Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape.
[#1371] Add #as_json method and attributes serialization restriction for Application model. Fixes information disclosure vulnerability (CVE-2020-10187).
[IMPORTANT] you need to re-implement the #as_json method for the Doorkeeper Application model if you previously used #to_json serialization with custom options or attributes, or rely on the JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This is a breaking change which restricts serialized attributes to a very small set of columns.
[#1395] Fix NameError: uninitialized constant Doorkeeper::AccessToken for Rake tasks.
[#1397] Add as: :doorkeeper_application on Doorkeeper application form in order to support custom configured application model.
[#1400] Correctly yield the application instance to allow_grant_flow_for_client? config option (fixes #1398).
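As an added illustration (not Doorkeeper's own code and not part of the original changelog), the following stand-alone Ruby class mimics the restricted #as_json pattern on a plain object so it runs without Rails: a small public whitelist of columns, a wider view for the application's owner, and a guarantee that the secret column never reaches JSON even when a caller passes only:. The option names :current_resource_owner and :as_owner, the attribute set and the sample values are assumptions made for this example.

```ruby
require "json"

# Constructed, stand-alone illustration of restricting #as_json on an OAuth
# client record. This is NOT Doorkeeper's Application model; it mimics the
# pattern with a plain Ruby object so it runs without Rails/ActiveRecord.
class ExampleApplication
  # Columns that are safe to expose to anyone who can list applications.
  PUBLIC_ATTRIBUTES = %w[id name created_at].freeze

  # Additional columns the application's owner may see. The secret is never
  # emitted by #as_json at all, for owners or anyone else.
  OWNER_ATTRIBUTES = (PUBLIC_ATTRIBUTES + %w[uid redirect_uri scopes confidential]).freeze

  attr_reader :attributes, :owner

  def initialize(owner:, **attrs)
    @owner = owner
    @attributes = attrs.transform_keys(&:to_s)
  end

  # Restricted serialization: only a whitelist of attributes is emitted, and
  # the whitelist depends on whether the caller is the owner. `options` is a
  # hash in the ActiveModel style; :current_resource_owner and :as_owner are
  # option names assumed for this example.
  def as_json(options = {})
    allowed = owner_view?(options) ? OWNER_ATTRIBUTES : PUBLIC_ATTRIBUTES
    # `only:` may narrow the whitelist but never widen it, so a caller cannot
    # opt back in to the secret by passing `only: [:secret]`.
    if options[:only]
      requested = Array(options[:only]).map(&:to_s)
      allowed &= requested
    end
    attributes.slice(*allowed)
  end

  # #to_json delegates to the restricted #as_json, so both paths agree.
  def to_json(options = {})
    JSON.generate(as_json(options))
  end

  private

  def owner_view?(options)
    options[:as_owner] || (!owner.nil? && owner == options[:current_resource_owner])
  end
end

# Constructed sample record; the secret is a placeholder, not a credential.
SAMPLE_APP = ExampleApplication.new(
  owner: "alice",
  id: 7,
  name: "Example Client",
  uid: "constructed-uid",
  secret: "PLACEHOLDER_CLIENT_SECRET",
  redirect_uri: "https://client.example/callback",
  scopes: "read write",
  confidential: true,
  created_at: "2020-03-01T00:00:00Z"
)

# What an anonymous /oauth/applications.json listing would now contain.
def public_payload(app = SAMPLE_APP)
  app.as_json
end

# What the owner sees: more columns, still no secret.
def owner_payload(app = SAMPLE_APP)
  app.as_json(current_resource_owner: "alice")
end

# A caller asking for the secret via `only:` still gets only public columns.
def attempted_secret_exposure(app = SAMPLE_APP)
  app.as_json(only: [:id, :secret])
end

if __FILE__ == $PROGRAM_NAME
  puts SAMPLE_APP.to_json
  puts SAMPLE_APP.to_json(current_resource_owner: "alice")
end
```

The check a practitioner wants after upgrading is the last helper: render an application with the most permissive options a controller could ever pass and confirm the secret column is absent from the result.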
[#1402] Handle trying authorization with client credentials.
[#1366] Sets expiry of token generated using refresh_token to that of original token. (Fixes #1364)
[#1354] Add authorize_resource_owner_for_client option to authorize the calling user to access an application.
[#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant models (use_polymorphic_resource_owner configuration option).
[IMPORTANT] Review your custom patches or extensions for Doorkeeper internals if you have any, since Doorkeeper now passes the Resource Owner instance to every object and not just its ID. See PR description for details.
[#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
[#1357] Fix Doorkeeper::OAuth::PreAuthorization#as_json method causing "Stack level too deep" error with AMS (fix #1312).
[#1358] Deprecate active_record_options configuration option.
[#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it in external extensions.
[#1360] Increase matching_token_for lookup size to 10 000 and make it configurable.
[#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
[#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
[IMPORTANT] Now, in full accordance with RFC 7009, no revocation request is accepted without client_id (for public clients) and client_secret (for private clients). Please update your apps to include that information in the revocation request payload.
[#1373] Make Doorkeeper routes mapper reusable in extensions.
[#1374] Revoke and issue client credentials token in a transaction with a row lock.
[#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
[#1387] Add AccessToken#create_for and use in RefreshTokenRequest.
[#1392] Fix enable_polymorphic_resource_owner migration template to have proper index name.
[#1393] Improve Applications #show page with more informative data on client secret and scopes.
[#1394] Use Ruby autoload feature to load Doorkeeper files.