Disabled clients can still be used for client secret authentication.

[acollard]

From ClientSecretValidator.cs:

// load client
var client = await _clients.FindClientByIdAsync(parsedSecret.Id);
if (client == null)
{
  await RaiseFailureEvent(parsedSecret.Id, "Unknown client");

  Logger.Info("No client with that id found. aborting");
  return fail;
}

This should check if the client is null or disabled.

if (client == null || !client.Enabled)

This issue is also present in TokenValidator.cs.
https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Validation/TokenValidator.cs#L114
https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Validation/TokenValidator.cs#L267

AuthorizeRequestValidator.cs handles it correctly.

[acollard]

I just noticed your InMemoryClientStore.cs filters out disabled clients internally. In my scenario we use a custom IClientStore which is why I am seeing the issue.

Off the top of my head I can think of two reasons why the disabled flag should probably be handled outside:

1. Users implementing the interface wouldn't expect disabled clients to be filtered out.
2. A user may want to use the IClientStore outside of the authentication process, maybe an administrative page that lists the current clients and their state.