diff --git a/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs b/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs
index 9c47b602..8781bc4d 100644
--- a/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs
+++ b/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs
@@ -308,6 +308,9 @@ namespace OpenIddict.Server.Internal
 if (await _applicationManager.IsConfidentialAsync(application) &&
 context.Request.HasResponseType(OpenIddictConstants.ResponseTypes.Token))
 {
+ _logger.LogError("The authorization request was rejected because the confidential application '{ClientId}' " +
+ "was not allowed to retrieve an access token from the authorization endpoint.", context.ClientId);
+
 context.Reject(
 error: OpenIddictConstants.Errors.UnauthorizedClient,
 description: "The specified 'response_type' parameter is not valid for this client application.");
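Review bot: The added `_logger.LogError` call records only the client id, so the log entry does not show which `response_type` value caused the rejection. The guard is `HasResponseType(ResponseTypes.Token)`, which presumably also matches combined values that merely contain `token`, so someone triaging these entries cannot tell a plain implicit request from a hybrid one. I would extend the template with a second placeholder, e.g. `"... from the authorization endpoint (response_type: '{ResponseType}').", context.ClientId, context.Request.ResponseType);`. Keep it as a template argument, as is already done for `{ClientId}`: the value comes straight from the request, and a plain-text sink should neutralise line breaks in it. The enclosing method starts and ends outside this hunk, so I cannot confirm whether the sibling rejection branches log at the same level; if they do, keep `LogError` for consistency.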