.../Core/Entity/EntityAccessControlHandler.php     |  6 ++++++
 .../src/Plugin/rest/resource/EntityResource.php    | 24 ++++++++--------------
 2 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
index 1530693..805c0f2 100644
--- a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
+++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
@@ -350,6 +350,12 @@ public function fieldAccess($operation, FieldDefinitionInterface $field_definiti
    *   The access result.
    */
   protected function checkFieldAccess($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
+    if ($operation === 'edit') {
+      $access = $field_definition->isReadOnly() ? AccessResult::forbidden() : AccessResult::allowed();
+      $access->addCacheableDependency($field_definition);
+      return $access;
+    }
+
     return AccessResult::allowed();
   }
 
diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index 91ce482..40a2546 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -213,23 +213,15 @@ public function patch(EntityInterface $original_entity, EntityInterface $entity
     foreach ($entity->_restSubmittedFields as $field_name) {
       $field = $entity->get($field_name);
 
-      // Entity key fields need special treatment: together they uniquely
-      // identify the entity. Therefore it does not make sense to modify any of
-      // them. However, rather than throwing an error, we just ignore them as
-      // long as their specified values match their current values.
-      if (in_array($field_name, $entity_keys, TRUE)) {
-        // Unchanged values for entity keys don't need access checking.
-        if ($original_entity->get($field_name)->getValue() === $entity->get($field_name)->getValue()) {
-          continue;
-        }
-        // It is not possible to set the language to NULL as it is automatically
-        // re-initialized. As it must not be empty, skip it if it is.
-        elseif (isset($entity_keys['langcode']) && $field_name === $entity_keys['langcode'] && $field->isEmpty()) {
-          continue;
-        }
+      // Allow sending read-only fields, as long as their value is unchanged.
+      // This should not be necessary, but due to a design flaw in the Entity
+      // Field API: the validation logic can only use the pre-update values, not
+      // the post-update values.
+      // @see \Drupal\Core\Entity\EntityAccessControlHandlerInterface::fieldAccess()
+      if ($field->getFieldDefinition()->isReadOnly() && $original_entity->get($field_name)->getValue() === $entity->get($field_name)->getValue()) {
+        continue;
       }
-
-      if (!$original_entity->get($field_name)->access('edit')) {
+      elseif (!$original_entity->get($field_name)->access('edit')) {
         throw new AccessDeniedHttpException("Access denied on updating field '$field_name'.");
       }
       $original_entity->set($field_name, $field->getValue());