remove implicit grant type for OAuth 2 apps

2026-04-24 00:41:48 -05:00 · 2019-05-28 14:22:57 -04:00
parent 41f2b83ae2
commit cb279843d2
7 changed files with 28 additions and 97 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1108,7 +1108,7 @@ class UserAuthorizedTokenSerializer(BaseOAuth2TokenSerializer):
        )
        obj = super(UserAuthorizedTokenSerializer, self).create(validated_data)
        obj.save()
-        if obj.application and obj.application.authorization_grant_type != 'implicit':
+        if obj.application:
            RefreshToken.objects.create(
                user=current_user,
                token=generate_token(),
@@ -1130,7 +1130,7 @@ class OAuth2TokenSerializer(BaseOAuth2TokenSerializer):
        if obj.application and obj.application.user:
            obj.user = obj.application.user
        obj.save()
-        if obj.application and obj.application.authorization_grant_type != 'implicit':
+        if obj.application:
            RefreshToken.objects.create(
                user=current_user,
                token=generate_token(),
--- a/awx/api/templates/api/api_o_auth_authorization_root_view.md
+++ b/awx/api/templates/api/api_o_auth_authorization_root_view.md
@@ -29,17 +29,6 @@ to the redirect_uri specified in the application. The client application will th
 AWX will respond with the `access_token`, `token_type`, `refresh_token`, and `expires_in`. For more
 information on testing this flow, refer to [django-oauth-toolkit](http://django-oauth-toolkit.readthedocs.io/en/latest/tutorial/tutorial_01.html#test-your-authorization-server).

-## Create Token for an Application using Implicit grant type
-Suppose we have an application "admin's app" of grant type `implicit`.
-In API browser, first make sure the user is logged in via session auth, then visit authorization
-endpoint with given parameters:
-```text
-http://localhost:8013/api/o/authorize/?response_type=token&client_id=L0uQQWW8pKX51hoqIRQGsuqmIdPi2AcXZ9EJRGmj&scope=read
-```
-Here the value of `client_id` should be the same as that of `client_id` field of underlying application.
-On success, an authorization page should be displayed asking the logged in user to grant/deny the access token.
-Once the user clicks on 'grant', the API browser will try POSTing to the same endpoint with the same parameters 
-in POST body, on success a 302 redirect will be returned.  

 ## Create Token for an Application using Password grant type