...
Note: The confusion over "active"/"inactive" versus "email-verified"/"non-verified" users strives from the fact that the "is_active" field on a user object is dual-purposed for both user states: email verification (user-initiated) and user deactivation (devOps-initiated). This means that if we do deactivate users (devOps-initiated), that would also be bypassed by OAuth2AuthenticationAllowInactiveUser.
OAuth2 Access Tokens
The mobile app obtains an edX-issued access token in either of the following ways:
...