don't allow OAuth2 token creation for "external" users

see: https://github.com/ansible/tower/issues/2326

awx/api/urls/oauth2_root.py

@@ -3,16 +3,29 @@
 
 from django.conf.urls import url
 
-from oauth2_provider.urls import base_urlpatterns
+from oauthlib import oauth2
+from oauth2_provider import views
 
 from awx.api.views import (
     ApiOAuthAuthorizationRootView,
 )
 
 
+class TokenView(views.TokenView):
+
+    def create_token_response(self, request):
+        try:
+            return super(TokenView, self).create_token_response(request)
+        except oauth2.AccessDeniedError as e:
+            return request.build_absolute_uri(), {}, str(e), '403'
+
+
 urls = [
     url(r'^$', ApiOAuthAuthorizationRootView.as_view(), name='oauth_authorization_root_view'),
-] + base_urlpatterns
+    url(r"^authorize/$", views.AuthorizationView.as_view(), name="authorize"),
+    url(r"^token/$", TokenView.as_view(), name="token"),
+    url(r"^revoke_token/$", views.RevokeTokenView.as_view(), name="revoke-token"),
+]
 
 
 __all__ = ['urls']