Changelog History

  • v5.5.0.rc1

    August 04, 2020

    [#1435] Make error response not redirectable when client is unauthorized

    [#1426] Ensure ActiveRecord callbacks are executed on token revocation.

    [#1407] Remove redundant and complex-to-support helpers from tests (should_have_json, etc.).

    [#1416] Don't add introspection route if token introspection completely disabled.

    [#1410] Properly memoize current_resource_owner value (consider nil and false values).

    [#1415] Ignore PKCE params for non-PKCE grants.

    [#1418] Add ability to register custom OAuth Grant Flows.

    [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.

    [IMPORTANT] you need to create a new OAuth client (Doorkeeper::Application) if you didn't
    have one before, and use client credentials in HTTP Basic auth if you previously used this grant
    flow without client authentication. For migration purposes you could set the
    skip_client_authentication_for_password_grant configuration option to true, but such behavior
    (as well as the configuration option) will be completely removed in a future version of Doorkeeper.
    All the users of your provider application now need to include client credentials when they use
    this grant flow.

    [#1421] Add Resource Owner instance to the authorization hook context for the custom_access_token_expires_in
    configuration option to allow resource-owner-based Access Token TTL.

  • v5.4.0

    May 11, 2020
    • [#1404] Make Doorkeeper::Application#read_attribute_for_serialization public.
  • v5.4.0.rc2

    May 02, 2020

    [#1371] Add #as_json method and attributes serialization restriction for Application model.
    Fixes information disclosure vulnerability (CVE-2020-10187).

    [IMPORTANT] you need to re-implement the #as_json method for the Doorkeeper Application model
    if you previously used #to_json serialization with custom options or attributes, or rely on the
    JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This is a
    breaking change that restricts serialized attributes to a very small set of columns.

    [#1395] Fix NameError: uninitialized constant Doorkeeper::AccessToken for Rake tasks.

    [#1397] Add as: :doorkeeper_application on the Doorkeeper application form in order to support
    a custom configured application model.

    [#1400] Correctly yield the application instance to the allow_grant_flow_for_client? config
    option (fixes #1398).

    [#1402] Handle trying authorization with client credentials.
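The attribute restriction behind #1371, shown as an added plain-Ruby example that is not Doorkeeper's own code: a stand-in application record whose unrestricted serialization dumps every column (the information-disclosure shape), beside an as_json that only ever emits a whitelisted set of columns and lets callers narrow, never widen, that set. The model class, the whitelist and the sample record are assumptions made for the example.

```ruby
require "json"

# Constructed stand-in for an ActiveRecord-backed OAuth application record;
# not a Doorkeeper class. `attributes` mimics ActiveRecord#attributes.
class OAuthApplication
  # Columns safe to expose over JSON (assumed whitelist for this example).
  SERIALIZABLE_ATTRIBUTES = %w[id name created_at updated_at].freeze

  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  # The pre-fix shape: every column, client secret included, ends up in the API
  # response. Kept only to show what the restricted form prevents.
  def unrestricted_json
    attributes.to_json
  end

  # Restricted form: start from the whitelist and let `only:` narrow it further;
  # a caller can never widen the set back to secret-bearing columns.
  def as_json(options = {})
    allowed = SERIALIZABLE_ATTRIBUTES
    allowed &= Array(options[:only]).map(&:to_s) if options[:only]
    attributes.slice(*allowed)
  end

  # Plain Ruby has no ActiveSupport, so route to_json through as_json by hand
  # (ActiveSupport does this for you in a Rails app).
  def to_json(*args)
    as_json.to_json(*args)
  end
end

# Constructed sample record; the secret is sample data that must never be emitted.
SAMPLE_APP = OAuthApplication.new(
  "id" => 7, "name" => "Demo Client", "uid" => "client-uid-sample",
  "secret" => "client-secret-sample", "redirect_uri" => "https://example.test/cb",
  "owner_id" => 42, "created_at" => "2020-05-02", "updated_at" => "2020-05-02"
)

# Sensitive columns present in the given JSON output, sorted for stable checks.
def leaked_keys(json)
  (JSON.parse(json).keys & %w[secret uid owner_id]).sort
end
```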

  • v5.4.0.rc1

    April 08, 2020

    [#1366] Set the expiry of a token generated using refresh_token to that of the original token (fixes #1364).

    [#1354] Add authorize_resource_owner_for_client option to authorize the calling user to access an application.

    [#1355] Allow enabling a polymorphic Resource Owner association for the Access Token and Grant
    models (use_polymorphic_resource_owner configuration option).

    [IMPORTANT] Review your custom patches or extensions for Doorkeeper internals if you
    have any, since Doorkeeper now passes the Resource Owner instance to every object and not
    just its ID. See the PR description for details.

    [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.

    [#1357] Fix Doorkeeper::OAuth::PreAuthorization#as_json method causing
    Stack level too deep error with AMS (fix #1312).

    [#1358] Deprecate active_record_options configuration option.

    [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
    in external extensions.

    [#1360] Increase matching_token_for lookup size to 10 000 and make it configurable.

    [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.

    [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).

    [IMPORTANT] Now, fully in accordance with RFC 7009, nobody can make a revocation request without client_id
    (for public clients) and client_secret (for confidential clients). Please update your apps to include that
    info in the revocation request payload.

    [#1373] Make Doorkeeper routes mapper reusable in extensions.

    [#1374] Revoke and issue client credentials token in a transaction with a row lock.

    [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.

    [#1387] Add AccessToken#create_for and use in RefreshTokenRequest.

    [#1392] Fix enable_polymorphic_resource_owner migration template to have proper index name.

    [#1393] Improve Applications #show page with more informative data on client secret and scopes.

    [#1394] Use Ruby autoload feature to load Doorkeeper files.
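The client authentication that #1420 (password grant, v5.5.0.rc1) and #1370 (revocation, this release) both require, as an added plain-Ruby example that is not Doorkeeper's own code: one check shared by the token and revocation endpoints, where public clients need a known client_id and confidential clients must also present their secret over HTTP Basic. The client registry, the sample credentials and the function names are assumptions; the keyword argument only stands in for the deprecated skip_client_authentication_for_password_grant migration switch.

```ruby
require "base64"

# Constructed registry standing in for Doorkeeper::Application records (sample
# values only). A nil secret marks a public client; a string marks a confidential one.
CLIENTS = { "web-app-uid" => "web-app-secret-sample", "mobile-uid" => nil }.freeze

# Parses an HTTP Basic Authorization header into [client_id, client_secret],
# or nil when the header is absent or malformed.
def basic_credentials(headers)
  value = headers["Authorization"].to_s
  return nil unless value.start_with?("Basic ")
  id, secret = Base64.strict_decode64(value[6..-1]).split(":", 2)
  id.nil? || id.empty? || secret.nil? ? nil : [id, secret]
rescue ArgumentError
  nil
end

# Constant-time comparison so a wrong secret is not distinguishable by timing.
def secret_matches?(expected, given)
  return false unless expected && given && expected.bytesize == given.bytesize
  expected.bytes.zip(given.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Authenticates the calling client: public clients only need a known client_id
# (Basic header or client_id param); confidential clients must also present
# their secret. Returns :ok or :invalid_client.
def authenticate_client(headers, params)
  id, secret = basic_credentials(headers) || [params["client_id"], nil]
  return :invalid_client if id.nil? || !CLIENTS.key?(id)
  expected = CLIENTS[id]
  return :ok if expected.nil?
  secret_matches?(expected, secret) ? :ok : :invalid_client
end

# Token endpoint, password grant: client authentication is now required. The
# keyword stands in for the deprecated skip_client_authentication_for_password_grant
# migration switch and only admits requests that carry no client credentials at all.
def authorize_password_grant(headers, params, skip_client_authentication: false)
  return :invalid_request unless params["grant_type"] == "password"
  return :ok if skip_client_authentication && basic_credentials(headers).nil?
  authenticate_client(headers, params)
end

# Revocation endpoint (RFC 7009): the same client authentication applies, so an
# unauthenticated caller cannot revoke someone else's token.
def authorize_revocation(headers, params)
  return :invalid_request if params["token"].to_s.empty?
  authenticate_client(headers, params)
end
```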

  • v5.3.3

    May 07, 2020
    • [#1404] Backport: Make Doorkeeper::Application#read_attribute_for_serialization public.
  • v5.3.2

    May 02, 2020
    • [#1371] Backport: Add #as_json method and attributes serialization restriction for Application model.
      Fixes information disclosure vulnerability (CVE-2020-10187).
  • v5.3.1

    February 09, 2020
    • [#1360] Backport: Increase matching_token_for batch lookup size to 10 000 and make it configurable.
  • v5.3.0

    January 29, 2020

    [#1339] Validate Resource Owner in PasswordAccessTokenRequest against nil and false values.

    [#1341] Fix refresh_token_revoked_on_use with hash_token_secrets enabled.

    [#1343] Fix ruby 2.7 kwargs warning in InvalidTokenResponse.

    [#1345] Allow setting custom classes for Doorkeeper models; extract reusable AR mixins.

    [#1346] Refactor Doorkeeper::Application#to_json into convenient #as_json (fix #1344).

    [#1349] Fix Doorkeeper::Application AR associations using an incorrect foreign key name when using a custom class.

    [#1318] Make existing token revocation for client credentials optional and disable it by default.

    [IMPORTANT] This is a change compared to the behaviour of version 5.2. If you were relying on access tokens being revoked once the same client requested a new access token, re-enable it with revoke_previous_client_credentials_token in the Doorkeeper initialization file.

  • v5.2.6

    May 07, 2020
    • [#1404] Backport: Make Doorkeeper::Application#read_attribute_for_serialization public.
  • v5.2.5

    May 02, 2020
    • [#1371] Backport: Add #as_json method and attributes serialization restriction for Application model.
      Fixes information disclosure vulnerability (CVE-2020-10187).