Allow both flows authorization code and client credentials. This scenario might be found when the same client supports user authentication as well as service to service authentication. Such a client is trusted (whitelisted).

openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java

@@ -394,9 +394,11 @@ public class DynamicClientRegistrationEndpoint {
 		// set default grant types if needed
 		if (newClient.getGrantTypes() == null || newClient.getGrantTypes().isEmpty()) {
 			if (newClient.getScope().contains("offline_access")) { // client asked for offline access
-				newClient.setGrantTypes(Sets.newHashSet("authorization_code", "refresh_token")); // allow authorization code and refresh token grant types by default
+				// allow authorization code, client credentials and refresh token grant types by default
+				newClient.setGrantTypes(Sets.newHashSet("authorization_code", "client_credentials", "refresh_token"));
 			} else {
-				newClient.setGrantTypes(Sets.newHashSet("authorization_code")); // allow authorization code grant type by default
+				// allow authorization code grant type by default
+				newClient.setGrantTypes(Sets.newHashSet("authorization_code", "client_credentials"));
 			}
 		}
 
@@ -418,8 +420,7 @@ public class DynamicClientRegistrationEndpoint {
 		if (newClient.getGrantTypes().contains("authorization_code")) {
 
 			// check for incompatible grants
-			if (newClient.getGrantTypes().contains("implicit") ||
+			if (newClient.getGrantTypes().contains("implicit")) {
-					newClient.getGrantTypes().contains("client_credentials")) {
 				// return an error, you can't have these grant types together
 				throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
 			}
@@ -430,15 +431,12 @@ public class DynamicClientRegistrationEndpoint {
 			}
 
 			newClient.getResponseTypes().add("code");
-
-
 		}
 
 		if (newClient.getGrantTypes().contains("implicit")) {
 
 			// check for incompatible grants
-			if (newClient.getGrantTypes().contains("authorization_code") ||
+			if (newClient.getGrantTypes().contains("authorization_code")) {
-					newClient.getGrantTypes().contains("client_credentials")) {
 				// return an error, you can't have these grant types together
 				throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
 			}
@@ -457,13 +455,6 @@ public class DynamicClientRegistrationEndpoint {
 
 		if (newClient.getGrantTypes().contains("client_credentials")) {
 			
-			// check for incompatible grants
-			if (newClient.getGrantTypes().contains("authorization_code") ||
-					newClient.getGrantTypes().contains("implicit")) {
-				// return an error, you can't have these grant types together
-				throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
-			}
-
 			if (!newClient.getResponseTypes().isEmpty()) {
 				// return an error, you can't have this grant type and response type together
 				throw new ValidationException("invalid_client_metadata", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes(), HttpStatus.BAD_REQUEST);