doorkeeper 5.1.0 → 5.5.1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of doorkeeper might be problematic. Click here for more details.

Files changed (265) hide show
  1. checksums.yaml +4 -4
  2. data/{NEWS.md → CHANGELOG.md} +242 -25
  3. data/README.md +21 -11
  4. data/app/controllers/doorkeeper/application_controller.rb +3 -2
  5. data/app/controllers/doorkeeper/application_metal_controller.rb +3 -2
  6. data/app/controllers/doorkeeper/applications_controller.rb +8 -7
  7. data/app/controllers/doorkeeper/authorizations_controller.rb +56 -19
  8. data/app/controllers/doorkeeper/authorized_applications_controller.rb +6 -6
  9. data/app/controllers/doorkeeper/token_info_controller.rb +12 -2
  10. data/app/controllers/doorkeeper/tokens_controller.rb +93 -25
  11. data/app/views/doorkeeper/applications/_form.html.erb +1 -7
  12. data/app/views/doorkeeper/applications/show.html.erb +35 -14
  13. data/app/views/doorkeeper/authorizations/form_post.html.erb +11 -0
  14. data/config/locales/en.yml +13 -3
  15. data/lib/doorkeeper/config/abstract_builder.rb +28 -0
  16. data/lib/doorkeeper/config/option.rb +20 -2
  17. data/lib/doorkeeper/config/validations.rb +53 -0
  18. data/lib/doorkeeper/config.rb +295 -121
  19. data/lib/doorkeeper/engine.rb +1 -1
  20. data/lib/doorkeeper/errors.rb +13 -18
  21. data/lib/doorkeeper/grant_flow/fallback_flow.rb +15 -0
  22. data/lib/doorkeeper/grant_flow/flow.rb +44 -0
  23. data/lib/doorkeeper/grant_flow/registry.rb +50 -0
  24. data/lib/doorkeeper/grant_flow.rb +45 -0
  25. data/lib/doorkeeper/grape/helpers.rb +7 -3
  26. data/lib/doorkeeper/helpers/controller.rb +36 -11
  27. data/lib/doorkeeper/models/access_grant_mixin.rb +22 -18
  28. data/lib/doorkeeper/models/access_token_mixin.rb +194 -51
  29. data/lib/doorkeeper/models/application_mixin.rb +8 -7
  30. data/lib/doorkeeper/models/concerns/ownership.rb +1 -1
  31. data/lib/doorkeeper/models/concerns/resource_ownerable.rb +47 -0
  32. data/lib/doorkeeper/models/concerns/reusable.rb +1 -1
  33. data/lib/doorkeeper/models/concerns/revocable.rb +1 -28
  34. data/lib/doorkeeper/models/concerns/scopes.rb +5 -1
  35. data/lib/doorkeeper/models/concerns/secret_storable.rb +1 -3
  36. data/lib/doorkeeper/oauth/authorization/code.rb +25 -14
  37. data/lib/doorkeeper/oauth/authorization/context.rb +5 -5
  38. data/lib/doorkeeper/oauth/authorization/token.rb +24 -19
  39. data/lib/doorkeeper/oauth/authorization/uri_builder.rb +4 -4
  40. data/lib/doorkeeper/oauth/authorization_code_request.rb +40 -21
  41. data/lib/doorkeeper/oauth/base_request.rb +21 -23
  42. data/lib/doorkeeper/oauth/client/credentials.rb +2 -4
  43. data/lib/doorkeeper/oauth/client.rb +8 -9
  44. data/lib/doorkeeper/oauth/client_credentials/creator.rb +45 -5
  45. data/lib/doorkeeper/oauth/client_credentials/issuer.rb +10 -8
  46. data/lib/doorkeeper/oauth/client_credentials/{validation.rb → validator.rb} +13 -3
  47. data/lib/doorkeeper/oauth/client_credentials_request.rb +8 -7
  48. data/lib/doorkeeper/oauth/code_request.rb +6 -12
  49. data/lib/doorkeeper/oauth/code_response.rb +24 -14
  50. data/lib/doorkeeper/oauth/error.rb +1 -1
  51. data/lib/doorkeeper/oauth/error_response.rb +10 -11
  52. data/lib/doorkeeper/oauth/helpers/scope_checker.rb +8 -12
  53. data/lib/doorkeeper/oauth/helpers/unique_token.rb +8 -5
  54. data/lib/doorkeeper/oauth/helpers/uri_checker.rb +19 -5
  55. data/lib/doorkeeper/oauth/hooks/context.rb +21 -0
  56. data/lib/doorkeeper/oauth/invalid_request_response.rb +43 -0
  57. data/lib/doorkeeper/oauth/invalid_token_response.rb +7 -4
  58. data/lib/doorkeeper/oauth/nonstandard.rb +39 -0
  59. data/lib/doorkeeper/oauth/password_access_token_request.rb +34 -11
  60. data/lib/doorkeeper/oauth/pre_authorization.rb +111 -42
  61. data/lib/doorkeeper/oauth/refresh_token_request.rb +45 -33
  62. data/lib/doorkeeper/oauth/token.rb +6 -7
  63. data/lib/doorkeeper/oauth/token_introspection.rb +24 -18
  64. data/lib/doorkeeper/oauth/token_request.rb +6 -20
