Diffstat (limited to 'doc/api/oauth2.md')
-rw-r--r-- doc/api/oauth2.md | 14
1 files changed, 7 insertions, 7 deletions
diff --git a/doc/api/oauth2.md b/doc/api/oauth2.md
index b1c81ff20b6..50d063bdf71 100644
--- a/doc/api/oauth2.md
+++ b/doc/api/oauth2.md
@@ -59,7 +59,7 @@ authorization with each flow.
### Web application flow
-NOTE: **Note:**
+NOTE:
Check the [RFC spec](https://tools.ietf.org/html/rfc6749#section-4.1) for a
detailed flow description.
@@ -105,7 +105,7 @@ The web application flow is:
}
```
-NOTE: **Note:**
+NOTE:
The `redirect_uri` must match the `redirect_uri` used in the original
authorization request.
@@ -113,11 +113,11 @@ You can now make requests to the API with the access token returned.
### Implicit grant flow
-NOTE: **Note:**
+NOTE:
Check the [RFC spec](https://tools.ietf.org/html/rfc6749#section-4.2) for a
detailed flow description.
-CAUTION: **Important:**
+WARNING:
Avoid using this flow for applications that store data outside of the GitLab
instance. If you do, make sure to verify `application id` associated with the
access token before granting access to the data
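Review bot: In the implicit grant WARNING, the unchanged text asks readers to verify `application id`, but the backticked term contains a space, so it is not a literal field name a reader can search for or copy. Since this block is already being edited, either name the actual field that carries the application ID or drop the backticks and write "the application ID". The sentence also needs an article ("verify the application ID associated with the access token").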
@@ -149,11 +149,11 @@ https://example.com/oauth/redirect#access_token=ABCDExyz123&state=YOUR_UNIQUE_ST
### Resource owner password credentials flow
-NOTE: **Note:**
+NOTE:
Check the [RFC spec](https://tools.ietf.org/html/rfc6749#section-4.3) for a
detailed flow description.
-NOTE: **Note:**
+NOTE:
The Resource Owner Password Credentials is disabled for users with [two-factor
authentication](../user/profile/account/two_factor_authentication.md) turned on.
These users can access the API using [personal access tokens](../user/profile/personal_access_tokens.md)
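Review bot: Under the second NOTE in the resource owner password credentials section, "The Resource Owner Password Credentials is disabled" is missing its noun; suggest "The Resource Owner Password Credentials flow is disabled for users with two-factor authentication turned on". The two NOTE blocks also now sit back to back with identical labels. The second states a restriction rather than a pointer to the RFC, so consider making it a plain paragraph or merging the two so the restriction is not skimmed past.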
@@ -169,7 +169,7 @@ The credentials should only be used when:
privileged application.
- Other authorization grant types are not available (such as an authorization code).
-CAUTION: **Important:**
+WARNING:
Never store the user's credentials and only use this grant type when your client
is deployed to a trusted environment, in 99% of cases
[personal access tokens](../user/profile/personal_access_tokens.md) are a better
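Review bot: The WARNING text at the end of this hunk joins two separate instructions with a comma ("... deployed to a trusted environment, in 99% of cases ..."), which weakens the one that matters most. Suggest making "Never store the user's credentials." its own sentence, keeping the trusted-environment condition as a second sentence, and starting a third for the personal access token recommendation. The "99% of cases" figure has no source on the page; "in most cases" says the same without implying a measurement.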