doorkeeper 5.1.0 → 5.2.0

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -7,7 +7,7 @@ module Doorkeeper
     # @see https://tools.ietf.org/html/rfc7662
     class TokenIntrospection
       attr_reader :server, :token
-      attr_reader :error
+      attr_reader :error, :invalid_request_reason
 
       def initialize(server, token)
         @server = server
@@ -25,6 +25,8 @@ module Doorkeeper
 
         if @error == :invalid_token
           OAuth::InvalidTokenResponse.from_access_token(authorized_token)
+        elsif @error == :invalid_request
+          OAuth::InvalidRequestResponse.from_request(self)
         else
           OAuth::ErrorResponse.new(name: @error)
         end
@@ -67,9 +69,10 @@ module Doorkeeper
           #  HTTP 401 code as described in Section 3 of OAuth 2.0 Bearer Token
           #  Usage [RFC6750].
           #
-          @error = :invalid_token if authorized_token_matches_introspected? || !authorized_token.accessible?
+          @error = :invalid_token unless valid_authorized_token?
         else
           @error = :invalid_request
+          @invalid_request_reason = :request_not_authorized
         end
       end
 
@@ -80,8 +83,7 @@ module Doorkeeper
 
       # Bearer Token Authentication
       def authorized_token
-        @authorized_token ||=
-          OAuth::Token.authenticate(server.context.request, :from_bearer_authorization)
+        @authorized_token ||= Doorkeeper.authenticate(server.context.request)
       end
 
       # 2.2. Introspection Response
@@ -150,7 +152,7 @@ module Doorkeeper
       #
       def active?
         if authorized_client
-          valid_token? && authorized_for_client?
+          valid_token? && token_introspection_allowed?(auth_client: authorized_client.application)
         else
           valid_token?
         end
@@ -161,19 +163,27 @@ module Doorkeeper
         @token&.accessible?
       end
 
+      def valid_authorized_token?
+        !authorized_token_matches_introspected? &&
+          authorized_token.accessible? &&
+          token_introspection_allowed?(auth_token: authorized_token)
+      end
+
       # RFC7662 Section 2.1
       def authorized_token_matches_introspected?
         authorized_token.token == @token&.token
       end
 
-      # If token doesn't belong to some client, then it is public.
-      # Otherwise in it required for token to be connected to the same client.
-      def authorized_for_client?
-        if @token.application
-          @token.application == authorized_client.application
-        else
-          true
-        end
+      # config constraints for introspection in Doorkeeper.configuration.allow_token_introspection
+      def token_introspection_allowed?(auth_client: nil, auth_token: nil)
+        allow_introspection = Doorkeeper.configuration.allow_token_introspection
+        return allow_introspection unless allow_introspection.respond_to?(:call)
+
+        allow_introspection.call(
+          @token,
+          auth_client,
+          auth_token
+        )
       end
 
       # Allows to customize introspection response.

data/lib/doorkeeper/oauth/token_request.rb

@@ -11,28 +11,14 @@ module Doorkeeper
       end
 
       def authorize
-        if pre_auth.authorizable?
-          auth = Authorization::Token.new(pre_auth, resource_owner)
-          auth.issue_token
-          @response = CodeResponse.new pre_auth,
-                                       auth,
-                                       response_on_fragment: true
-        else
-          @response = error_response
-        end
+        auth = Authorization::Token.new(pre_auth, resource_owner)
+        auth.issue_token
+        CodeResponse.new(pre_auth, auth, response_on_fragment: true)
       end
 
       def deny
         pre_auth.error = :access_denied
-        error_response
-      end
-
-      private
-
-      def error_response
-        ErrorResponse.from_request pre_auth,
-                                   redirect_uri: pre_auth.redirect_uri,
-                                   response_on_fragment: true
+        pre_auth.error_response
       end
     end
   end

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -16,7 +16,7 @@ module Doorkeeper
               :redirect_uri,
               presence: true
 
