- Issue created by @kingdutch
redirect_uri is used by the authorization_code to ensure that the (web/mobile) application requesting the authorization code is the correct one. In the client_credentials grant type it's not used because it's understood there is a direct connection between the client and server (rather than going through a user's browser) which is authenticated with a client_id and secret. This means no redirects take place and redirect_uri is not needed.
redirect_uri is currently part of a multi-value field which is always required. This means that consumers which only use the client_credentials grant type (i.e. fully machine-to-machine applications) can not be created without filling in a dummy redirect URI.
Make the field only required under the "authorization code" field group when that grant type is enabled. Similar to what happens for fields such as "Use PKCE".
Active
6.0
Code
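The conditional requirement proposed in the issue, sketched as a stand-alone validator. This is an added example, not code from the module or from the issue author: the function name, the error strings and the sample consumers are hypothetical. It goes slightly beyond the issue by also applying the RFC 6749 section 3.1.2 rules (absolute URI, no fragment) to any redirect URI that is supplied.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical validator (not the module's API): redirect URIs are mandatory
 * only when the authorization_code grant is enabled for the consumer.
 *
 * @param string[] $grantTypes   Grant types enabled for the consumer.
 * @param string[] $redirectUris Values of the multi-value redirect field.
 * @return string[] Validation errors; an empty array means the consumer is valid.
 */
function validate_consumer_redirects(array $grantTypes, array $redirectUris): array
{
    $errors = [];
    // Drop empty rows that a multi-value form field typically submits.
    $uris = array_values(array_filter(
        array_map('trim', $redirectUris),
        fn (string $u): bool => $u !== ''
    ));

    if (in_array('authorization_code', $grantTypes, true) && $uris === []) {
        $errors[] = 'redirect_uri is required when authorization_code is enabled.';
    }

    // Whatever is supplied must still be well formed, regardless of grant type.
    foreach ($uris as $uri) {
        $parts = parse_url($uri);
        if ($parts === false || empty($parts['scheme'])) {
            $errors[] = "redirect_uri must be an absolute URI: $uri";
        } elseif (str_contains($uri, '#')) {
            $errors[] = "redirect_uri must not contain a fragment: $uri";
        }
    }
    return $errors;
}

// Constructed sample consumers.
$samples = [
    'machine-to-machine' => [['client_credentials'], ['']],
    'web app, no URI'    => [['authorization_code'], []],
    'mobile app'         => [['authorization_code'], ['myapp://callback']],
    'relative URI'       => [['authorization_code'], ['/oauth/callback']],
    'fragment'           => [['authorization_code'], ['https://app.example/cb#x']],
];
foreach ($samples as $label => [$grants, $uris]) {
    $errors = validate_consumer_redirects($grants, $uris);
    echo $label, ': ', $errors === [] ? 'valid' : implode(' | ', $errors), PHP_EOL;
}
```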