  65. data/lib/doorkeeper/oauth/token_response.rb +1 -1
  66. data/lib/doorkeeper/orm/active_record/access_grant.rb +4 -43
  67. data/lib/doorkeeper/orm/active_record/access_token.rb +4 -35
  68. data/lib/doorkeeper/orm/active_record/application.rb +5 -83
  69. data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +68 -0
  70. data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +59 -0
  71. data/lib/doorkeeper/orm/active_record/mixins/application.rb +198 -0
  72. data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb +66 -0
  73. data/lib/doorkeeper/orm/active_record.rb +20 -6
  74. data/lib/doorkeeper/rails/helpers.rb +4 -4
  75. data/lib/doorkeeper/rails/routes/abstract_router.rb +35 -0
  76. data/lib/doorkeeper/rails/routes/mapper.rb +2 -2
  77. data/lib/doorkeeper/rails/routes/registry.rb +45 -0
  78. data/lib/doorkeeper/rails/routes.rb +17 -25
  79. data/lib/doorkeeper/rake/db.rake +6 -6
  80. data/lib/doorkeeper/rake/setup.rake +5 -0
  81. data/lib/doorkeeper/request/authorization_code.rb +5 -3
  82. data/lib/doorkeeper/request/client_credentials.rb +2 -2
  83. data/lib/doorkeeper/request/password.rb +3 -2
  84. data/lib/doorkeeper/request/refresh_token.rb +5 -4
  85. data/lib/doorkeeper/request/strategy.rb +2 -2
  86. data/lib/doorkeeper/request.rb +49 -17
  87. data/lib/doorkeeper/server.rb +7 -11
  88. data/lib/doorkeeper/stale_records_cleaner.rb +6 -2
  89. data/lib/doorkeeper/version.rb +2 -6
  90. data/lib/doorkeeper.rb +114 -79
  91. data/lib/generators/doorkeeper/application_owner_generator.rb +1 -1
  92. data/lib/generators/doorkeeper/confidential_applications_generator.rb +2 -2
  93. data/lib/generators/doorkeeper/enable_polymorphic_resource_owner_generator.rb +39 -0
  94. data/lib/generators/doorkeeper/migration_generator.rb +1 -1
  95. data/lib/generators/doorkeeper/pkce_generator.rb +1 -1
  96. data/lib/generators/doorkeeper/previous_refresh_token_generator.rb +7 -7
  97. data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb +3 -1
  98. data/lib/generators/doorkeeper/templates/add_previous_refresh_token_to_access_tokens.rb.erb +2 -0
  99. data/lib/generators/doorkeeper/templates/enable_pkce_migration.rb.erb +2 -0
  100. data/lib/generators/doorkeeper/templates/enable_polymorphic_resource_owner_migration.rb.erb +17 -0
  101. data/lib/generators/doorkeeper/templates/initializer.rb +205 -43
  102. data/lib/generators/doorkeeper/templates/migration.rb.erb +18 -6
  103. metadata +45 -312
  104. data/.coveralls.yml +0 -1
  105. data/.github/ISSUE_TEMPLATE.md +0 -25
  106. data/.github/PULL_REQUEST_TEMPLATE.md +0 -17
  107. data/.gitignore +0 -20
  108. data/.gitlab-ci.yml +0 -16
  109. data/.hound.yml +0 -3
  110. data/.rspec +0 -1
  111. data/.rubocop.yml +0 -50
  112. data/.travis.yml +0 -35
  113. data/Appraisals +0 -40
  114. data/CODE_OF_CONDUCT.md +0 -46
  115. data/CONTRIBUTING.md +0 -47
  116. data/Dangerfile +0 -67
  117. data/Gemfile +0 -24
  118. data/RELEASING.md +0 -10
  119. data/Rakefile +0 -28
  120. data/SECURITY.md +0 -15
  121. data/UPGRADE.md +0 -2
  122. data/app/validators/redirect_uri_validator.rb +0 -50
  123. data/bin/console +0 -16
  124. data/doorkeeper.gemspec +0 -34
  125. data/gemfiles/rails_5_0.gemfile +0 -17
  126. data/gemfiles/rails_5_1.gemfile +0 -17
  127. data/gemfiles/rails_5_2.gemfile +0 -17
  128. data/gemfiles/rails_6_0.gemfile +0 -17
  129. data/gemfiles/rails_master.gemfile +0 -17
  130. data/spec/controllers/application_metal_controller_spec.rb +0 -64
  131. data/spec/controllers/applications_controller_spec.rb +0 -180
  132. data/spec/controllers/authorizations_controller_spec.rb +0 -527
  133. data/spec/controllers/protected_resources_controller_spec.rb +0 -353
  134. data/spec/controllers/token_info_controller_spec.rb +0 -50
  135. data/spec/controllers/tokens_controller_spec.rb +0 -330
  136. data/spec/dummy/Rakefile +0 -9
  137. data/spec/dummy/app/assets/config/manifest.js +0 -2
  138. data/spec/dummy/app/controllers/application_controller.rb +0 -5
  139. data/spec/dummy/app/controllers/custom_authorizations_controller.rb +0 -9