-    validates :token, uniqueness: true
+    validates :token, uniqueness: { case_sensitive: true }
 
     before_validation :generate_token, on: :create
 

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -9,8 +9,8 @@ module Doorkeeper
     belongs_to :application, class_name: "Doorkeeper::Application",
                              inverse_of: :access_tokens, optional: true
 
-    validates :token, presence: true, uniqueness: true
-    validates :refresh_token, uniqueness: true, if: :use_refresh_token?
+    validates :token, presence: true, uniqueness: { case_sensitive: true }
+    validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
 
     # @attr_writer [Boolean, nil] use_refresh_token
     #   indicates the possibility of using refresh token

data/lib/doorkeeper/orm/active_record/application.rb

@@ -10,8 +10,8 @@ module Doorkeeper
     has_many :access_tokens, dependent: :delete_all, class_name: "Doorkeeper::AccessToken"
 
     validates :name, :secret, :uid, presence: true
-    validates :uid, uniqueness: true
-    validates :redirect_uri, redirect_uri: true
+    validates :uid, uniqueness: { case_sensitive: true }
+    validates :redirect_uri, "doorkeeper/redirect_uri": true
     validates :confidential, inclusion: { in: [true, false] }
 
     validate :scopes_match_configured, if: :enforce_scopes?
@@ -60,6 +60,12 @@ module Doorkeeper
       end
     end
 
+    def to_json(options)
+      serializable_hash(except: :secret)
+        .merge(secret: plaintext_secret)
+        .to_json(options)
+    end
+
     private
 
     def generate_uid

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module Doorkeeper
+  # ActiveModel validator for redirect URI validation in according
+  # to OAuth standards and Doorkeeper configuration.
+  class RedirectUriValidator < ActiveModel::EachValidator
+    def validate_each(record, attribute, value)
+      if value.blank?
+        return if Doorkeeper.configuration.allow_blank_redirect_uri?(record)
+
+        record.errors.add(attribute, :blank)
+      else
+        value.split.each do |val|
+          next if oob_redirect_uri?(val)
+
+          uri = ::URI.parse(val)
+          record.errors.add(attribute, :forbidden_uri) if forbidden_uri?(uri)
+          record.errors.add(attribute, :fragment_present) unless uri.fragment.nil?
+          record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
+          record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
+          record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
+        end
+      end
+    rescue URI::InvalidURIError
+      record.errors.add(attribute, :invalid_uri)
+    end
+
+    private
+
+    def oob_redirect_uri?(uri)
+      Doorkeeper::OAuth::NonStandard::IETF_WG_OAUTH2_OOB_METHODS.include?(uri)
+    end
+
+    def forbidden_uri?(uri)
+      Doorkeeper.configuration.forbid_redirect_uri.call(uri)
+    end
+
+    def unspecified_scheme?(uri)
+      return true if uri.opaque.present?
+
+      %w[localhost].include?(uri.try(:scheme))
+    end
+
+    def relative_uri?(uri)
+      uri.scheme.nil? && uri.host.nil?
+    end
+
+    def invalid_ssl_uri?(uri)
+      forces_ssl = Doorkeeper.configuration.force_ssl_in_redirect_uri
+      non_https = uri.try(:scheme) == "http"
+
+      if forces_ssl.respond_to?(:call)
+        forces_ssl.call(uri) && non_https
+      else
+        forces_ssl && non_https
+      end
+    end
+  end
+end

data/lib/doorkeeper/orm/active_record.rb

@@ -2,19 +2,27 @@
 
 require "active_support/lazy_load_hooks"
 
-require "doorkeeper/orm/active_record/stale_records_cleaner"
-
 module Doorkeeper
   module Orm
+    # ActiveRecord ORM for Doorkeeper entity models.
+    # Consists of three main OAuth entities:
+    #   * Access Token
+    #   * Access Grant
+    #   * Application (client)
+    #
+    # Do a lazy loading of all the required and configured stuff.
+    #
     module ActiveRecord
       def self.initialize_models!
         lazy_load do
+          require "doorkeeper/orm/active_record/stale_records_cleaner"
+          require "doorkeeper/orm/active_record/redirect_uri_validator"
           require "doorkeeper/orm/active_record/access_grant"
           require "doorkeeper/orm/active_record/access_token"
           require "doorkeeper/orm/active_record/application"
 
