author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-05-19 18:10:40 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-05-19 18:10:40 +0300 |
commit | a6508d0028191c42620414994b2fe4ce62467a73 (patch) | |
tree | 34461b887babb2778a286bb3c988bd9b3af8a3a1 /doc/api/oauth2.md | |
parent | f304336f5e0a200137bd87a3895f1bf20a61b1fb (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/api/oauth2.md')
-rw-r--r-- | doc/api/oauth2.md | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/doc/api/oauth2.md b/doc/api/oauth2.md index dfb91283b50..61eaf0f36d7 100644 --- a/doc/api/oauth2.md +++ b/doc/api/oauth2.md @@ -194,8 +194,10 @@ NOTE: For a detailed flow diagram, see the [RFC specification](https://tools.ietf.org/html/rfc6749#section-4.2). WARNING: -The Implicit grant flow is inherently insecure. The IETF plans to remove it in -[OAuth 2.1](https://oauth.net/2.1/). +Implicit grant flow is inherently insecure and the IETF has removed it in [OAuth 2.1](https://oauth.net/2.1/). +For this reason, [support for it is deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/288516). +In GitLab 14.0, new applications can't be created using it. In GitLab 14.4, support for it is +scheduled to be removed for existing applications. We recommend that you use [Authorization code with PKCE](#authorization-code-with-proof-key-for-code-exchange-pkce) instead. If you choose to use Implicit flow, be sure to verify the `application id` (or `client_id`) associated with the access token before granting |
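Review bot: the first added line of the WARNING overstates the standards status compared with the line it replaces: the removed text said the IETF "plans to remove" the implicit grant in OAuth 2.1, the new text says the IETF "has removed it", yet the only reference is still the same https://oauth.net/2.1/ link and no published RFC is cited. Unless an RFC can be cited, keep the hedge, e.g. "the IETF is removing it in OAuth 2.1", so the documentation does not assert a finished standard it cannot point to. Two smaller points in the same hunk: the new sentence drops the article the removed line had ("The Implicit grant flow is inherently insecure ..."), and the paragraph now refers to the same thing as "Implicit grant flow", "it", and, in the unchanged trailing context, "Implicit flow"; one name throughout reads cleaner. Finally, now that the warning states "In GitLab 14.0, new applications can't be created using it", the unchanged sentence "If you choose to use Implicit flow, be sure to verify the `application id` (or `client_id`) ..." only applies to applications created before 14.0, and saying so in the same paragraph would stop readers from taking it as an option for new applications.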