Deprecate Implicit Grant

Fixes gh-8013

docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc

@@ -1082,7 +1082,7 @@ The supported values are *basic*, *post* and *none* https://tools.ietf.org/html/
 [[nsa-client-registration-authorization-grant-type]]
 * **authorization-grant-type**
 The OAuth 2.0 Authorization Framework defines four https://tools.ietf.org/html/rfc6749#section-1.3[Authorization Grant] types.
-The supported values are `authorization_code`, `client_credentials`, `password` and `implicit`.
+The supported values are `authorization_code`, `client_credentials` and `password`.
 
 
 [[nsa-client-registration-redirect-uri]]

docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc

@@ -135,7 +135,7 @@ public final class ClientRegistration {
 <4> `clientAuthenticationMethod`: The method used to authenticate the Client with the Provider.
 The supported values are *basic*, *post* and *none* https://tools.ietf.org/html/rfc6749#section-2.1[(public clients)].
 <5> `authorizationGrantType`: The OAuth 2.0 Authorization Framework defines four https://tools.ietf.org/html/rfc6749#section-1.3[Authorization Grant] types.
- The supported values are `authorization_code`, `client_credentials`, `password` and `implicit`.
+ The supported values are `authorization_code`, `client_credentials` and `password`.
 <6> `redirectUriTemplate`: The client's registered redirect URI that the _Authorization Server_ redirects the end-user's user-agent
  to after the end-user has authenticated and authorized access to the client.
 <7> `scopes`: The scope(s) requested by the client during the Authorization Request flow, such as openid, email, or profile.

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java

@@ -36,7 +36,17 @@ import java.io.Serializable;
 public final class AuthorizationGrantType implements Serializable {
 	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 	public static final AuthorizationGrantType AUTHORIZATION_CODE = new AuthorizationGrantType("authorization_code");
+
+	/**
+	 * It is not recommended to use the implicit flow
+	 * due to the inherent risks of returning access tokens in an HTTP redirect
+	 * without any confirmation that it has been received by the client.
+	 *
+	 * @see <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0 Implicit Grant</a>
+	 */
+	@Deprecated
 	public static final AuthorizationGrantType IMPLICIT = new AuthorizationGrantType("implicit");
+
 	public static final AuthorizationGrantType REFRESH_TOKEN = new AuthorizationGrantType("refresh_token");
 	public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
 	public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password");

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java

@@ -186,8 +186,13 @@ public final class OAuth2AuthorizationRequest implements Serializable {
 	/**
 	 * Returns a new {@link Builder}, initialized with the implicit grant type.
 	 *
+	 * @deprecated It is not recommended to use the implicit flow
+	 * due to the inherent risks of returning access tokens in an HTTP redirect
+	 * without any confirmation that it has been received by the client.
+	 * @see <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0 Implicit Grant</a>
 	 * @return the {@link Builder}
 	 */
+	@Deprecated
 	public static Builder implicit() {
 		return new Builder(AuthorizationGrantType.IMPLICIT);
 	}