           if Doorkeeper.configuration.active_record_options[:establish_connection]
-            [Doorkeeper::AccessGrant, Doorkeeper::AccessToken, Doorkeeper::Application].each do |model|
+            Doorkeeper::Orm::ActiveRecord.models.each do |model|
               options = Doorkeeper.configuration.active_record_options[:establish_connection]
               model.establish_connection(options)
             end
@@ -33,6 +41,14 @@ module Doorkeeper
       def self.lazy_load(&block)
         ActiveSupport.on_load(:active_record, {}, &block)
       end
+
+      def self.models
+        [
+          Doorkeeper::AccessGrant,
+          Doorkeeper::AccessToken,
+          Doorkeeper::Application,
+        ]
+      end
     end
   end
 end

data/lib/doorkeeper/request/authorization_code.rb

@@ -17,6 +17,8 @@ module Doorkeeper
       private
 
       def grant
+        raise Errors::MissingRequiredParameter, :code if parameters[:code].blank?
+
         AccessGrant.by_token(parameters[:code])
       end
     end

data/lib/doorkeeper/request.rb

@@ -4,30 +4,25 @@ module Doorkeeper
   module Request
     class << self
       def authorization_strategy(response_type)
-        get_strategy(response_type, authorization_response_types)
-      rescue NameError
-        raise Errors::InvalidAuthorizationStrategy
+        build_strategy_class(response_type)
       end
 
       def token_strategy(grant_type)
+        raise Errors::MissingRequiredParameter, :grant_type if grant_type.blank?
+
         get_strategy(grant_type, token_grant_types)
       rescue NameError
         raise Errors::InvalidTokenStrategy
       end
 
-      def get_strategy(grant_or_request_type, available)
-        raise Errors::MissingRequestStrategy if grant_or_request_type.blank?
-        raise NameError unless available.include?(grant_or_request_type.to_s)
+      def get_strategy(grant_type, available)
+        raise NameError unless available.include?(grant_type.to_s)
 
-        build_strategy_class(grant_or_request_type)
+        build_strategy_class(grant_type)
       end
 
       private
 
-      def authorization_response_types
-        Doorkeeper.configuration.authorization_response_types
-      end
-
       def token_grant_types
         Doorkeeper.configuration.token_grant_types
       end

data/lib/doorkeeper/server.rb

@@ -10,12 +10,12 @@ module Doorkeeper
 
     def authorization_request(strategy)
       klass = Request.authorization_strategy strategy
-      klass.new self
+      klass.new(self)
     end
 
     def token_request(strategy)
       klass = Request.token_strategy strategy
-      klass.new self
+      klass.new(self)
     end
 
     # TODO: context should be the request
@@ -27,10 +27,6 @@ module Doorkeeper
       @client ||= OAuth::Client.authenticate(credentials)
     end
 
-    def client_via_uid
-      @client_via_uid ||= OAuth::Client.find(parameters[:client_id])
-    end
-
     def current_resource_owner
       context.send :current_resource_owner
     end

data/lib/doorkeeper/stale_records_cleaner.rb

@@ -5,12 +5,16 @@ module Doorkeeper
     CLEANER_CLASS = "StaleRecordsCleaner"
 
     def self.for(base_scope)
-      orm_adapter = "doorkeeper/orm/#{Doorkeeper.configuration.orm}".classify
+      orm_adapter = "doorkeeper/orm/#{configured_orm}".classify
 
       orm_cleaner = "#{orm_adapter}::#{CLEANER_CLASS}".constantize
       orm_cleaner.new(base_scope)
     rescue NameError
-      raise Doorkeeper::Errors::NoOrmCleaner, "'#{Doorkeeper.configuration.orm}' ORM has no cleaner!"
+      raise Doorkeeper::Errors::NoOrmCleaner, "'#{configured_orm}' ORM has no cleaner!"
+    end
+
+    def self.configured_orm
+      Doorkeeper.configuration.orm
     end
 
