Changelog History

  • v5.6.0.rc1 Changes

    • 💎 [#1551] Change lazy loading for ORM to be Ruby standard autoload.
    • 🚚 [#1552] Remove duplicate IDs on Auth form to improve accessibility.
    • [#1542] Improve performance of Doorkeeper::AccessToken#matching_token_for using database specific SQL time math.

    [IMPORTANT]: The API of the Doorkeeper::AccessToken#matching_token_for method has changed: it now returns only active access tokens (previously it returned any token that was merely not revoked). Remember that the purpose of the reuse_access_token option is to look for an existing active token (see the configuration option description).

  • v5.5.4 Changes

    • โช [#1535] Revert changes introduced in #1528 to allow query params in redirect_uri as per the spec.
  • v5.5.3 Changes

    • [#1528] Don't allow extra query params in redirect_uri.
    • [#1525] I18n source for forbidden token error is now doorkeeper.errors.messages.forbidden_token.missing_scope.
    • 0๏ธโƒฃ [#1531] Disable strict-loading for Doorkeeper models by default.
    • ๐Ÿš… [#1532] Add support for Rails 7.
  • v5.5.2 Changes

    • 💎 [#1502] Drop support for Ruby 2.4 because of EOL.
    • 📚 [#1504] Updated the URL fragment in the comment for code documentation.
    • [#1512] Fix form behavior when response mode is form_post.
    • [#1511] Fix that authorization code is returned by fragment if response_mode is fragment.
  • v5.5.1 Changes

    • [#1496] Revoke old_refresh_token if previous_refresh_token is present.
    • [#1495] Fix respond_to undefined in API-only mode.
    • [#1488] Verify client authentication for Resource Owner Password Grant when config.skip_client_authentication_for_password_grant is set and the client credentials are sent in an HTTP Basic auth header.
  • v5.5.0 Changes

    • [#1482] Simplify TokenInfoController to be overridable (extract response rendering).
    • 🔧 [#1478] Fix ownership association and Rake tasks when custom models are configured.
    • [#1477] Respect ActiveRecord::Base.pluralize_table_names for Doorkeeper table names.
  • v5.5.0.rc2 Changes

    • [#1473] Enable Applications and AuthorizedApplications controllers in API mode.

    [IMPORTANT] You can still skip these controllers using skip_controllers in use_doorkeeper inside routes.rb. Please do so if you don't need them.

    • 🔧 [#1472] Fix establish_connection configuration for custom defined models.
    • 💎 [#1471] Add support for Ruby 3.0.
    • [#1469] Check if redirect_uri exists.
    • [#1465] Memoize nil doorkeeper_token.
    • 🚚 [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
    • [#1457] Make owner_id a bigint for newly-generated owner migrations.
    • [#1452] Empty previous_refresh_token only if present.
    • [#1440] Validate empty host in redirect_uri.
    • [#1438] Add form post response mode.
    • [#1458] Make config.skip_client_authentication_for_password_grant a long term configuration option.
  • v5.5.0.rc1 Changes

    August 04, 2020

    • [#1435] Make error response not redirectable when client is unauthorized.
    • [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
    • [#1407] Remove redundant and complex-to-support helpers from tests (should_have_json, etc.).
    • [#1416] Don't add introspection route if token introspection is completely disabled.
    • [#1410] Properly memoize current_resource_owner value (consider nil and false values).
    • [#1415] Ignore PKCE params for non-PKCE grants.
    • [#1418] Add ability to register custom OAuth Grant Flows.
    • [#1420] Require client authentication for Resource Owner Password Grant as stated in the OAuth RFC.

    [IMPORTANT] You need to create a new OAuth client (Doorkeeper::Application) if you didn't have one before, and send client credentials via HTTP Basic auth if you previously used this grant flow without client authentication. For migration purposes you can set the skip_client_authentication_for_password_grant configuration option to true, but this behavior (as well as the configuration option itself) will be completely removed in a future version of Doorkeeper. All users of your provider application now need to include client credentials when they use this grant flow.

    • 🔧 [#1421] Add Resource Owner instance to authorization hook context for the custom_access_token_expires_in configuration option to allow resource-owner-based Access Token TTL.

  • v5.4.0 Changes

    May 11, 2020
    • [#1404] Make Doorkeeper::Application#read_attribute_for_serialization public.
  • v5.4.0.rc2 Changes

    May 02, 2020

    • 🛠 [#1371] Add #as_json method and attributes serialization restriction for Application model. Fixes information disclosure vulnerability (CVE-2020-10187).

    [IMPORTANT] You need to re-implement the #as_json method for the Doorkeeper Application model if you previously used #to_json serialization with custom options or attributes, or if you rely on the JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This is a breaking change which restricts serialized attributes to a very small set of columns.
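The pattern behind the #1371 restriction, as an added illustration that is not Doorkeeper's own code: a constructed plain-Ruby stand-in for an application record is serialized first through an all-columns as_json and then through an explicit allowlist, so that a secret-bearing column never reaches the JSON response. The column names, the values and the allowlist are all constructed for this example, not Doorkeeper's schema.

```ruby
require "json"

# Constructed stand-in for an OAuth client application record (not Doorkeeper's
# real schema): the column names and values are made up for this example.
RECORD = {
  "id" => 7,
  "name" => "Mobile client",
  "uid" => "constructed-client-id",
  "secret" => "constructed-client-secret",
  "redirect_uri" => "https://client.example/callback",
  "created_at" => "2020-05-02T00:00:00Z",
}.freeze

# Serializes every column. Any secret-bearing column, and any column added to
# the table later, ends up in the JSON body: the information-disclosure pattern.
class LeakyApplication
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  def as_json(*)
    attributes
  end

  def to_json(*args)
    as_json.to_json(*args)
  end
end

# Hardened variant: serialization goes through an explicit allowlist (constructed
# here), so the JSON response cannot widen silently when the schema changes.
class SafeApplication < LeakyApplication
  SERIALIZABLE_ATTRIBUTES = %w[id name created_at].freeze

  def as_json(*)
    attributes.slice(*SERIALIZABLE_ATTRIBUTES)
  end
end

# Keys that actually reach a JSON consumer for the given model class.
def exposed_keys(app_class)
  JSON.parse(app_class.new(RECORD).to_json).keys
end

# Columns the allowlist keeps out of the response.
def leaked_by_default
  exposed_keys(LeakyApplication) - exposed_keys(SafeApplication)
end
```

The same check is worth running against your own override: diff the keys of the rendered JSON against the allowlist you intended, rather than trusting that no sensitive column is present.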

    • [#1395] Fix NameError: uninitialized constant Doorkeeper::AccessToken for Rake tasks.
    • 👍 🔧 [#1397] Add as: :doorkeeper_application on Doorkeeper application form in order to support a custom configured application model.
    • 🛠 [#1400] Correctly yield the application instance to the allow_grant_flow_for_client? config option (fixes #1398).
    • [#1402] Handle trying authorization with client credentials.