keycloak-aplcache

KEYCLOAK-545 Stop NPE if no client_secret is specified or bearer-only

7/30/2014 12:41:07 PM


diff --git a/audit/api/src/main/java/org/keycloak/audit/Errors.java b/audit/api/src/main/java/org/keycloak/audit/Errors.java
index 4b0d41d..04be394 100755
--- a/audit/api/src/main/java/org/keycloak/audit/Errors.java
+++ b/audit/api/src/main/java/org/keycloak/audit/Errors.java
@@ -10,6 +10,7 @@ public interface Errors {
     String CLIENT_NOT_FOUND = "client_not_found";
     String CLIENT_DISABLED = "client_disabled";
     String INVALID_CLIENT_CREDENTIALS = "invalid_client_credentials";
+    String INVALID_CLIENT = "invalid_client";
 
     String USER_NOT_FOUND = "user_not_found";
     String USER_DISABLED = "user_disabled";
diff --git a/services/src/main/java/org/keycloak/services/resources/TokenService.java b/services/src/main/java/org/keycloak/services/resources/TokenService.java
index d2e0e3d..aef626c 100755
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
@@ -761,8 +761,16 @@ public class TokenService {
             throw new BadRequestException("Client is not enabled", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
         }
 
+        if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
+            Map<String, String> error = new HashMap<String, String>();
+            error.put(OAuth2Constants.ERROR, "invalid_client");
+            error.put(OAuth2Constants.ERROR_DESCRIPTION, "Bearer-only not allowed");
+            audit.error(Errors.INVALID_CLIENT);
+            throw new BadRequestException("Bearer-only not allowed", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
+        }
+
         if (!client.isPublicClient()) {
-            if (!client.validateSecret(clientSecret)) {
+            if (clientSecret == null || !client.validateSecret(clientSecret)) {
                 Map<String, String> error = new HashMap<String, String>();
                 error.put(OAuth2Constants.ERROR, "unauthorized_client");
                 audit.error(Errors.INVALID_CLIENT_CREDENTIALS);
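Review bot: The new bearer-only branch runs before the client secret is checked and its response body names the client's configuration ("Bearer-only not allowed"), so a caller who only knows a client_id learns, unauthenticated, that the client is bearer-only; the existing "Client is not enabled" branch just above leaks in the same way, but this change adds a new probe. Moving the bearer-only check below the `!client.isPublicClient()` block so it only fires after `validateSecret` has passed, or returning the same generic `unauthorized_client` response that a bad secret produces, would keep the distinction out of reach of unauthenticated callers. The `"invalid_client"` literal duplicates the `Errors.INVALID_CLIENT` constant added in Errors.java; if the response code is meant to track that constant, `error.put(OAuth2Constants.ERROR, Errors.INVALID_CLIENT);` avoids the two drifting apart. The `clientSecret == null` guard correctly folds a missing secret into the same failure path as a wrong one, which is the right shape since it does not reveal which of the two occurred. The enclosing method starts before and continues past this hunk, so the behaviour of the remaining error branches was not reviewed.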