diff --git a/server/deviceflowhandlers.go b/server/deviceflowhandlers.go
index 95fed3b3c3..87dad9be65 100644
--- a/server/deviceflowhandlers.go
+++ b/server/deviceflowhandlers.go
@@ -331,7 +331,7 @@ func (s *Server) handleDeviceCallback(w http.ResponseWriter, r *http.Request) {
 			}
 			return
 		}
-		if client.Secret != deviceReq.ClientSecret {
+		if !client.Public && client.Secret != deviceReq.ClientSecret {
 			s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 			return
 		}