Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape.
token_type_hint when searching for access token in TokensController to avoid extra database calls.
[#1551] Change lazy loading for ORM to be Ruby standard autoload.
[#1552] Remove duplicate IDs on Auth form to improve accessibility.
[#1542] Improve performance of Doorkeeper::AccessToken#matching_token_for using database specific SQL time math. [IMPORTANT]: the API of the Doorkeeper::AccessToken#matching_token_for method has changed and it now returns only active access tokens (previously they were merely not revoked). Please remember that the idea of the reuse_access_token option is to check for an existing active token (see the configuration option description).
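To make the [#1542] semantic change concrete, here is an added example (not Doorkeeper's own code) that models the old and new matching behaviour over an in-memory list of constructed tokens. The Token struct, the sample tokens and the two lookup functions are assumptions made for illustration; the only point carried over from the entry is that "active" means not revoked and not expired, whereas the old lookup only checked for revocation, so with reuse_access_token enabled an expired token could be handed back to a client.

```ruby
# Added example (not Doorkeeper's code): models the matching_token_for change
# from #1542 on plain in-memory data. All tokens below are constructed samples.
require "time"

Token = Struct.new(:token, :application_id, :resource_owner_id, :scopes,
                   :created_at, :expires_in, :revoked_at, keyword_init: true) do
  # A token is expired once created_at + expires_in is in the past.
  def expired?(now)
    !expires_in.nil? && created_at + expires_in <= now
  end

  def revoked?
    !revoked_at.nil?
  end

  # "Active" in Doorkeeper's sense: neither revoked nor expired.
  def active?(now)
    !revoked? && !expired?(now)
  end

  # Same client, same resource owner, same scope set.
  def matches?(application_id, resource_owner_id, scopes)
    self.application_id == application_id &&
      self.resource_owner_id == resource_owner_id &&
      self.scopes.sort == scopes.sort
  end
end

# Fixed "now" so the sample data behaves deterministically.
NOW = Time.utc(2021, 6, 1, 12, 0, 0)

SAMPLE_TOKENS = [
  # Issued two hours ago with a one-hour lifetime: expired, but never revoked.
  Token.new(token: "t-expired", application_id: 1, resource_owner_id: 42, scopes: %w[read],
            created_at: NOW - 7200, expires_in: 3600, revoked_at: nil),
  # Fresh but explicitly revoked.
  Token.new(token: "t-revoked", application_id: 1, resource_owner_id: 42, scopes: %w[read],
            created_at: NOW - 60, expires_in: 3600, revoked_at: NOW - 30),
  # Active, but a different scope set, so it must not be reused for "read".
  Token.new(token: "t-other-scope", application_id: 1, resource_owner_id: 42, scopes: %w[read write],
            created_at: NOW - 60, expires_in: 3600, revoked_at: nil),
  # The token a correct lookup should return.
  Token.new(token: "t-active", application_id: 1, resource_owner_id: 42, scopes: %w[read],
            created_at: NOW - 10, expires_in: 3600, revoked_at: nil),
].freeze

# Pre-#1542 behaviour: any matching token that is merely not revoked qualifies,
# so an expired token can be handed back when reuse_access_token is enabled.
def legacy_matching_token(tokens, application_id, resource_owner_id, scopes)
  tokens.find { |t| t.matches?(application_id, resource_owner_id, scopes) && !t.revoked? }
end

# Post-#1542 behaviour: only active tokens (not revoked and not expired) qualify.
def matching_token(tokens, application_id, resource_owner_id, scopes, now: NOW)
  tokens.find { |t| t.matches?(application_id, resource_owner_id, scopes) && t.active?(now) }
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy lookup: #{legacy_matching_token(SAMPLE_TOKENS, 1, 42, %w[read])&.token}"
  puts "active lookup: #{matching_token(SAMPLE_TOKENS, 1, 42, %w[read])&.token}"
end
```

Run it with plain Ruby: the legacy lookup returns t-expired, the active lookup returns t-active, and a request for a scope set no token carries returns nothing, which is the case where a provider should mint a new token rather than reuse one.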
redirect_uri as per the spec.
doorkeeper.errors.messages.forbidden_token.missing_scope.
strict-loading for Doorkeeper models by default.
old_refresh_token if previous_refresh_token is present.
respond_to undefined in API-only mode.
config.skip_client_authentication_for_password_grant is set and the client credentials are sent in a HTTP Basic auth header.
TokenInfoController to be overridable (extract response rendering).
[#1473] Enable Applications and AuthorizedApplications controllers in API mode.
[IMPORTANT] you can still skip these controllers using skip_controllers in use_doorkeeper inside routes.rb. Please do so if you don't need them.
[#1472] Fix establish_connection configuration for custom defined models.
[#1471] Add support for Ruby 3.0.
[#1469] Check if redirect_uri exists.
[#1465] Memoize nil doorkeeper_token.
[#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
[#1457] Make owner_id a bigint for newly-generated owner migrations.
[#1452] Empty previous_refresh_token only if present.
[#1440] Validate empty host in redirect_uri.
[#1438] Add form post response mode.
[#1458] Make config.skip_client_authentication_for_password_grant a long term configuration option.
[#1435] Make error response not redirectable when client is unauthorized.
[#1426] Ensure ActiveRecord callbacks are executed on token revocation.
[#1407] Remove redundant and complex-to-support helpers from tests (should_have_json, etc).
[#1416] Don't add introspection route if token introspection completely disabled.
[#1410] Properly memoize current_resource_owner value (consider nil and false values).
[#1415] Ignore PKCE params for non-PKCE grants.
[#1418] Add ability to register custom OAuth Grant Flows.
[#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
[IMPORTANT] you need to create a new OAuth client (Doorkeeper::Application) if you didn't have one before, and send its client credentials in HTTP Basic auth if you previously used this grant flow without client authentication. For migration purposes you could set the skip_client_authentication_for_password_grant configuration option to true, but this behavior (as well as the configuration option) will be completely removed in a future version of Doorkeeper. All the users of your provider application now need to include client credentials when they use this grant flow.
[#1421] Add Resource Owner instance to authorization hook context for custom_access_token_expires_in configuration option to allow resource owner based Access Tokens TTL.
Doorkeeper::Application#read_attribute_for_serialization public.