     def self.new(base_scope)

data/lib/doorkeeper/version.rb

@@ -8,7 +8,7 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 1
+    MINOR = 2
     TINY = 0
     PRE = nil
 

data/lib/doorkeeper.rb

@@ -52,6 +52,8 @@ require "doorkeeper/oauth/token"
 require "doorkeeper/oauth/token_introspection"
 require "doorkeeper/oauth/invalid_token_response"
 require "doorkeeper/oauth/forbidden_token_response"
+require "doorkeeper/oauth/invalid_request_response"
+require "doorkeeper/oauth/nonstandard"
 
 require "doorkeeper/secret_storing/base"
 require "doorkeeper/secret_storing/plain"
@@ -80,6 +82,8 @@ require "doorkeeper/stale_records_cleaner"
 
 require "doorkeeper/orm/active_record"
 
+# Main Doorkeeper namespace.
+#
 module Doorkeeper
   def self.authenticate(request, methods = Doorkeeper.configuration.access_token_methods)
     OAuth::Token.authenticate(request, *methods)

data/lib/generators/doorkeeper/previous_refresh_token_generator.rb

@@ -17,12 +17,12 @@ module Doorkeeper
     end
 
     def previous_refresh_token
-      if no_previous_refresh_token_column?
-        migration_template(
-          "add_previous_refresh_token_to_access_tokens.rb.erb",
-          "db/migrate/add_previous_refresh_token_to_access_tokens.rb"
-        )
-      end
+      return unless no_previous_refresh_token_column?
+
+      migration_template(
+        "add_previous_refresh_token_to_access_tokens.rb.erb",
+        "db/migrate/add_previous_refresh_token_to_access_tokens.rb"
+      )
     end
 
     private

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 Doorkeeper.configure do
-  # Change the ORM that doorkeeper will use (needs plugins)
+  # Change the ORM that doorkeeper will use (requires ORM extensions installed).
+  # Check the list of supported ORMs here: https://github.com/doorkeeper-gem/doorkeeper#orms
   orm :active_record
 
   # This block will be called to check whether the resource owner is authenticated or not.
@@ -9,7 +10,7 @@ Doorkeeper.configure do
     raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
     # Put your resource owner authentication logic here.
     # Example implementation:
-    #   User.find_by_id(session[:user_id]) || redirect_to(new_user_session_url)
+    #   User.find_by(id: session[:user_id]) || redirect_to(new_user_session_url)
   end
 
   # If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
@@ -39,18 +40,18 @@ Doorkeeper.configure do
   #
   # enforce_content_type
 
-  # Authorization Code expiration time (default 10 minutes).
+  # Authorization Code expiration time (default: 10 minutes).
   #
   # authorization_code_expires_in 10.minutes
 
-  # Access token expiration time (default 2 hours).
-  # If you want to disable expiration, set this to nil.
+  # Access token expiration time (default: 2 hours).
+  # If you want to disable expiration, set this to `nil`.
   #
   # access_token_expires_in 2.hours
 
   # Assign custom TTL for access tokens. Will be used instead of access_token_expires_in
   # option if defined. In case the block returns `nil` value Doorkeeper fallbacks to
-  # `access_token_expires_in` configuration option value. If you really need to issue a
+  # +access_token_expires_in+ configuration option value. If you really need to issue a
   # non-expiring access token (which is not recommended) then you need to return
   # Float::INFINITY from this block.
   #
@@ -65,12 +66,13 @@ Doorkeeper.configure do
   # end
 
   # Use a custom class for generating the access token.
-  # See https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+  # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-access-token-generator
   #
   # access_token_generator '::Doorkeeper::JWT'
 
-  # The controller Doorkeeper::ApplicationController inherits from.
-  # Defaults to ActionController::Base.
+  # The controller +Doorkeeper::ApplicationController+ inherits from.
+  # Defaults to +ActionController::Base+ unless +api_only+ is set, which changes the default to
+  # +ActionController::API+. The return value of this option must be a stringified class name.
   # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller
   #
   # base_controller 'ApplicationController'
@@ -128,11 +130,10 @@ Doorkeeper.configure do
   #
   # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt'
 