  140. data/spec/dummy/app/controllers/full_protected_resources_controller.rb +0 -14
  141. data/spec/dummy/app/controllers/home_controller.rb +0 -18
  142. data/spec/dummy/app/controllers/metal_controller.rb +0 -13
  143. data/spec/dummy/app/controllers/semi_protected_resources_controller.rb +0 -13
  144. data/spec/dummy/app/helpers/application_helper.rb +0 -7
  145. data/spec/dummy/app/models/user.rb +0 -7
  146. data/spec/dummy/app/views/home/index.html.erb +0 -0
  147. data/spec/dummy/app/views/layouts/application.html.erb +0 -14
  148. data/spec/dummy/config/application.rb +0 -47
  149. data/spec/dummy/config/boot.rb +0 -7
  150. data/spec/dummy/config/database.yml +0 -15
  151. data/spec/dummy/config/environment.rb +0 -5
  152. data/spec/dummy/config/environments/development.rb +0 -31
  153. data/spec/dummy/config/environments/production.rb +0 -64
  154. data/spec/dummy/config/environments/test.rb +0 -45
  155. data/spec/dummy/config/initializers/backtrace_silencers.rb +0 -9
  156. data/spec/dummy/config/initializers/doorkeeper.rb +0 -121
  157. data/spec/dummy/config/initializers/secret_token.rb +0 -10
  158. data/spec/dummy/config/initializers/session_store.rb +0 -10
  159. data/spec/dummy/config/initializers/wrap_parameters.rb +0 -16
  160. data/spec/dummy/config/locales/doorkeeper.en.yml +0 -5
  161. data/spec/dummy/config/routes.rb +0 -13
  162. data/spec/dummy/config.ru +0 -6
  163. data/spec/dummy/db/migrate/20111122132257_create_users.rb +0 -11
  164. data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb +0 -7
  165. data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb +0 -69
  166. data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb +0 -9
  167. data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb +0 -13
  168. data/spec/dummy/db/migrate/20170822064514_enable_pkce.rb +0 -8
  169. data/spec/dummy/db/migrate/20180210183654_add_confidential_to_applications.rb +0 -13
  170. data/spec/dummy/db/schema.rb +0 -68
  171. data/spec/dummy/public/404.html +0 -26
  172. data/spec/dummy/public/422.html +0 -26
  173. data/spec/dummy/public/500.html +0 -26
  174. data/spec/dummy/public/favicon.ico +0 -0
  175. data/spec/dummy/script/rails +0 -9
  176. data/spec/factories.rb +0 -30
  177. data/spec/generators/application_owner_generator_spec.rb +0 -28
  178. data/spec/generators/confidential_applications_generator_spec.rb +0 -29
  179. data/spec/generators/install_generator_spec.rb +0 -36
  180. data/spec/generators/migration_generator_spec.rb +0 -28
  181. data/spec/generators/pkce_generator_spec.rb +0 -28
  182. data/spec/generators/previous_refresh_token_generator_spec.rb +0 -44
  183. data/spec/generators/templates/routes.rb +0 -4
  184. data/spec/generators/views_generator_spec.rb +0 -29
  185. data/spec/grape/grape_integration_spec.rb +0 -137
  186. data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +0 -26
  187. data/spec/lib/config_spec.rb +0 -697
  188. data/spec/lib/doorkeeper_spec.rb +0 -27
  189. data/spec/lib/models/expirable_spec.rb +0 -61
  190. data/spec/lib/models/reusable_spec.rb +0 -40
  191. data/spec/lib/models/revocable_spec.rb +0 -59
  192. data/spec/lib/models/scopes_spec.rb +0 -53
  193. data/spec/lib/models/secret_storable_spec.rb +0 -135
  194. data/spec/lib/oauth/authorization/uri_builder_spec.rb +0 -39
  195. data/spec/lib/oauth/authorization_code_request_spec.rb +0 -156
  196. data/spec/lib/oauth/base_request_spec.rb +0 -205
  197. data/spec/lib/oauth/base_response_spec.rb +0 -47
  198. data/spec/lib/oauth/client/credentials_spec.rb +0 -90
  199. data/spec/lib/oauth/client_credentials/creator_spec.rb +0 -94
  200. data/spec/lib/oauth/client_credentials/issuer_spec.rb +0 -112
  201. data/spec/lib/oauth/client_credentials/validation_spec.rb +0 -59
  202. data/spec/lib/oauth/client_credentials_integration_spec.rb +0 -29
  203. data/spec/lib/oauth/client_credentials_request_spec.rb +0 -109
  204. data/spec/lib/oauth/client_spec.rb +0 -38
  205. data/spec/lib/oauth/code_request_spec.rb +0 -47
