Document OAuth2 limitations and requirements

Relates to #3464.
owncloud-archive · Jun 1, 2018 · fe0a521 · fe0a521
1 parent f9fbb78
commit fe0a521
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/admin_manual/configuration/server/security/oauth2.rst b/admin_manual/configuration/server/security/oauth2.rst
@@ -136,6 +136,9 @@ An access token is valid for 1 hour and can be refreshed with a refresh token.
 
 For further information about client registration, please refer to `the official access token response RFC from the IETF`_.
 
+.. note::
+   For a succinct explanation of the differences between access tokens and authorization codes, check out `this answer on StackOverflow`_.
+
 Installation
 ------------
 
@@ -149,6 +152,8 @@ If you are hosting your ownCloud installation from the Apache web server, then b
 Basic Configuration
 -------------------
 
+To enable token-only based app or client logins in ``config/config.php`` set ``token_auth_enforced`` to ``true``.
+
 Restricting Usage
 -----------------
 
@@ -180,4 +185,4 @@ Revoking Sessions
 .. _Client authentication: https://tools.ietf.org/html/rfc6749#section-2.3
 .. _mod_rewrite: http://httpd.apache.org/docs/current/mod/mod_rewrite.html
 .. _mod_headers: http://httpd.apache.org/docs/current/mod/mod_headers.html
-
+.. _this answer on StackOverflow: https://stackoverflow.com/a/16341985/222011