-  # When the above option is enabled,
-  # and a hashed token or secret is not found,
-  # you can allow to fall back to another strategy.
-  # For users upgrading doorkeeper and wishing to enable hashing,
-  # you will probably want to enable the fallback to plain tokens.
+  # When the above option is enabled, and a hashed token or secret is not found,
+  # you can allow to fall back to another strategy. For users upgrading
+  # doorkeeper and wishing to enable hashing, you will probably want to enable
+  # the fallback to plain tokens.
   #
   # This will ensure that old access tokens and secrets
   # will remain valid even if the hashing above is enabled.
@@ -141,8 +142,8 @@ Doorkeeper.configure do
 
   # Issue access tokens with refresh token (disabled by default), you may also
   # pass a block which accepts `context` to customize when to give a refresh
-  # token or not. Similar to `custom_access_token_expires_in`, `context` has
-  # the properties:
+  # token or not. Similar to +custom_access_token_expires_in+, `context` has
+  # the following properties:
   #
   # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
   # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
@@ -151,7 +152,7 @@ Doorkeeper.configure do
   # use_refresh_token
 
   # Provide support for an owner to be assigned to each registered application (disabled by default)
-  # Optional parameter confirmation: true (default false) if you want to enforce ownership of
+  # Optional parameter confirmation: true (default: false) if you want to enforce ownership of
   # a registered application
   # NOTE: you must also run the rails g doorkeeper:application_owner generator
   # to provide the necessary support
@@ -160,22 +161,22 @@ Doorkeeper.configure do
 
   # Define access token scopes for your provider
   # For more information go to
-  # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
+  # https://doorkeeper.gitbook.io/guides/ruby-on-rails/scopes
   #
   # default_scopes  :public
   # optional_scopes :write, :update
 
-  # Define scopes_by_grant_type to restrict only certain scopes for grant_type
+  # Allows to restrict only certain scopes for grant_type.
   # By default, all the scopes will be available for all the grant types.
   #
   # Keys to this hash should be the name of grant_type and
   # values should be the array of scopes for that grant type.
-  # Note: scopes should be from configured_scopes(i.e. deafult or optional)
+  # Note: scopes should be from configured_scopes (i.e. default or optional)
   #
   # scopes_by_grant_type password: [:write], client_credentials: [:update]
 
   # Forbids creating/updating applications with arbitrary scopes that are
-  # not in configuration, i.e. `default_scopes` or `optional_scopes`.
+  # not in configuration, i.e. +default_scopes+ or +optional_scopes+.
   # (disabled by default)
   #
   # enforce_configured_scopes
@@ -196,15 +197,6 @@ Doorkeeper.configure do
   #
   # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
 
-  # Change the native redirect uri for client apps
-  # When clients register with the following redirect uri, they won't be redirected to
-  # any server and the authorizationcode will be displayed within the provider
-  # The value can be any string. Use nil to disable this feature. When disabled, clients
-  # must providea valid URL
-  # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
-  #
-  # native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
-
   # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
   # by default in non-development environments). OAuth2 delegates security in
   # communication to the HTTPS protocol so it is wise to keep this enabled.
@@ -246,7 +238,7 @@ Doorkeeper.configure do
   # is invalid, expired, revoked or has invalid scopes.
   #
   # If you want to render error response yourself (i.e. rescue exceptions),
-  # set  handle_auth_errors to `:raise` and rescue Doorkeeper::Errors::InvalidToken
+  # set +handle_auth_errors+ to `:raise` and rescue Doorkeeper::Errors::InvalidToken
   # or following specific errors:
   #
   #   Doorkeeper::Errors::TokenForbidden, Doorkeeper::Errors::TokenExpired,
@@ -290,6 +282,37 @@ Doorkeeper.configure do
   #
   # grant_flows %w[authorization_code client_credentials]
 