  206. data/spec/lib/oauth/code_response_spec.rb +0 -36
  207. data/spec/lib/oauth/error_response_spec.rb +0 -66
  208. data/spec/lib/oauth/error_spec.rb +0 -23
  209. data/spec/lib/oauth/forbidden_token_response_spec.rb +0 -22
  210. data/spec/lib/oauth/helpers/scope_checker_spec.rb +0 -98
  211. data/spec/lib/oauth/helpers/unique_token_spec.rb +0 -21
  212. data/spec/lib/oauth/helpers/uri_checker_spec.rb +0 -247
  213. data/spec/lib/oauth/invalid_token_response_spec.rb +0 -55
  214. data/spec/lib/oauth/password_access_token_request_spec.rb +0 -192
  215. data/spec/lib/oauth/pre_authorization_spec.rb +0 -215
  216. data/spec/lib/oauth/refresh_token_request_spec.rb +0 -177
  217. data/spec/lib/oauth/scopes_spec.rb +0 -148
  218. data/spec/lib/oauth/token_request_spec.rb +0 -150
  219. data/spec/lib/oauth/token_response_spec.rb +0 -86
  220. data/spec/lib/oauth/token_spec.rb +0 -158
  221. data/spec/lib/request/strategy_spec.rb +0 -54
  222. data/spec/lib/secret_storing/base_spec.rb +0 -60
  223. data/spec/lib/secret_storing/bcrypt_spec.rb +0 -49
  224. data/spec/lib/secret_storing/plain_spec.rb +0 -44
  225. data/spec/lib/secret_storing/sha256_hash_spec.rb +0 -48
  226. data/spec/lib/server_spec.rb +0 -61
  227. data/spec/lib/stale_records_cleaner_spec.rb +0 -89
  228. data/spec/models/doorkeeper/access_grant_spec.rb +0 -144
  229. data/spec/models/doorkeeper/access_token_spec.rb +0 -591
  230. data/spec/models/doorkeeper/application_spec.rb +0 -367
  231. data/spec/requests/applications/applications_request_spec.rb +0 -259
  232. data/spec/requests/applications/authorized_applications_spec.rb +0 -32
  233. data/spec/requests/endpoints/authorization_spec.rb +0 -73
  234. data/spec/requests/endpoints/token_spec.rb +0 -75
  235. data/spec/requests/flows/authorization_code_errors_spec.rb +0 -78
  236. data/spec/requests/flows/authorization_code_spec.rb +0 -447
  237. data/spec/requests/flows/client_credentials_spec.rb +0 -128
  238. data/spec/requests/flows/implicit_grant_errors_spec.rb +0 -34
  239. data/spec/requests/flows/implicit_grant_spec.rb +0 -90
  240. data/spec/requests/flows/password_spec.rb +0 -259
  241. data/spec/requests/flows/refresh_token_spec.rb +0 -233
  242. data/spec/requests/flows/revoke_token_spec.rb +0 -143
  243. data/spec/requests/flows/skip_authorization_spec.rb +0 -66
  244. data/spec/requests/protected_resources/metal_spec.rb +0 -16
  245. data/spec/requests/protected_resources/private_api_spec.rb +0 -83
  246. data/spec/routing/custom_controller_routes_spec.rb +0 -133
  247. data/spec/routing/default_routes_spec.rb +0 -41
  248. data/spec/routing/scoped_routes_spec.rb +0 -47
  249. data/spec/spec_helper.rb +0 -57
  250. data/spec/spec_helper_integration.rb +0 -4
  251. data/spec/support/dependencies/factory_bot.rb +0 -4
  252. data/spec/support/doorkeeper_rspec.rb +0 -22
  253. data/spec/support/helpers/access_token_request_helper.rb +0 -13
  254. data/spec/support/helpers/authorization_request_helper.rb +0 -43
  255. data/spec/support/helpers/config_helper.rb +0 -11
  256. data/spec/support/helpers/model_helper.rb +0 -78
  257. data/spec/support/helpers/request_spec_helper.rb +0 -98
  258. data/spec/support/helpers/url_helper.rb +0 -62
  259. data/spec/support/http_method_shim.rb +0 -29
  260. data/spec/support/orm/active_record.rb +0 -5
  261. data/spec/support/shared/controllers_shared_context.rb +0 -123
  262. data/spec/support/shared/hashing_shared_context.rb +0 -36
  263. data/spec/support/shared/models_shared_examples.rb +0 -54
  264. data/spec/validators/redirect_uri_validator_spec.rb +0 -158
  265. data/spec/version/version_spec.rb +0 -17
@@ -1,7 +1,8 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  Doorkeeper.configure do
4
- # Change the ORM that doorkeeper will use (needs plugins)
4
+ # Change the ORM that doorkeeper will use (requires ORM extensions installed).
5
+ # Check the list of supported ORMs here: https://github.com/doorkeeper-gem/doorkeeper#orms
5
6
  orm :active_record
6
7
 
