From dca7e03b919eda8e1ea052c08c73d768b8e95ef3 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Fri, 9 Apr 2021 07:46:21 -0400
Subject: [PATCH] Deprecate OAuth2AuthorizationResponseType.TOKEN

Closes gh-9582
---
 .../endpoint/OAuth2AuthorizationResponseType.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseType.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseType.java
index 4415429058..e71aaa182e 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseType.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseType.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -43,6 +43,15 @@ public final class OAuth2AuthorizationResponseType implements Serializable {
 public static final OAuth2AuthorizationResponseType CODE = new OAuth2AuthorizationResponseType("code");
+ /**
+ * It is not recommended to use the implicit flow due to the inherent risks of
+ * returning access tokens in an HTTP redirect without any confirmation that it has
+ * been received by the client.
+ *
+ * @see OAuth 2.0
+ * Implicit Grant
+ */
+ @Deprecated
 public static final OAuth2AuthorizationResponseType TOKEN = new OAuth2AuthorizationResponseType("token");
 private final String value;
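Review bot: The Javadoc added above `TOKEN` in the second hunk explains the risk but has no `@deprecated` tag, so javadoc output and IDE hovers show the `@Deprecated` annotation without the reason or a replacement, and the implicit-flow warning is easy to miss at the call site. I would add a tag such as `@deprecated Use the authorization code grant ({@link #CODE}), with PKCE for public clients; the implicit grant exposes the access token in the redirect URI and is no longer recommended.` as the last paragraph of that comment. The `@see` entry reads here as bare text `OAuth 2.0 Implicit Grant`; if its link markup was dropped in extraction this can be ignored, otherwise it should carry a reference to the Implicit Grant section of RFC 6749 so readers can follow it. The enclosing class `OAuth2AuthorizationResponseType` starts before this hunk and continues after it.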