From c98291a6a7f34beb276ec044affe6c272fd1f1d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Thu, 21 Sep 2023 12:19:03 +0300
Subject: [PATCH] check if client credential client is authenticated

---
 pkg/op/server_http.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/pkg/op/server_http.go b/pkg/op/server_http.go
index cfd39ca..ee5f706 100644
--- a/pkg/op/server_http.go
+++ b/pkg/op/server_http.go
@@ -269,14 +269,17 @@ func (s *webServer) tokenExchangeHandler(w http.ResponseWriter, r *http.Request,
 }
 
 func (s *webServer) clientCredentialsHandler(w http.ResponseWriter, r *http.Request, client Client) {
+ if client.AuthMethod() == oidc.AuthMethodNone {
+ err := oidc.ErrInvalidClient().WithDescription("client must be authenticated")
+ WriteError(w, r, err, s.logger)
+ return
+ }
+
 request, err := decodeRequest[oidc.ClientCredentialsRequest](s.decoder, r, false)
 if err != nil {
 WriteError(w, r, err, s.logger)
 return
 }
-
- // TODO: is a public client allowed here?
-
 resp, err := s.server.ClientCredentialsExchange(r.Context(), newClientRequest(r, request, client))
 if err != nil {
 WriteError(w, r, err, s.logger)
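Review bot: The new guard at the top of clientCredentialsHandler inspects the client's configured AuthMethod, not whether this request's credentials were actually verified; presumably whatever resolves the `client` argument has already authenticated it before the handler runs, and that assumption deserves to be stated next to the check, e.g. `// RFC 6749 §4.4: the client credentials grant is restricted to confidential clients, so reject clients configured for AuthMethodNone; the caller is expected to have verified the client's credentials before dispatching here.` The TODO the commit removes is now answered only by the error string, so a comment like the one above is the place to record the decision. RFC 6749 §5.2 expects invalid_client to be answered with HTTP 401 (and a WWW-Authenticate header when Basic auth was attempted), which depends on how WriteError maps oidc.ErrInvalidClient and cannot be confirmed from this hunk. The rest of clientCredentialsHandler continues past the end of the hunk.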