7
8
  # This block will be called to check whether the resource owner is authenticated or not.
@@ -9,7 +10,7 @@ Doorkeeper.configure do
9
10
  raise "Please configure doorkeeper resource_owner_authenticator block located in #{__FILE__}"
10
11
  # Put your resource owner authentication logic here.
11
12
  # Example implementation:
12
- # User.find_by_id(session[:user_id]) || redirect_to(new_user_session_url)
13
+ # User.find_by(id: session[:user_id]) || redirect_to(new_user_session_url)
13
14
  end
14
15
 
15
16
  # If you didn't skip applications controller from Doorkeeper routes in your application routes.rb
@@ -28,6 +29,52 @@ Doorkeeper.configure do
28
29
  # end
29
30
  # end
30
31
 
32
+ # You can use your own model classes if you need to extend (or even override) default
33
+ # Doorkeeper models such as `Application`, `AccessToken` and `AccessGrant.
34
+ #
35
+ # Be default Doorkeeper ActiveRecord ORM uses it's own classes:
36
+ #
37
+ # access_token_class "Doorkeeper::AccessToken"
38
+ # access_grant_class "Doorkeeper::AccessGrant"
39
+ # application_class "Doorkeeper::Application"
40
+ #
41
+ # Don't forget to include Doorkeeper ORM mixins into your custom models:
42
+ #
43
+ # * ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken - for access token
44
+ # * ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessGrant - for access grant
45
+ # * ::Doorkeeper::Orm::ActiveRecord::Mixins::Application - for application (OAuth2 clients)
46
+ #
47
+ # For example:
48
+ #
49
+ # access_token_class "MyAccessToken"
50
+ #
51
+ # class MyAccessToken < ApplicationRecord
52
+ # include ::Doorkeeper::Orm::ActiveRecord::Mixins::AccessToken
53
+ #
54
+ # self.table_name = "hey_i_wanna_my_name"
55
+ #
56
+ # def destroy_me!
57
+ # destroy
58
+ # end
59
+ # end
60
+
61
+ # Enables polymorphic Resource Owner association for Access Tokens and Access Grants.
62
+ # By default this option is disabled.
63
+ #
64
+ # Make sure you properly setup you database and have all the required columns (run
65
+ # `bundle exec rails generate doorkeeper:enable_polymorphic_resource_owner` and execute Rails
66
+ # migrations).
67
+ #
68
+ # If this option enabled, Doorkeeper will store not only Resource Owner primary key
69
+ # value, but also it's type (class name). See "Polymorphic Associations" section of
70
+ # Rails guides: https://guides.rubyonrails.org/association_basics.html#polymorphic-associations
71
+ #
72
+ # [NOTE] If you apply this option on already existing project don't forget to manually
73
+ # update `resource_owner_type` column in the database and fix migration template as it will
74
+ # set NOT NULL constraint for Access Grants table.
75
+ #
76
+ # use_polymorphic_resource_owner
77
+
31
78
  # If you are planning to use Doorkeeper in Rails 5 API-only application, then you might
32
79
  # want to use API mode that will skip all the views management and change the way how
33
80
  # Doorkeeper responds to a requests.
@@ -39,38 +86,40 @@ Doorkeeper.configure do
39
86
  #
40
87
  # enforce_content_type
41
88
 
42
- # Authorization Code expiration time (default 10 minutes).
89
+ # Authorization Code expiration time (default: 10 minutes).
43
90
  #
44
91
  # authorization_code_expires_in 10.minutes
45
92
 
46
- # Access token expiration time (default 2 hours).
47
- # If you want to disable expiration, set this to nil.
93
+ # Access token expiration time (default: 2 hours).
94
+ # If you want to disable expiration, set this to `nil`.
48
95
  #
49
96
  # access_token_expires_in 2.hours
50
97
 
51
98
  # Assign custom TTL for access tokens. Will be used instead of access_token_expires_in
52
99
  # option if defined. In case the block returns `nil` value Doorkeeper fallbacks to
53
- # `access_token_expires_in` configuration option value. If you really need to issue a
100
+ # +access_token_expires_in+ configuration option value. If you really need to issue a
54
101
  # non-expiring access token (which is not recommended) then you need to return
55
102
  # Float::INFINITY from this block.
56
103
  #
57
104
  # `context` has the following properties available:
58
105
  #
59
- # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
60
- # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
61
- # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
106
+ # * `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
107
+ # * `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
108
+ # * `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
109
+ # * `resource_owner` - authorized resource owner instance (if present)
62
110
  #
63
111
  # custom_access_token_expires_in do |context|
64
- # context.client.application.additional_settings.implicit_oauth_expiration
112
+ # context.client.additional_settings.implicit_oauth_expiration
65
113
  # end
66
114
 
67
115
  # Use a custom class for generating the access token.
68
- # See https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
116
+ # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-access-token-generator
69
117
  #
70
118
  # access_token_generator '::Doorkeeper::JWT'
71
119
 
