diff --git a/dashboard/authcallback.html b/dashboard/authcallback.html
index 43fbf378e..a098cd368 100644
--- a/dashboard/authcallback.html
+++ b/dashboard/authcallback.html
@@ -2,6 +2,7 @@
 var tmp = window.location.hash.slice(1).split('&');
+// FIXME: implicit flow (response_type=code token) results in access_token query param. this is not secure
 tmp.forEach(function (pair) {
 if (pair.indexOf('access_token=') === 0) localStorage.token = pair.split('=')[1];
 });
diff --git a/src/oidcserver.js b/src/oidcserver.js
index 3208c3f00..abfa8d9dc 100644
--- a/src/oidcserver.js
+++ b/src/oidcserver.js
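Review bot: The FIXME added above `tmp.forEach` says the access token arrives as a query param, but the line before it reads `window.location.hash`, so the token is in the URL fragment — which is what `response_type=code token` produces — and the comment should name the actual exposure, e.g. `// FIXME: implicit flow (response_type=code token) returns access_token in the URL fragment (browser history, any script on this origin); move to the authorization code flow and stop persisting the token in localStorage`. Independently of the flow, `localStorage.token = pair.split('=')[1]` puts the bearer token where any script on the origin can read it and truncates a value that contains `=`; `pair.slice('access_token='.length)` keeps the whole value. No `state` comparison is visible in this hunk; if the page does not check it elsewhere, the callback will accept a token injected through an attacker-supplied fragment. The enclosing `<script>` block starts and ends outside the hunk.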
@@ -39,12 +39,15 @@ const assert = require('assert'), groups = require('./groups.js'), util = require('util'); -// Index.vue starts the OIDC flow by navigating to /openid/auth. OIDC logic redirects to login.html // which is rendered by -// renderInteractionPage() with the submitUrl /interaction/:uid/login -// When submitted, it invokes interactionLogin() and validates user creds. At this point,// a grant is created by loadExistingGrant. -// For webadmin, we issue a grant with scopes and this skips // the confirmation flow. For apps (for no specific reason), we continue -// with confirmation flow which is rendered by renderInteractionPage() . The consent page renders oidc_interaction_confirm.html -// which immediately auto submits without user interaction. The page calls interactionConfirm() which finishes it via interactionFinished(). +// 1. Index.vue starts the OIDC flow by navigating to /openid/auth. Webadmin sets callback url to authcallback.html + implicit flow +// 2. oidcserver starts an interaction and redirects to login.html +// 3. login.html is rendered by renderInteractionPage() with the form submit url /interaction/:uid/login +// 4. When form is submitted, it invokes interactionLogin(). This validates user creds +// 5. We enter the scopes confirmation flow which is oidc_interaction_confirm.html rendered by renderInteractionPage() +// 6. We have no concept of confirmation. The page auto-submits the form immediately without user interaction +// 7. oidcserver calls interactionConfirm() which finishes it via interactionFinished(). + +// FIXME: webadmin's implicit flow (response_type=code token) results in authcallback.html being called with access_token query param. We should remove this const ROUTE_PREFIX = '/openid'; 
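Review bot: The new FIXME at the end of the comment block misplaces the token: it says authcallback.html is called with an `access_token query param`, while `response_type=code token` returns it in the URL fragment, which is also where authcallback.html reads it. The distinction matters for the follow-up — a query-string token reaches the server and its logs, a fragment stays client-side but lands in browser history and is readable by any script on the page — so the comment should state the real location, e.g. `// FIXME: webadmin uses the hybrid flow (response_type=code token), so authcallback.html receives the access_token in the URL fragment. Switch webadmin to the plain authorization code flow (response_type=code).` Step 6 ("We have no concept of confirmation") would also read better if it said that the consent page is auto-submitted for every client and that the grant is created there, since nothing in this file's visible flow description says where the grant comes from.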
@@ -617,18 +620,8 @@ async function start() {
 if (grantId) return await ctx.oidc.provider.Grant.find(grantId);
- // create a grant with scopes to skip the consent dialog (https://github.com/panva/node-oidc-provider/discussions/1307)
- if (ctx.oidc.client.clientId === oidcClients.ID_WEBADMIN || ctx.oidc.client.clientId === oidcClients.ID_DEVELOPMENT) {
- const grant = new ctx.oidc.provider.Grant({
- clientId: ctx.oidc.client.clientId,
- accountId: ctx.oidc.session.accountId,
- });
- grant.addOIDCScope('openid email profile groups');
- await grant.save();
- return grant;
- }
+ // if required, we can skip the consent screen altogether. See https://github.com/panva/node-oidc-provider/discussions/1307 . but then we have to raise login events here
+ return null;
 },
 // https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#issuerefreshtoken
 async issueRefreshToken(ctx, client, code) {
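Review bot: `return null` now sends every client, webadmin included, through the consent interaction, so the grant and its scopes are created in interactionConfirm() rather than here; the comment above it only mentions the skipped shortcut and should say what actually happens, e.g. `// No pre-created grant: every client goes through the (auto-submitted) consent interaction, which creates the grant in interactionConfirm() and raises the login events.` The current wording ("if required, we can skip ... . but then we have to raise login events here") also carries a stray ` .` and reads as an unfinished thought. Whether interactionConfirm limits the grant to the scopes the client actually requested, or still hands out `openid email profile groups` unconditionally as the removed code did, is outside this hunk and worth confirming, since the consent page is submitted without the user seeing it. loadExistingGrant's signature is above the hunk.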