From 17411f59e70ed94b13af8504f4991d7b2c186834 Mon Sep 17 00:00:00 2001
From: Manoj Garai
Date: Thu, 14 Mar 2024 11:48:11 +0000
Subject: [PATCH] Check for suspended clients before issuing new AT

---
 .../service/impl/DefaultOAuth2ProviderTokenService.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index e3dc32d56..e12d99da5 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -176,6 +176,10 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 throw new InvalidClientException("Client not found: " + request.getClientId());
 }
 
+ if (!client.isActive()) {
+ throw new InvalidClientException("Client is suspended: " + request.getClientId());
+ }
+
 // handle the PKCE code challenge if present
 if (request.getExtensions().containsKey(CODE_CHALLENGE)) {
 String challenge = (String) request.getExtensions().get(CODE_CHALLENGE);
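Review bot: The new `isActive()` guard only covers the path visible in this hunk, where a new access token is created from `request`; whether the refresh-token grant and the validation of already-issued tokens apply the same check cannot be seen here, and if they do not, a suspended client keeps working until its tokens expire. I would repeat the guard wherever this class loads a client before minting or refreshing a token, or revoke the client's outstanding tokens when it is suspended, and add a test asserting that a suspended client is refused. The message `"Client is suspended: " + request.getClientId()` also lets a caller tell a suspended client from an unknown one; if that text reaches the token response, a single generic message for both cases, with the reason written to the server log, gives away less. The enclosing method starts and ends outside the hunk.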