72
- # The controller Doorkeeper::ApplicationController inherits from.
73
- # Defaults to ActionController::Base.
120
+ # The controller +Doorkeeper::ApplicationController+ inherits from.
121
+ # Defaults to +ActionController::Base+ unless +api_only+ is set, which changes the default to
122
+ # +ActionController::API+. The return value of this option must be a stringified class name.
74
123
  # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller
75
124
  #
76
125
  # base_controller 'ApplicationController'
@@ -86,6 +135,14 @@ Doorkeeper.configure do
86
135
  #
87
136
  # reuse_access_token
88
137
 
138
+ # In case you enabled `reuse_access_token` option Doorkeeper will try to find matching
139
+ # token using `matching_token_for` Access Token API that searches for valid records
140
+ # in batches in order not to pollute the memory with all the database records. By default
141
+ # Doorkeeper uses batch size of 10 000 records. You can increase or decrease this value
142
+ # depending on your needs and server capabilities.
143
+ #
144
+ # token_lookup_batch_size 10_000
145
+
89
146
  # Set a limit for token_reuse if using reuse_access_token option
90
147
  #
91
148
  # This option limits token_reusability to some extent.
@@ -96,13 +153,22 @@ Doorkeeper.configure do
96
153
  #
97
154
  # token_reuse_limit 100
98
155
 
156
+ # Only allow one valid access token obtained via client credentials
157
+ # per client. If a new access token is obtained before the old one
158
+ # expired, the old one gets revoked (disabled by default)
159
+ #
160
+ # When enabling this option, make sure that you do not expect multiple processes
161
+ # using the same credentials at the same time (e.g. web servers spanning
162
+ # multiple machines and/or processes).
163
+ #
164
+ # revoke_previous_client_credentials_token
165
+
99
166
  # Hash access and refresh tokens before persisting them.
100
167
  # This will disable the possibility to use +reuse_access_token+
101
168
  # since plain values can no longer be retrieved.
102
169
  #
103
170
  # Note: If you are already a user of doorkeeper and have existing tokens
104
- # in your installation, they will be invalid without enabling the additional
105
- # setting `fallback_to_plain_secrets` below.
171
+ # in your installation, they will be invalid without adding 'fallback: :plain'.
106
172
  #
107
173
  # hash_token_secrets
108
174
  # By default, token secrets will be hashed using the
@@ -128,21 +194,22 @@ Doorkeeper.configure do
128
194
  #
129
195
  # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt'
130
196
 
131
- # When the above option is enabled,
132
- # and a hashed token or secret is not found,
133
- # you can allow to fall back to another strategy.
134
- # For users upgrading doorkeeper and wishing to enable hashing,
135
- # you will probably want to enable the fallback to plain tokens.
197
+ # When the above option is enabled, and a hashed token or secret is not found,
198
+ # you can allow to fall back to another strategy. For users upgrading
199
+ # doorkeeper and wishing to enable hashing, you will probably want to enable
200
+ # the fallback to plain tokens.
136
201
  #
137
202
  # This will ensure that old access tokens and secrets
138
203
  # will remain valid even if the hashing above is enabled.
139
204
  #
140
- # fallback_to_plain_secrets
205
+ # This can be done by adding 'fallback: plain', e.g. :
206
+ #
207
+ # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt', fallback: :plain
141
208
 
142
209
  # Issue access tokens with refresh token (disabled by default), you may also
143
210
  # pass a block which accepts `context` to customize when to give a refresh
144
- # token or not. Similar to `custom_access_token_expires_in`, `context` has
145
- # the properties:
211
+ # token or not. Similar to +custom_access_token_expires_in+, `context` has
212
+ # the following properties:
146
213
  #
147
214
  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
148
215
  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
@@ -151,7 +218,7 @@ Doorkeeper.configure do
151
218
  # use_refresh_token
152
219
 
153
220
  # Provide support for an owner to be assigned to each registered application (disabled by default)
154
- # Optional parameter confirmation: true (default false) if you want to enforce ownership of
221
+ # Optional parameter confirmation: true (default: false) if you want to enforce ownership of
155
222
  # a registered application
156
223
  # NOTE: you must also run the rails g doorkeeper:application_owner generator
157
224
  # to provide the necessary support
@@ -160,22 +227,22 @@ Doorkeeper.configure do
160
227
 
161
228
  # Define access token scopes for your provider
162
229
  # For more information go to
163
- # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes
230
+ # https://doorkeeper.gitbook.io/guides/ruby-on-rails/scopes
164
231
  #
165
232
  # default_scopes :public
166
233
  # optional_scopes :write, :update
167
234
 
168
- # Define scopes_by_grant_type to restrict only certain scopes for grant_type
235
+ # Allows to restrict only certain scopes for grant_type.
169
236
  # By default, all the scopes will be available for all the grant types.
170
237
  #
171
238
  # Keys to this hash should be the name of grant_type and
172
239
  # values should be the array of scopes for that grant type.
173
- # Note: scopes should be from configured_scopes(i.e. deafult or optional)
240
+ # Note: scopes should be from configured_scopes (i.e. default or optional)
174
241
  #
175
242
  # scopes_by_grant_type password: [:write], client_credentials: [:update]
176
243
 
