FOSOAuthServerBundle
Implicit flow enabled by default for every client
Hi guys, I have a question about the implicit flow. I'm a little confused because I can see that other people tried to use this flow on the /token endpoint and failed, and it was said that your library doesn't support public clients. But actually the implicit flow doesn't use the /token endpoint; it's based on a request to /auth with the parameter "response_type" set to "token".
You are using the friendsofsymfony/oauth2-php library, which supports this flow, and the only check it does is whether the storage implements IOAuth2GrantImplicit. You added this interface to OAuthStorage, and with this setup I guess it's always possible for every client with the "authorization_code" grant type enabled to add "response_type=token" and use the implicit flow.
Is there any way to disable it that I can't see, or does every client have the implicit flow enabled by default? Because that doesn't look like a secure default configuration.
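To make the distinction the issue raises concrete, here is an added illustration (not code from FOSOAuthServerBundle or friendsofsymfony/oauth2-php) contrasting a storage-wide marker-interface check, as described above, with a per-client check on the authorize endpoint. Every class and function name below is hypothetical; the only facts taken from the page are that `response_type=token` selects the implicit grant while `response_type=code` selects `authorization_code`, and that a check of the form "does the storage implement the implicit marker interface" gives the same answer for every client.

```php
<?php
// Added illustration, not code from FOSOAuthServerBundle or oauth2-php.
// All names are hypothetical; the data at the bottom is constructed.

// Stand-in for a marker interface such as IOAuth2GrantImplicit (assumed
// to be a marker here; nothing on the page says otherwise).
interface GrantImplicitMarker {}

final class Client
{
    public string $id;
    /** @var string[] grant types this client was registered for */
    public array $allowedGrantTypes;

    public function __construct(string $id, array $allowedGrantTypes)
    {
        $this->id = $id;
        $this->allowedGrantTypes = $allowedGrantTypes;
    }
}

// The /auth "response_type" parameter selects a grant; the two are not
// interchangeable, which is why gating one does not gate the other.
const RESPONSE_TYPE_TO_GRANT = [
    'code'  => 'authorization_code',
    'token' => 'implicit',
];

/**
 * Storage-wide gate: the only question is whether the storage supports the
 * implicit grant at all, so every client gets the same answer.
 */
function allowedGlobally(object $storage, string $responseType): bool
{
    return $responseType !== 'token' || $storage instanceof GrantImplicitMarker;
}

/**
 * Per-client gate: the requested response_type must map to a grant type this
 * particular client is allowed to use. Unknown response types are rejected.
 */
function allowedForClient(Client $client, string $responseType): bool
{
    $grant = RESPONSE_TYPE_TO_GRANT[$responseType] ?? null;
    return $grant !== null && in_array($grant, $client->allowedGrantTypes, true);
}

// Constructed sample data: a storage that carries the marker interface, a
// confidential web app registered only for authorization_code, and a
// browser app registered only for implicit.
$storage = new class implements GrantImplicitMarker {};
$clients = [
    new Client('web-app', ['authorization_code']),
    new Client('browser-app', ['implicit']),
];

foreach ($clients as $client) {
    foreach (['code', 'token'] as $responseType) {
        printf(
            "client=%-12s response_type=%-5s storage-wide=%-5s per-client=%s\n",
            $client->id,
            $responseType,
            allowedGlobally($storage, $responseType) ? 'allow' : 'deny',
            allowedForClient($client, $responseType) ? 'allow' : 'deny'
        );
    }
}
```

The row for `web-app` with `response_type=token` is the case the issue is about: the storage-wide check allows it because the marker interface is present, while the per-client check denies it because that client was never registered for the implicit grant. Whatever the authorize endpoint does after this point, the decision should be taken from the client's registered grant types, not from a property of the storage class shared by all clients.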