diff --git a/audit/api/src/main/java/org/keycloak/audit/Errors.java b/audit/api/src/main/java/org/keycloak/audit/Errors.java
index 4b0d41d839..04be394937 100755
--- a/audit/api/src/main/java/org/keycloak/audit/Errors.java
+++ b/audit/api/src/main/java/org/keycloak/audit/Errors.java
@@ -10,6 +10,7 @@ public interface Errors {
     String CLIENT_NOT_FOUND = "client_not_found";
     String CLIENT_DISABLED = "client_disabled";
     String INVALID_CLIENT_CREDENTIALS = "invalid_client_credentials";
+    String INVALID_CLIENT = "invalid_client";
 
     String USER_NOT_FOUND = "user_not_found";
     String USER_DISABLED = "user_disabled";
diff --git a/services/src/main/java/org/keycloak/services/resources/TokenService.java b/services/src/main/java/org/keycloak/services/resources/TokenService.java
index d2e0e3d759..aef626c771 100755
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
@@ -761,8 +761,16 @@ public class TokenService {
             throw new BadRequestException("Client is not enabled", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
         }
 
+        if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
+            Map error = new HashMap();
+            error.put(OAuth2Constants.ERROR, "invalid_client");
+            error.put(OAuth2Constants.ERROR_DESCRIPTION, "Bearer-only not allowed");
+            audit.error(Errors.INVALID_CLIENT);
+            throw new BadRequestException("Bearer-only not allowed", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
+        }
+
         if (!client.isPublicClient()) {
-            if (!client.validateSecret(clientSecret)) {
+            if (clientSecret == null || !client.validateSecret(clientSecret)) {
                 Map error = new HashMap();
                 error.put(OAuth2Constants.ERROR, "unauthorized_client");
                 audit.error(Errors.INVALID_CLIENT_CREDENTIALS);
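Review bot: The new bearer-only rejection runs before the client-secret validation in the `!client.isPublicClient()` block, so the "Bearer-only not allowed" response tells a caller that has not authenticated as the client how that client is configured; if bearer-only applications always carry a secret, moving the block below the secret check keeps that detail behind client authentication and costs nothing for legitimate callers. The error code also reads as mismatched: in RFC 6749 `invalid_client` means client authentication failed, while this branch refuses a grant the client is not permitted to use, which is what `unauthorized_client` describes and what the existing secret-failure branch already emits, so `error.put(OAuth2Constants.ERROR, "unauthorized_client");` would be the consistent choice. The branch is the third copy of the same build-a-400-JSON-error-and-throw sequence in this method; a small private helper taking the error code, description and audit error would remove the duplication. The enclosing method starts and ends outside this hunk.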