From ce61ab5779e335fb201196f764ebb047cb5e19db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Chalet?= Date: Tue, 2 Aug 2016 19:07:52 +0200 Subject: [PATCH] Relax the authorization request validation policy to allow confidential clients to partially use the hybrid flow
---
 .../OpenIddictProvider.Authentication.cs | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs b/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs
index 324606d1..45f30d3e 100644
--- a/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs
+++ b/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs
@@ -243,14 +243,16 @@ namespace OpenIddict.Infrastructure {
 return;
 }
- // To prevent downgrade attacks, ensure that authorization requests using the hybrid/implicit
- // flow are rejected if the client identifier corresponds to a confidential application.
- // Note: when using the authorization code grant, ValidateTokenRequest is responsible of
- // rejecting the token request if the client_id corresponds to an unauthenticated confidential client.
- if (await services.Applications.IsPublicAsync(application) && !context.Request.IsAuthorizationCodeFlow()) {
+ // To prevent downgrade attacks, ensure that authorization requests returning an access token directly
+ // from the authorization endpoint are rejected if the client_id corresponds to a confidential application.
+ // Note: when using the authorization code grant, ValidateTokenRequest is responsible of rejecting
+ // the token request if the client_id corresponds to an unauthenticated confidential client.
+ if (await services.Applications.IsConfidentialAsync(application) &&
+ context.Request.HasResponseType(OpenIdConnectConstants.ResponseTypes.Token)) {
 context.Reject(
 error: OpenIdConnectConstants.Errors.InvalidRequest,
- description: "Confidential clients can only use response_type=code.");
+ description: "Confidential clients are not allowed to retrieve " +
+ "an access token from the authorization endpoint.");
 return;
 }
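Review bot: The new condition rejects a confidential client only when `response_type` contains `token`, so a request with `response_type=id_token` alone (pure implicit, no authorization code and therefore no client authentication at the token endpoint) is now accepted for confidential clients, whereas the removed `!context.Request.IsAuthorizationCodeFlow()` guard rejected it; the rewritten comment explains the access-token case but not this widening. If that is unintended, tighten the check to `context.Request.HasResponseType(OpenIdConnectConstants.ResponseTypes.Token) || !context.Request.HasResponseType(OpenIdConnectConstants.ResponseTypes.Code)` so that only code-bearing hybrid requests are let through; if it is intended, add a line to the comment such as `// Note: id_token-only requests are deliberately allowed, as no access token is issued without client authentication.` The switch from `IsPublicAsync` to `IsConfidentialAsync` also changes the outcome for any application type that is neither, if such a type exists in the store abstraction — worth confirming. The enclosing method starts and ends outside this hunk.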