Proper way to check permissions for client credential grant type

[binbrain]

Since client credentials grant type does not authenticate a user, what should the permission check be in the permission_class? If I hook into the has_permission function and inspect the request object, I see its not as simple as just returning True for the following reasons. (On latest 3.14.0 FYI)

1. With a valid access token - Reach has_permission with an request.user empty and a valid request.auth.token.
2. With an expired access token - Reach has_permission as request.user.AnonymousUser with an empty request.auth.
3. With an invalid access token - Never reaches (FYI only, this is fine)

2 is the concerning part and why you can't just return True. I'm wondering if permissions.py needs some special logic to handle the client credential Oauth2 flow? Or at least an abstract method to suggest what to do in this case.