177
244
  # Forbids creating/updating applications with arbitrary scopes that are
178
- # not in configuration, i.e. `default_scopes` or `optional_scopes`.
245
+ # not in configuration, i.e. +default_scopes+ or +optional_scopes+.
179
246
  # (disabled by default)
180
247
  #
181
248
  # enforce_configured_scopes
@@ -196,15 +263,6 @@ Doorkeeper.configure do
196
263
  #
197
264
  # access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
198
265
 
199
- # Change the native redirect uri for client apps
200
- # When clients register with the following redirect uri, they won't be redirected to
201
- # any server and the authorizationcode will be displayed within the provider
202
- # The value can be any string. Use nil to disable this feature. When disabled, clients
203
- # must providea valid URL
204
- # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
205
- #
206
- # native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
207
-
208
266
  # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
209
267
  # by default in non-development environments). OAuth2 delegates security in
210
268
  # communication to the HTTPS protocol so it is wise to keep this enabled.
@@ -246,7 +304,7 @@ Doorkeeper.configure do
246
304
  # is invalid, expired, revoked or has invalid scopes.
247
305
  #
248
306
  # If you want to render error response yourself (i.e. rescue exceptions),
249
- # set handle_auth_errors to `:raise` and rescue Doorkeeper::Errors::InvalidToken
307
+ # set +handle_auth_errors+ to `:raise` and rescue Doorkeeper::Errors::InvalidToken
250
308
  # or following specific errors:
251
309
  #
252
310
  # Doorkeeper::Errors::TokenForbidden, Doorkeeper::Errors::TokenExpired,
@@ -290,6 +348,48 @@ Doorkeeper.configure do
290
348
  #
291
349
  # grant_flows %w[authorization_code client_credentials]
292
350
 
351
+ # Allows to customize OAuth grant flows that +each+ application support.
352
+ # You can configure a custom block (or use a class respond to `#call`) that must
353
+ # return `true` in case Application instance supports requested OAuth grant flow
354
+ # during the authorization request to the server. This configuration +doesn't+
355
+ # set flows per application, it only allows to check if application supports
356
+ # specific grant flow.
357
+ #
358
+ # For example you can add an additional database column to `oauth_applications` table,
359
+ # say `t.array :grant_flows, default: []`, and store allowed grant flows that can
360
+ # be used with this application there. Then when authorization requested Doorkeeper
361
+ # will call this block to check if specific Application (passed with client_id and/or
362
+ # client_secret) is allowed to perform the request for the specific grant type
363
+ # (authorization, password, client_credentials, etc).
364
+ #
365
+ # Example of the block:
366
+ #
367
+ # ->(flow, client) { client.grant_flows.include?(flow) }
368
+ #
369
+ # In case this option invocation result is `false`, Doorkeeper server returns
370
+ # :unauthorized_client error and stops the request.
371
+ #
372
+ # @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
373
+ # @return [Boolean] `true` if allow or `false` if forbid the request
374
+ #
375
+ # allow_grant_flow_for_client do |grant_flow, client|
376
+ # # `grant_flows` is an Array column with grant
377
+ # # flows that application supports
378
+ #
379
+ # client.grant_flows.include?(grant_flow)
380
+ # end
381
+
382
+ # If you need arbitrary Resource Owner-Client authorization you can enable this option
383
+ # and implement the check your need. Config option must respond to #call and return
384
+ # true in case resource owner authorized for the specific application or false in other
385
+ # cases.
386
+ #
387
+ # Be default all Resource Owners are authorized to any Client (application).
388
+ #
389
+ # authorize_resource_owner_for_client do |client, resource_owner|
390
+ # resource_owner.admin? || client.owners_whitelist.include?(resource_owner)
391
+ # end
392
+
293
393
  # Hook into the strategies' request & response life-cycle in case your
294
394
  # application needs advanced customization or logging:
295
395
  #
@@ -302,17 +402,25 @@ Doorkeeper.configure do
302
402
  # end
303
403
 
304
404
  # Hook into Authorization flow in order to implement Single Sign Out
305
- # or add any other functionality.
405
+ # or add any other functionality. Inside the block you have an access
406
+ # to `controller` (authorizations controller instance) and `context`
407
+ # (Doorkeeper::OAuth::Hooks::Context instance) which provides pre auth
408
+ # or auth objects with issued token based on hook type (before or after).
306
409
  #
307
- # before_successful_authorization do |controller|
308
- # Rails.logger.info(params.inspect)
410
+ # before_successful_authorization do |controller, context|
411
+ # Rails.logger.info(controller.request.params.inspect)
412
+ #
413
+ # Rails.logger.info(context.pre_auth.inspect)
309
414
  # end
310
415
  #
311
- # after_successful_authorization do |controller|
416
+ # after_successful_authorization do |controller, context|
312
417
  # controller.session[:logout_urls] <<
313
418
  # Doorkeeper::Application
314
419
  # .find_by(controller.request.params.slice(:redirect_uri))
315
420
  # .logout_uri
421
+ #
422
+ # Rails.logger.info(context.auth.inspect)
423
+ # Rails.logger.info(context.issued_token)
316
424
  # end
317
425
 
