diff --git a/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs b/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs
index 6116fea7..99114878 100644
--- a/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs
+++ b/src/OpenIddict.Server/Internal/OpenIddictServerProvider.Authentication.cs
@@ -315,6 +315,9 @@ namespace OpenIddict.Server.Internal
 if (await applicationManager.IsConfidentialAsync(application) &&
 context.Request.HasResponseType(OpenIddictConstants.ResponseTypes.Token))
 {
+ logger.LogError("The authorization request was rejected because the confidential application '{ClientId}' " +
+ "was not allowed to retrieve an access token from the authorization endpoint.", context.ClientId);
+
 context.Reject(
 error: OpenIddictConstants.Errors.UnauthorizedClient,
 description: "The specified 'response_type' parameter is not valid for this client application.");
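Review bot: The added `logger.LogError` call records only the client identifier, so someone triaging this rejection cannot see which `response_type` was requested. `HasResponseType(...Token)` presumably also matches hybrid values such as `code token`, which is a different situation from a plain implicit request when investigating a possible downgrade attempt. Consider carrying the value in the template, e.g. `logger.LogError("... confidential application '{ClientId}' requested the response type '{ResponseType}' ...", context.ClientId, context.Request.ResponseType);`. Because the condition is reached from request parameters alone, Warning may be a better level than Error, unless the other rejection paths in this provider already log at Error. The enclosing method starts and ends outside the hunk, so where `logger` is resolved and how neighbouring rejections are logged is not visible here.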