+  # Allows to customize OAuth grant flows that +each+ application support.
+  # You can configure a custom block (or use a class respond to `#call`) that must
+  # return `true` in case Application instance supports requested OAuth grant flow
+  # during the authorization request to the server. This configuration +doesn't+
+  # set flows per application, it only allows to check if application supports
+  # specific grant flow.
+  #
+  # For example you can add an additional database column to `oauth_applications` table,
+  # say `t.array :grant_flows, default: []`, and store allowed grant flows that can
+  # be used with this application there. Then when authorization requested Doorkeeper
+  # will call this block to check if specific Application (passed with client_id and/or
+  # client_secret) is allowed to perform the request for the specific grant type
+  # (authorization, password, client_credentials, etc).
+  #
+  # Example of the block:
+  #
+  #   ->(flow, client) { client.grant_flows.include?(flow) }
+  #
+  # In case this option invocation result is `false`, Doorkeeper server returns
+  # :unauthorized_client error and stops the request.
+  #
+  # @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
+  # @return [Boolean] `true` if allow or `false` if forbid the request
+  #
+  # allow_grant_flow_for_client do |grant_flow, client|
+  #   # `grant_flows` is an Array column with grant
+  #   # flows that application supports
+  #
+  #   client.grant_flows.include?(grant_flow)
+  # end
+
   # Hook into the strategies' request & response life-cycle in case your
   # application needs advanced customization or logging:
   #
@@ -305,7 +328,7 @@ Doorkeeper.configure do
   # or add any other functionality.
   #
   # before_successful_authorization do |controller|
-  #   Rails.logger.info(params.inspect)
+  #   Rails.logger.info(controller.request.params.inspect)
   # end
   #
   # after_successful_authorization do |controller|
@@ -323,7 +346,61 @@ Doorkeeper.configure do
   #   client.superapp? or resource_owner.admin?
   # end
 
-  # WWW-Authenticate Realm (default "Doorkeeper").
+  # Configure custom constraints for the Token Introspection request.
+  # By default this configuration option allows to introspect a token by another
+  # token of the same application, OR to introspect the token that belongs to
+  # authorized client (from authenticated client) OR when token doesn't
+  # belong to any client (public token). Otherwise requester has no access to the
+  # introspection and it will return response as stated in the RFC.
+  #
+  # Block arguments:
+  #
+  # @param token [Doorkeeper::AccessToken]
+  #   token to be introspected
+  #
+  # @param authorized_client [Doorkeeper::Application]
+  #   authorized client (if request is authorized using Basic auth with
+  #   Client Credentials for example)
+  #
+  # @param authorized_token [Doorkeeper::AccessToken]
+  #   Bearer token used to authorize the request
+  #
+  # In case the block returns `nil` or `false` introspection responses with 401 status code
+  # when using authorized token to introspect, or you'll get 200 with { "active": false } body
+  # when using authorized client to introspect as stated in the
+  # RFC 7662 section 2.2. Introspection Response.
+  #
+  # Using with caution:
+  # Keep in mind that these three parameters pass to block can be nil as following case:
+  #  `authorized_client` is nil if and only if `authorized_token` is present, and vice versa.
+  #  `token` will be nil if and only if `authorized_token` is present.
+  # So remember to use `&` or check if it is present before calling method on
+  # them to make sure you doesn't get NoMethodError exception.
+  #
+  # You can define your custom check:
+  #
+  # allow_token_introspection do |token, authorized_client, authorized_token|
+  #   if authorized_token
+  #     # customize: require `introspection` scope
+  #     authorized_token.application == token&.application ||
+  #       authorized_token.scopes.include?("introspection")
+  #   elsif token.application
+  #     # `protected_resource` is a new database boolean column, for example
+  #     authorized_client == token.application || authorized_client.protected_resource?
+  #   else
+  #     # public token (when token.application is nil, token doesn't belong to any application)
+  #     true
+  #   end
+  # end
+  #
+  # Or you can completely disable any token introspection:
+  #
+  # allow_token_introspection false
+  #
+  # If you need to block the request at all, then configure your routes.rb or web-server
+  # like nginx to forbid the request.
+
+  # WWW-Authenticate Realm (default: "Doorkeeper").
   #
   # realm "Doorkeeper"
 end