refactor: fixup grant_types and response_types mismatch instead of rejecting

panva · panva · commit 81538bf55ae3 · 2026-03-18T12:48:49.000+01:00
diff --git a/docs/README.md b/docs/README.md
@@ -4531,28 +4531,27 @@ const signedIn = !!session.accountId;
 
 ### Client Credentials only clients
 
-The `redirect_uris is mandatory property` error occurs but Client Credential clients
-don't need `redirect_uris` or `response_types`... This error appears
-because they are required properties, but they can be empty...
+Client Credential clients don't use the authorization endpoint, so set
+`response_types` to an empty array. The `redirect_uris` will default to `[]`
+automatically.
 
 ```js
 {
   // ... rest of the client configuration
-  redirect_uris: [],
   response_types: [],
   grant_types: ['client_credentials']
 }
 ```
 
 ### Resource Server only clients (e.g. for token introspection)
 
-The `redirect_uris is mandatory property` error occurs but the resource server needs
-none. This error appears because they are required properties, but they can be empty...
+Resource server clients don't use any grants or the authorization endpoint, so set
+`response_types` to an empty array. The `redirect_uris` will default to `[]`
+automatically.
 
 ```js
 {
   // ... rest of the client configuration
-  redirect_uris: [],
   response_types: [],
   grant_types: []
 }
diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js
@@ -279,10 +279,6 @@ export default function getSchema(provider) {
 
       const responseTypes = new Set(this.response_types.map((rt) => rt.split(' ')).flat());
 
-      if (this.grant_types.some((type) => ['authorization_code', 'implicit'].includes(type)) && !this.response_types.length) {
-        this.invalidate('response_types must contain members');
-      }
-
       if (responseTypes.size && !this.redirect_uris.length) {
         const { pushedAuthorizationRequests: par } = features;
         if (
@@ -301,13 +297,19 @@ export default function getSchema(provider) {
       }
 
       if (responseTypes.has('code') && !this.grant_types.includes('authorization_code')) {
-        this.invalidate("grant_types must contain 'authorization_code' when code is amongst response_types");
+        this.grant_types.push('authorization_code');
       }
 
-      if (responseTypes.has('token') || responseTypes.has('id_token')) {
-        if (!this.grant_types.includes('implicit')) {
-          this.invalidate("grant_types must contain 'implicit' when 'id_token' or 'token' are amongst response_types");
-        }
+      if ((responseTypes.has('token') || responseTypes.has('id_token')) && !this.grant_types.includes('implicit')) {
+        this.grant_types.push('implicit');
+      }
+
+      if (this.grant_types.includes('implicit') && !responseTypes.has('id_token') && !responseTypes.has('token')) {
+        this.grant_types.splice(this.grant_types.indexOf('implicit'), 1);
+      }
+
+      if (this.grant_types.includes('authorization_code') && !responseTypes.has('code')) {
+        this.grant_types.splice(this.grant_types.indexOf('authorization_code'), 1);
       }
 
       {
diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
@@ -373,20 +373,31 @@ describe('Client metadata validation', () => {
     defaultsTo(this.title, ['authorization_code']);
     mustBeArray(this.title);
     allows(this.title, ['authorization_code', 'refresh_token']);
+    allows(this.title, [], { response_types: ['none'] });
     rejects(this.title, [123], /must only contain strings$/);
-    rejects(this.title, []);
     rejects(this.title, ['not-a-type']);
-    rejects(this.title, ['implicit'], undefined, {
+
+    // grant types auto-fixup
+    allows(this.title, [], undefined, undefined, (client) => {
+      expect(client.metadata()).to.have.property('grant_types').and.deep.eql(['authorization_code']);
+    });
+    allows(this.title, ['implicit'], {
       // misses authorization_code
       response_types: ['id_token', 'code'],
+    }, undefined, (client) => {
+      expect(client.metadata()).to.have.property('grant_types').and.deep.eql(['implicit', 'authorization_code']);
     });
-    rejects(this.title, ['authorization_code'], undefined, {
-      // misses implicit
+    allows(this.title, ['authorization_code'], {
+      // misses code in response_types
       response_types: ['id_token'],
+    }, undefined, (client) => {
+      expect(client.metadata()).to.have.property('grant_types').and.deep.eql(['implicit']);
     });
-    rejects(this.title, ['authorization_code'], undefined, {
-      // misses implicit
-      response_types: ['token'],
+    allows(this.title, ['authorization_code', 'implicit'], {
+      // misses token or id_token in response_types
+      response_types: ['code'],
+    }, undefined, (client) => {
+      expect(client.metadata()).to.have.property('grant_types').and.deep.eql(['authorization_code']);
     });
   });
 
@@ -679,7 +690,9 @@ describe('Client metadata validation', () => {
     );
 
     rejects(this.title, [123], /must only contain strings$/);
-    rejects(this.title, [], /must contain members$/);
+    allows(this.title, [], undefined, undefined, (client) => {
+      expect(client.metadata()).to.have.property('grant_types').and.deep.eql([]);
+    });
     rejects(this.title, ['not-a-type']);
     rejects(this.title, ['not-a-type', 'none']);
   });
diff --git a/test/configuration/custom_client_metadata.test.js b/test/configuration/custom_client_metadata.test.js
@@ -147,7 +147,7 @@ describe('extraClientMetadata configuration', () => {
     expect(validator.calledWith(undefined, 'client_name', undefined)).to.be.true;
   });
 
-  it('should not allow customization to introduce grant_types and response_types mismatch', async () => {
+  it('should allow customization to set grant_types that get auto-fixed based on response_types', async () => {
     const provider = new Provider('http://localhost:3000', {
       extraClientMetadata: {
         properties: ['foo'],
@@ -164,16 +164,8 @@ describe('extraClientMetadata configuration', () => {
       ],
     });
 
-    try {
-      await provider.Client.find('client');
-      throw new Error('expected a throw from the above');
-    } catch (err) {
-      expect(err).to.have.property('message', 'invalid_client_metadata');
-      expect(err).to.have.property(
-        'error_description',
-        "grant_types must contain 'authorization_code' when code is amongst response_types",
-      );
-    }
+    const client = await provider.Client.find('client');
+    expect(client.metadata()).to.have.property('grant_types').and.deep.eql(['authorization_code']);
   });
 
   it('should not allow customization to remove redirect_uris when response_types need them', async () => {
