diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
index a73536133..86150d0e7 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
@@ -97,7 +97,15 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
 						throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");
 					}
-					if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) &&
+					if (client.getTokenEndpointAuthMethod() == null ||
+							client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE) ||
+							client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) ||
+							client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)) {
+
+						// this client doesn't support this type of authentication
+						throw new AuthenticationServiceException("Client does not support this authentication method.");
+
+					} else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) &&
 							(alg.equals(JWSAlgorithm.RS256)
 									|| alg.equals(JWSAlgorithm.RS384)
 									|| alg.equals(JWSAlgorithm.RS512))) {
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
index 5c2d467d3..26656f1a3 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
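Review bot: The new rejection in the `if` at the top of the hunk is a deny-list over four `AuthMethod` values, so any method added to the enum later, or simply not named here, falls through to the positive branches that follow; unless the chain below the hunk (presumably the `SECRET_JWT`/HMAC case, not visible here) ends in an unconditional reject, inverting it to an allow-list makes the fail-closed intent explicit: `AuthMethod method = client.getTokenEndpointAuthMethod(); if (method != AuthMethod.PRIVATE_KEY && method != AuthMethod.SECRET_JWT) { throw new AuthenticationServiceException("Client does not support this authentication method."); }`. Hoisting the getter into that local also removes the five repeated `getTokenEndpointAuthMethod()` calls, and because enum comparison with `==` is null-safe the separate `== null` clause folds into the same test. Consider logging the client id alongside the thrown exception, since a mismatch between a client's registered method and the assertion it presents is exactly the kind of event an operator wants to see. The enclosing method starts and ends outside the hunk.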
@@ -161,7 +161,13 @@ public class ClientAPI {
 			client = clientService.generateClientId(client);
 		}
-		if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC)
+		if (client.getTokenEndpointAuthMethod() == null ||
+				client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
+			// we shouldn't have a secret for this client
+
+			client.setClientSecret(null);
+
+		} else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC)
 				|| client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)
 				|| client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) {
@@ -183,11 +189,6 @@ public class ClientAPI {
 			// otherwise we shouldn't have a secret for this client
 			client.setClientSecret(null);
-		} else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
-			// we shouldn't have a secret for this client
-
-			client.setClientSecret(null);
-
 		} else {
 			logger.error("unknown auth method");
@@ -256,7 +257,13 @@ public class ClientAPI {
 			client = clientService.generateClientId(client);
 		}
-		if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC)
+		if (client.getTokenEndpointAuthMethod() == null ||
+				client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
+			// we shouldn't have a secret for this client
+
+			client.setClientSecret(null);
+
+		} else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC)
 				|| client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)
 				|| client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) {
@@ -278,11 +285,6 @@ public class ClientAPI {
 			// otherwise we shouldn't have a secret for this client
 			client.setClientSecret(null);
-		} else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
-			// we shouldn't have a secret for this client
-
-			client.setClientSecret(null);
-
 		} else {
 			logger.error("unknown auth method");
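Review bot: The new first branch of the -161 hunk treats a `null` `tokenEndpointAuthMethod` exactly like `NONE` — it clears the secret but leaves the field unset — so the stored client carries no explicit method and every later consumer (the `else` in the -183 hunk that logs "unknown auth method", the new null guard in JwtBearerAuthenticationProvider in this same commit) has to repeat the `== null` check; if an omitted method is meant to produce a public client, normalising it once here with `client.setTokenEndpointAuthMethod(AuthMethod.NONE);` immediately before `client.setClientSecret(null);` makes the persisted value unambiguous, and the comment should say so, e.g. `// an unset method is treated as a public client: no secret is kept`. Either way, silently turning an unset field into "authenticates with nothing" is a policy decision worth stating in the comment rather than implying. The -256 hunk is a verbatim copy of this branch (and the -278 hunk of the -183 one), which suggests the whole secret-handling block belongs in one private helper, say `applyTokenEndpointAuthMethod(ClientDetailsEntity client)`, called from both call sites so the two copies cannot drift. Both enclosing methods start and end outside their hunks.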