A warning should be added about removing custom OAuth2 grant types #10217

@Tharanidk

Description

When you remove a custom grant type from deployment.toml, any existing OAuth applications that used that grant still keep it in their client settings. Later actions, like changing the application owner, can then fail with “grant type is not allowed,” and may leave data in an inconsistent state.

The docs currently don’t warn admins to clean up affected apps first. We should add a clear warning:

  • Before removing a custom grant type, find all applications that use it and update those apps to remove or replace the grant (preferably via the Key Manager / client registration update APIs).

  • Only after that, remove the grant from deployment.toml.

If this step is skipped, operations such as application updates or ownership changes can fail and cause inconsistencies between the Service Provider and Application tables.
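A pre-flight check for the clean-up step described above, added here as an example and not part of the issue or of WSO2's own tooling: it scans a constructed deployment.toml for `[[oauth.custom_grant_type]]` entries (the table layout is assumed from the linked docs) and a constructed application inventory (the field names `client_id` and `grant_types` are assumptions, not a WSO2 schema), and reports which applications still reference the grant so that removal is blocked until those apps are updated.

```python
# Constructed sample of the deployment.toml block that registers custom grants;
# the [[oauth.custom_grant_type]] table layout is assumed from the linked docs.
DEPLOYMENT_TOML = """
[[oauth.custom_grant_type]]
name = "mobile"
grant_handler = "org.example.grant.MobileGrant"

[[oauth.custom_grant_type]]
name = "sms_otp"
grant_handler = "org.example.grant.SmsOtpGrant"
"""

# Constructed inventory of OAuth applications as exported from the Key Manager;
# the field names (client_id, grant_types) are assumptions, not a WSO2 schema.
APPLICATIONS = [
    {"client_id": "app-1", "grant_types": ["password", "mobile"]},
    {"client_id": "app-2", "grant_types": ["client_credentials"]},
    {"client_id": "app-3", "grant_types": ["mobile", "refresh_token"]},
]


def configured_custom_grants(toml_text: str) -> set[str]:
    """Names declared under [[oauth.custom_grant_type]] (minimal line scan, no TOML lib)."""
    grants, in_table = set(), False
    for line in toml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):  # any table header starts a new table
            in_table = stripped == "[[oauth.custom_grant_type]]"
            continue
        key, _, value = stripped.partition("=")
        if in_table and key.strip() == "name":
            grants.add(value.strip().strip('"'))
    return grants

def apps_blocking_removal(apps, grant: str) -> list[str]:
    """client_ids that still carry `grant` and must be updated before it is removed."""
    return [a["client_id"] for a in apps if grant in a.get("grant_types", [])]

def preflight(toml_text: str, apps, grant: str) -> tuple[bool, list[str]]:
    """(safe_to_remove, blockers): safe only when no application still uses the grant."""
    if grant not in configured_custom_grants(toml_text):
        raise ValueError(f"{grant!r} is not a configured custom grant type")
    blockers = apps_blocking_removal(apps, grant)
    return (not blockers, blockers)

if __name__ == "__main__":
    for grant in ("mobile", "sms_otp"):
        safe, blockers = preflight(DEPLOYMENT_TOML, APPLICATIONS, grant)
        print(grant, "safe to remove" if safe else f"blocked by {blockers}")
```

In a real run the inventory would come from the Key Manager's application listing rather than the inline sample, and each blocker would be updated through the client registration update API before the grant is removed.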

Suggested Fix

Related documentation: https://apim.docs.wso2.com/en/4.1.0/reference/customize-product/extending-api-manager/extending-key-management/writing-custom-grant-types/

Version(s)

4.1.0
