summaryrefslogtreecommitdiff
path: root/doc/api/oauth2.md
diff options
context:
space:
mode:
authorTimothy Andrew <mail@timothyandrew.net>2016-06-21 11:03:50 +0530
committerTimothy Andrew <mail@timothyandrew.net>2016-06-27 13:48:55 +0530
commitf7fc352b4a54c5b86a47a5e447aefbb40558a2cd (patch)
tree85c0741840f5d71e7e9e719706189c9d0ea4aa39 /doc/api/oauth2.md
parent5804b6a0a28a20b1977ab89e04b15b85475b49e0 (diff)
downloadgitlab-ce-f7fc352b4a54c5b86a47a5e447aefbb40558a2cd.tar.gz
Add notices about disabling auth features for users with 2FA.2979-document-2fa-auth-changes
Diffstat (limited to 'doc/api/oauth2.md')
-rw-r--r--doc/api/oauth2.md9
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/api/oauth2.md b/doc/api/oauth2.md
index d416a826f79..31902e145f6 100644
--- a/doc/api/oauth2.md
+++ b/doc/api/oauth2.md
@@ -65,6 +65,13 @@ curl -H "Authorization: Bearer OAUTH-TOKEN" https://localhost:3000/api/v3/user
## Resource Owner Password Credentials
+## Deprecation Notice
+
+1. Starting in GitLab 9.0, the Resource Owner Password Credentials will be *disabled* for users with two-factor authentication turned on.
+2. These users can access the API using [personal access tokens] instead.
+
+---
+
In this flow, a token is requested in exchange for the resource owner credentials (username and password).
The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g. the
client is part of the device operating system or a highly privileged application), and when other authorization grant types are not
@@ -100,3 +107,5 @@ client = OAuth2::Client.new('the_client_id', 'the_client_secret', :site => "http
access_token = client.password.get_token('user@example.com', 'sekret')
puts access_token.token
```
+
+[personal access tokens]: ./README.md#personal-access-tokens