318
426
  # Under some circumstances you might want to have applications auto-approved,
@@ -323,7 +431,61 @@ Doorkeeper.configure do
323
431
  # client.superapp? or resource_owner.admin?
324
432
  # end
325
433
 
326
- # WWW-Authenticate Realm (default "Doorkeeper").
434
+ # Configure custom constraints for the Token Introspection request.
435
+ # By default this configuration option allows to introspect a token by another
436
+ # token of the same application, OR to introspect the token that belongs to
437
+ # authorized client (from authenticated client) OR when token doesn't
438
+ # belong to any client (public token). Otherwise requester has no access to the
439
+ # introspection and it will return response as stated in the RFC.
440
+ #
441
+ # Block arguments:
442
+ #
443
+ # @param token [Doorkeeper::AccessToken]
444
+ # token to be introspected
445
+ #
446
+ # @param authorized_client [Doorkeeper::Application]
447
+ # authorized client (if request is authorized using Basic auth with
448
+ # Client Credentials for example)
449
+ #
450
+ # @param authorized_token [Doorkeeper::AccessToken]
451
+ # Bearer token used to authorize the request
452
+ #
453
+ # In case the block returns `nil` or `false` introspection responses with 401 status code
454
+ # when using authorized token to introspect, or you'll get 200 with { "active": false } body
455
+ # when using authorized client to introspect as stated in the
456
+ # RFC 7662 section 2.2. Introspection Response.
457
+ #
458
+ # Using with caution:
459
+ # Keep in mind that these three parameters pass to block can be nil as following case:
460
+ # `authorized_client` is nil if and only if `authorized_token` is present, and vice versa.
461
+ # `token` will be nil if and only if `authorized_token` is present.
462
+ # So remember to use `&` or check if it is present before calling method on
463
+ # them to make sure you doesn't get NoMethodError exception.
464
+ #
465
+ # You can define your custom check:
466
+ #
467
+ # allow_token_introspection do |token, authorized_client, authorized_token|
468
+ # if authorized_token
469
+ # # customize: require `introspection` scope
470
+ # authorized_token.application == token&.application ||
471
+ # authorized_token.scopes.include?("introspection")
472
+ # elsif token.application
473
+ # # `protected_resource` is a new database boolean column, for example
474
+ # authorized_client == token.application || authorized_client.protected_resource?
475
+ # else
476
+ # # public token (when token.application is nil, token doesn't belong to any application)
477
+ # true
478
+ # end
479
+ # end
480
+ #
481
+ # Or you can completely disable any token introspection:
482
+ #
483
+ # allow_token_introspection false
484
+ #
485
+ # If you need to block the request at all, then configure your routes.rb or web-server
486
+ # like nginx to forbid the request.
487
+
488
+ # WWW-Authenticate Realm (default: "Doorkeeper").
327
489
  #
328
490
  # realm "Doorkeeper"
329
491
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
2
4
  def change
3
5
  create_table :oauth_applications do |t|
@@ -24,7 +26,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
24
26
  t.text :redirect_uri, null: false
25
27
  t.datetime :created_at, null: false
26
28
  t.datetime :revoked_at
27
- t.string :scopes
29
+ t.string :scopes, null: false, default: ''
28
30
  end
29
31
 
30
32
  add_index :oauth_access_grants, :token, unique: true
@@ -36,6 +38,9 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
36
38
 
37
39
  create_table :oauth_access_tokens do |t|
38
40
  t.references :resource_owner, index: true
41
+
42
+ # Remove `null: false` if you are planning to use Password
43
+ # Credentials Grant flow that doesn't require an application.
39
44
  t.references :application, null: false
40
45
 
41
46
  # If you use a custom token generator you may need to change this column
@@ -52,12 +57,19 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
52
57
  t.datetime :created_at, null: false
53
58
  t.string :scopes
54
59
 
55
- # If there is a previous_refresh_token column,
60
+ # The authorization server MAY issue a new refresh token, in which case
61
+ # *the client MUST discard the old refresh token* and replace it with the
62
+ # new refresh token. The authorization server MAY revoke the old
63
+ # refresh token after issuing a new refresh token to the client.
64
+ # @see https://tools.ietf.org/html/rfc6749#section-6
65
+ #
66
+ # Doorkeeper implementation: if there is a `previous_refresh_token` column,
56
67
  # refresh tokens will be revoked after a related access token is used.
57
- # If there is no previous_refresh_token column,
58
- # previous tokens are revoked as soon as a new access token is created.
59
- # Comment out this line if you'd rather have refresh tokens
60
- # instantly revoked.
68
+ # If there is no `previous_refresh_token` column, previous tokens are
69
+ # revoked as soon as a new access token is created.
70
+ #
71
+ # Comment out this line if you want refresh tokens to be instantly
72
+ # revoked after use.
61
73
  t.string :previous_refresh_token, null: false, default: ""
62
74
  end
63
75