From 46daf6359903a6837ebcc2843ab8a17403a3f033 Mon Sep 17 00:00:00 2001
From: Matt Allan
Date: Mon, 22 Jul 2019 18:27:12 -0400
Subject: [PATCH] Always validate auth code clients, even when public

The validateClient method is called for public clients when using the refresh_token and password grant type and the interface allows passing a null secret, so it's not necessary to skip calling the method for the authorization_code grant type.
---
 src/Grant/AuthCodeGrant.php | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php
index f85a08981..18ab89a41 100644
--- a/src/Grant/AuthCodeGrant.php
+++ b/src/Grant/AuthCodeGrant.php
@@ -95,14 +95,7 @@ public function respondToAccessTokenRequest(
 ResponseTypeInterface $responseType,
 DateInterval $accessTokenTTL
 ) {
- list($clientId) = $this->getClientCredentials($request);
-
- $client = $this->getClientEntityOrFail($clientId, $request);
-
- // Only validate the client if it is confidential
- if ($client->isConfidential()) {
- $this->validateClient($request);
- }
+ $client = $this->validateClient($request);
 $encryptedAuthCode = $this->getRequestParameter('code', $request, null);
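Review bot: With the `isConfidential()` gate removed, whether a missing `client_secret` is acceptable is decided entirely inside `validateClient()` and the client repository behind it, and neither is visible in this hunk. The new line `$client = $this->validateClient($request);` deserves a short comment stating that contract, for example `// validateClient() authenticates confidential clients; a null secret is acceptable only for public clients`. I would also ask for tests on this grant covering a confidential client that sends no secret (must be rejected) and a public client that sends none (must pass), because a repository implementation that treats a null secret as "skip the check" would let an authorization code be redeemed without client authentication. The body of `respondToAccessTokenRequest` continues past the end of the hunk.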