authorAndrew Arnott <andrewarnott@gmail.com>2012-02-16 08:47:49 -0800
committerAndrew Arnott <andrewarnott@gmail.com>2012-02-16 08:47:49 -0800
commit9869f80aa333eeab6e7d19bf116c3d4c4788e8ba (patch)
treeb779795d17ddbeaaef59790345b49809f162c47c /src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
parentf1837d5eb51cb3ed948d72048e5827332e506a71 (diff)
Suppressed refresh tokens when client credentials are used to comply with OAuth 2.0 section 4.4.3.
Diffstat (limited to 'src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs')
-rw-r--r--src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
index c5c93b5..534929b 100644
--- a/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
+++ b/src/DotNetOpenAuth.OAuth2/OAuth2/Messages/AccessTokenSuccessResponse.cs
@@ -95,5 +95,18 @@ namespace DotNetOpenAuth.OAuth2.Messages {
/// Gets or sets a value indicating whether a refresh token is or should be included in the response.
/// </summary>
internal bool HasRefreshToken { get; set; }
+
+ /// <summary>
+ /// Checks the message state for conformity to the protocol specification
+ /// and throws an exception if the message is invalid.
+ /// </summary>
+ /// <exception cref="ProtocolException">Thrown if the message is invalid.</exception>
+ protected override void EnsureValidMessage() {
+ base.EnsureValidMessage();
+
+ // Per OAuth 2.0 section 4.4.3 (draft 23), refresh tokens should never be included
+ // in a response to an access token request that used the client credential grant type.
+ ErrorUtilities.VerifyProtocol(!this.HasRefreshToken || !(this.OriginatingRequest is AccessTokenClientCredentialsRequest), OAuthStrings.RefreshTokenInappropriateForRequestType, this.OriginatingRequest.GetType().Name);
+ }
}
}
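Review bot: The third argument on the `ErrorUtilities.VerifyProtocol` line, `this.OriginatingRequest.GetType().Name`, is evaluated before the condition is tested, so if OriginatingRequest can ever be null when EnsureValidMessage runs (I cannot tell from the hunk) the method throws NullReferenceException even though the condition itself would pass, because `!(null is AccessTokenClientCredentialsRequest)` is true. Since the check can only fail when the request is an AccessTokenClientCredentialsRequest, the name can come from the type rather than the instance, which removes the dereference: `ErrorUtilities.VerifyProtocol(!this.HasRefreshToken || !(this.OriginatingRequest is AccessTokenClientCredentialsRequest), OAuthStrings.RefreshTokenInappropriateForRequestType, typeof(AccessTokenClientCredentialsRequest).Name);`. Separately, the comment says refresh tokens "should never be included" while draft 23 §4.4.3 says they SHOULD NOT be; since EnsureValidMessage presumably runs for both outgoing and incoming messages, a client using this library will reject a server that does include one, which is the fail-closed posture but stricter than the spec and worth stating: `// Draft 23 §4.4.3 says a refresh token SHOULD NOT be included; this library treats it as a hard protocol error when issuing and when receiving.`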