Allow both flows authorization code and client credentials. This scenario might be found when the same client supports user authentication as well as service to service authentication. Such a client is trusted (whitelisted).

Author: Cosmin Cojocar

openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java

@@ -394,9 +394,11 @@ private ClientDetailsEntity validateGrantTypes(ClientDetailsEntity newClient) th
 // set default grant types if needed
 if (newClient.getGrantTypes() == null || newClient.getGrantTypes().isEmpty()) {
 if (newClient.getScope().contains("offline_access")) { // client asked for offline access
-newClient.setGrantTypes(Sets.newHashSet("authorization_code", "refresh_token")); // allow authorization code and refresh token grant types by default
+// allow authorization code, client credentials and refresh token grant types by default
+newClient.setGrantTypes(Sets.newHashSet("authorization_code", "client_credentials", "refresh_token"));
 } else {
-newClient.setGrantTypes(Sets.newHashSet("authorization_code")); // allow authorization code grant type by default
+// allow authorization code grant type by default
+newClient.setGrantTypes(Sets.newHashSet("authorization_code", "client_credentials"));
 }
 }
 
@@ -418,8 +420,7 @@ private ClientDetailsEntity validateGrantTypes(ClientDetailsEntity newClient) th
 if (newClient.getGrantTypes().contains("authorization_code")) {
 
 // check for incompatible grants
-if (newClient.getGrantTypes().contains("implicit") ||
-newClient.getGrantTypes().contains("client_credentials")) {
+if (newClient.getGrantTypes().contains("implicit")) {
 // return an error, you can't have these grant types together
 throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
 }
@@ -430,15 +431,12 @@ private ClientDetailsEntity validateGrantTypes(ClientDetailsEntity newClient) th
 }
 
 newClient.getResponseTypes().add("code");
-
-
 }
 
 if (newClient.getGrantTypes().contains("implicit")) {
 
 // check for incompatible grants
-if (newClient.getGrantTypes().contains("authorization_code") ||
-newClient.getGrantTypes().contains("client_credentials")) {
+if (newClient.getGrantTypes().contains("authorization_code")) {
 // return an error, you can't have these grant types together
 throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
 }
@@ -456,14 +454,7 @@ private ClientDetailsEntity validateGrantTypes(ClientDetailsEntity newClient) th
 }
 
 if (newClient.getGrantTypes().contains("client_credentials")) {
-
-// check for incompatible grants
-if (newClient.getGrantTypes().contains("authorization_code") ||
-newClient.getGrantTypes().contains("implicit")) {
-// return an error, you can't have these grant types together
-throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
-}
-
+
 if (!newClient.getResponseTypes().isEmpty()) {
 // return an error, you can't have this grant type and response type together
 throw new ValidationException("invalid_client_metadata", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes(), HttpStatus.BAD_REQUEST);