Currently, we can get the oauth2Grant.jsp page without being authenticated.
This is not a security issue since the POST to /oauth2/authorize_submit is protected by the authentication filter.
Yet, once logged in, a GET is issued on /oauth2/authorize_submit, which leads to a 404. By putting oauth2Grant.jsp behind the authentication filter, the POST will instead return an OAuth 2 error due to the missing parameters, which is better.
Moreover, a GET on /oauth2/authorize_submit should return an OAuth 2 error page with the status code 405 Method Not Allowed.
Currently, this scenario leads to a 404:
- Log in to Nuxeo on the Chrome mobile browser
- Open the app: since we are already logged in, we get the OAuth 2 grant page directly
- Log out from Nuxeo in Chrome
- In the app, click on Grant
- Log in to Nuxeo within the app
Getting an OAuth 2 error page instead would be better.
The same applies to /oauth2/token.
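As an added illustration of the expected behaviour for both /oauth2/authorize_submit and /oauth2/token (not Nuxeo's own code; the servlet class name and the `client_id`/`response_type` checks are assumptions), a servlet that answers any non-POST request with 405 Method Not Allowed plus an OAuth 2 error body, and answers a POST with missing parameters with an OAuth 2 error rather than a 404:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; the authentication filter is assumed to sit in front of it.
@WebServlet("/oauth2/authorize_submit")
public class AuthorizeSubmitServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The endpoint is POST-only: reject GET (and every other method) with 405,
        // advertising the allowed method as RFC 7231 requires for a 405 response.
        if (!"POST".equals(req.getMethod())) {
            resp.setHeader("Allow", "POST");
            sendOAuth2Error(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                    "invalid_request", "only POST is allowed on this endpoint");
            return;
        }
        super.service(req, resp); // dispatches to doPost
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Missing grant parameters yield an OAuth 2 error instead of a 404.
        String clientId = req.getParameter("client_id");
        String responseType = req.getParameter("response_type");
        if (clientId == null || clientId.isEmpty() || responseType == null || responseType.isEmpty()) {
            sendOAuth2Error(resp, HttpServletResponse.SC_BAD_REQUEST,
                    "invalid_request", "missing client_id or response_type");
            return;
        }
        // Normal grant processing of a well-formed POST is outside this illustration.
    }

    /** Writes an RFC 6749 style JSON error body; the strings passed here are fixed literals. */
    static void sendOAuth2Error(HttpServletResponse resp, int status, String error, String description)
            throws IOException {
        resp.setStatus(status);
        resp.setContentType("application/json");
        resp.setCharacterEncoding("UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        resp.getWriter().write("{\"error\":\"" + error + "\",\"error_description\":\"" + description + "\"}");
    }
}
```

The same pattern applies to /oauth2/token, with the token endpoint's own required parameters checked in doPost.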