diff --git a/internal/oidc/token_exchange.go b/internal/oidc/token_exchange.go
index eed531f1..d6dc2d29 100644
--- a/internal/oidc/token_exchange.go
+++ b/internal/oidc/token_exchange.go
@@ -40,8 +40,10 @@ type TokenExchangeHandler struct {
 accessTokenStorage oauth2.AccessTokenStorage
 }
 
+var _ fosite.TokenEndpointHandler = (*TokenExchangeHandler)(nil)
+
 func (t *TokenExchangeHandler) HandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) error {
- if !(requester.GetGrantTypes().ExactOne("urn:ietf:params:oauth:grant-type:token-exchange")) {
+ if !t.CanHandleTokenEndpointRequest(requester) {
 return errors.WithStack(fosite.ErrUnknownRequest)
 }
 return nil
@@ -139,3 +141,11 @@ func (t *TokenExchangeHandler) validateAccessToken(ctx context.Context, requeste
 }
 return originalRequester, nil
 }
+
+func (t *TokenExchangeHandler) CanSkipClientAuth(_ fosite.AccessRequester) bool {
+ return false
+}
+
+func (t *TokenExchangeHandler) CanHandleTokenEndpointRequest(requester fosite.AccessRequester) bool {
+ return requester.GetGrantTypes().ExactOne("urn:ietf:params:oauth:grant-type:token-exchange")
+}
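Review bot: HandleTokenEndpointRequest, as far as the first hunk shows it, returns nil as soon as the grant type matches, so this phase never checks that the authenticated client is registered for the token-exchange grant. If that check is not made later in the flow (the code that calls validateAccessToken is outside the diff), consider adding before `return nil` a guard such as `if !requester.GetClient().GetGrantTypes().Has("urn:ietf:params:oauth:grant-type:token-exchange") { return errors.WithStack(fosite.ErrUnauthorizedClient) }`. The function's closing brace lies outside the hunk, so confirm nothing follows `return nil`.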
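Review bot: The two exported methods added in the second hunk have no doc comments, and the hard-coded `false` in CanSkipClientAuth is a security decision that should be written down so it is not relaxed later. Suggested comments: `// CanSkipClientAuth always returns false: a token-exchange request must come from an authenticated client.` and `// CanHandleTokenEndpointRequest reports whether token exchange is the request's only grant type.` The grant-type URN is now spelled in a single place, which makes it a good candidate for a package-level constant shared with any client grant-type check.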