diff --git a/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs b/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs
index c78c3150..d7e89185 100644
--- a/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs
+++ b/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs
@@ -295,16 +295,15 @@ namespace OpenIddict.Server
 // from the other provider methods without having to call the store twice.
 context.Request.SetProperty($"{OpenIddictConstants.Properties.Application}:{context.ClientId}", application);
 
- // To prevent downgrade attacks, ensure that authorization requests returning a token directly from
- // the authorization endpoint are rejected if the client_id corresponds to a confidential application.
+ // To prevent downgrade attacks, ensure that authorization requests returning an access token directly
+ // from the authorization endpoint are rejected if the client_id corresponds to a confidential application.
 // Note: when using the authorization code grant, ValidateTokenRequest is responsible of rejecting
 // the token request if the client_id corresponds to an unauthenticated confidential client.
 if (await applications.IsConfidentialAsync(application) &&
- (context.Request.HasResponseType(OpenIdConnectConstants.ResponseTypes.IdToken) ||
- context.Request.HasResponseType(OpenIdConnectConstants.ResponseTypes.Token)))
+ context.Request.HasResponseType(OpenIdConnectConstants.ResponseTypes.Token))
 {
 context.Reject(
- error: OpenIdConnectConstants.Errors.UnsupportedResponseType,
+ error: OpenIdConnectConstants.Errors.UnauthorizedClient,
 description: "The specified 'response_type' parameter is not valid for this client application.");
 
 return;
diff --git a/test/OpenIddict.Server.Tests/Internal/OpenIddictServerProviderTests.Authentication.cs b/test/OpenIddict.Server.Tests/Internal/OpenIddictServerProviderTests.Authentication.cs
index 60984c13..7ae179d5
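Review bot: Dropping the `IdToken` branch from the condition on the `HasResponseType` lines means a confidential client can now be issued an ID token straight from the authorization endpoint without ever authenticating, which is only acceptable if the `nonce` requirement for id_token-bearing response types (implicit and hybrid) is enforced elsewhere; that check is not visible in this hunk, so it should be confirmed before relying on the narrowed rule. The rewritten comment should say so explicitly rather than leaving the reader to infer it, e.g. `// An id_token may still be returned here to a confidential client; its replay protection relies on the nonce validation applied to implicit/hybrid requests.` The switch to `UnauthorizedClient` reads correctly, since the server supports the response type and it is this client that is not permitted to use it. The context line `ValidateTokenRequest is responsible of rejecting` should read `responsible for rejecting`. The enclosing method begins before and continues after this hunk.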
--- a/test/OpenIddict.Server.Tests/Internal/OpenIddictServerProviderTests.Authentication.cs
+++ b/test/OpenIddict.Server.Tests/Internal/OpenIddictServerProviderTests.Authentication.cs
@@ -511,10 +511,9 @@ namespace OpenIddict.Server.Tests
 [Theory]
 [InlineData("code id_token token")]
 [InlineData("code token")]
- [InlineData("id_token")]
 [InlineData("id_token token")]
 [InlineData("token")]
- public async Task ValidateAuthorizationRequest_ImplicitOrHybridRequestIsRejectedWhenClientIsConfidential(string type)
+ public async Task ValidateAuthorizationRequest_AnAccessTokenCannotBeReturnedWhenClientIsConfidential(string type)
 {
 // Arrange
 var application = new OpenIddictApplication();
@@ -546,7 +545,7 @@ namespace OpenIddict.Server.Tests
 });
 
 // Assert
- Assert.Equal(OpenIdConnectConstants.Errors.UnsupportedResponseType, response.Error);
+ Assert.Equal(OpenIdConnectConstants.Errors.UnauthorizedClient, response.Error);
 Assert.Equal("The specified 'response_type' parameter is not valid for this client application.", response.ErrorDescription);
 
 Mock.Get(manager).Verify(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny()), Times.Once());
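Review bot: Removing the `[InlineData("id_token")]` row only stops asserting the old rejection; nothing in this hunk adds the positive case that a confidential client requesting `response_type=id_token` is now accepted, so the behaviour the server change deliberately introduces is untested unless a separate test exists elsewhere in the commit. A companion theory, `ValidateAuthorizationRequest_IdTokenOnlyRequestIsAllowedWhenClientIsConfidential`, using the same arrange block with `ResponseType = "id_token"` and asserting `response.Error` is null would pin it, and should include a `Nonce` value if the server requires one for that flow. The test body is cut off after `var application = new OpenIddictApplication();` and resumes in the second hunk, so the request setup between them is not visible here.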