The OTK supports the implicit grant type of the OAuth 2.0 framework. However, how should this (rather insecure) grant type be disabled? I know about the encapsulated assertion OTK Configured Grant Types, but the implicit grant type is not configurable there. Should I turn it off specifically in the authorize endpoint?
You would need to customize the /auth/oauth/v2/authorize endpoint.
Try to find "OTK response_type=TOKEN" in the authorize endpoint, and then disable the parent "All assertions ..." branch.
The test client /oauth/v2/client/implicit should then return the error message:
"The request was invalid. Please try again."
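A way to check the effect of that policy change outside the gateway, as an added example that is not part of the original answer and not OTK code: the function below models the gate that the authorize endpoint enforces once the implicit branch is gone, accepting only `response_type=code` and rejecting `token` (including multi-valued forms such as `code token`, which RFC 6749 permits as space-separated values). The allow-list, the sample URLs and the 400 status are assumptions; the error text is the one quoted in the answer.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list that mirrors disabling the "OTK response_type=TOKEN" branch:
# only the authorization-code flow is left at the authorize endpoint.
ALLOWED_RESPONSE_TYPES = frozenset({"code"})

# Error text the answer says the OTK test client shows after the change.
OTK_INVALID_REQUEST_MESSAGE = "The request was invalid. Please try again."


def response_types(query):
    """Return the space-separated response_type values from an authorize query string.

    A missing or duplicated response_type parameter yields an empty list,
    which the caller treats as an invalid request.
    """
    params = parse_qs(query, keep_blank_values=True)
    values = params.get("response_type", [])
    if len(values) != 1:
        return []
    # RFC 6749 allows extension response types as a space-delimited list;
    # parse_qs already turns '+' and '%20' into spaces.
    return values[0].split()


def authorize_request_is_allowed(url):
    """True only if every requested response type is on the allow-list.

    Because this is an allow-list, 'token', 'code token' and any unknown or
    case-mangled value ('TOKEN') are all rejected; only exactly 'code' passes.
    """
    types = response_types(urlsplit(url).query)
    return bool(types) and all(t in ALLOWED_RESPONSE_TYPES for t in types)


def authorize(url):
    """Model of the gate in front of /auth/oauth/v2/authorize.

    Returns (status, message). 400 with the OTK message on rejection is an
    assumption for the model; the real gateway renders the message in its
    own error page.
    """
    if not authorize_request_is_allowed(url):
        return 400, OTK_INVALID_REQUEST_MESSAGE
    return 200, "proceed to login/consent for the authorization-code flow"


# Constructed sample requests (hostnames and client_id are placeholders).
BASE = "https://gateway.example/auth/oauth/v2/authorize?client_id=demo&redirect_uri=https://client.example/cb"
CONSTRUCTED_REQUESTS = [
    BASE + "&response_type=code",          # allowed: authorization-code flow
    BASE + "&response_type=token",         # rejected: implicit grant
    BASE + "&response_type=code%20token",  # rejected: hybrid request includes token
    BASE + "&response_type=TOKEN",         # rejected: not on the allow-list
    BASE,                                  # rejected: response_type missing
]


def summarize(urls):
    """Return the list of (response_type, status) pairs for a batch of requests."""
    return [(parse_qs(urlsplit(u).query).get("response_type", [""])[0], authorize(u)[0])
            for u in urls]


if __name__ == "__main__":
    for rt, status in summarize(CONSTRUCTED_REQUESTS):
        print(f"response_type={rt!r:14} -> HTTP {status}")
```

Running this against the constructed list shows only the `code` request passing; every request that carries `token` anywhere in `response_type` gets the "request was invalid" message, which is the same outcome the answer expects from the /oauth/v2/client/implicit test client once the branch is disabled.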