From d75bba218d4a7c4cbc36d782d7a86db4eaf67b58 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Thu, 10 Mar 2016 12:30:48 -0500
Subject: [PATCH] forbid password grant type in HEART mode
---
 .../service/impl/DefaultOAuth2ClientDetailsEntityService.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
index 122411a5f..132b7389f 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
@@ -272,6 +272,10 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 
 			}
 
+			if (client.getGrantTypes().contains("password")) {
+				throw new IllegalArgumentException("[HEART mode] Password grant type is forbidden");
+			}
+
 			// make sure we don't have a client secret
 			if (!Strings.isNullOrEmpty(client.getClientSecret())) {
 				throw new IllegalArgumentException("[HEART mode] Client secrets are not allowed");
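Review bot: The new password-grant check on the added lines guards only this code path, so if the client update path (outside the hunk) carries its own HEART-mode validation block, a client registered without the password grant could still acquire it later through an update; the same check belongs there as well. `client.getGrantTypes()` is also dereferenced without a null guard, unlike the `Strings.isNullOrEmpty` style of the secret check just below; if grant types can be absent on a submitted client, `Set<String> grants = client.getGrantTypes(); if (grants != null && grants.contains("password"))` keeps a missing collection from surfacing as a NullPointerException instead of the intended IllegalArgumentException. A short why-comment above the check, e.g. `// HEART mode does not permit the resource owner password credentials grant`, would match the commented neighbouring checks. The enclosing method starts and ends outside the hunk.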