doorkeeper 5.2.0.rc1 → 5.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f8d957f89709f38c434bcaa2f50d2b7a540ed613c37c49a7206cbab07c32c240
-  data.tar.gz: f1945351442b325395da930863b402cb45091f576075ffe0b71dbc285911d846
+  metadata.gz: c5184a79d20bb22a118af7f53e465f3d16b4e8796819bc3d3787118b65e2faa5
+  data.tar.gz: 36dbd460edaad12e3550210d3edfa1c2f6b82bfa600c7a6fc3c1e730bc7d34c1
 SHA512:
-  metadata.gz: 97b9c9d403403af0227f670b66876be06dac554beeb024f507e3c460a0fcd6c5eeb75b8747946ff622065791992ce1bf9c30f8366f964e57545e229366533048
-  data.tar.gz: f235dee893b1ad79ad1873006e68e0ad508a25f676c4d6ecd6f867cca0ec8c5f1776420d79e0efb8cefc7309b1f467ef34de3382249c698fd842872c3eea5254
+  metadata.gz: 2b1183b93495fcaf34b7d1761d1e605e9203bdcfa483ebc6b3c11895b781ace879439f84d92d05dc9321bf28014b64e4c2a63666a20a389b26a34f1a5dc3c048
+  data.tar.gz: 75959d91b24d5a34538e9bf2d5fca263bbd9338a1cf20d808a6737b0ec4ee507f2d07ee47031d09ab7211e62be5803223f2a28d4099e91008741606162c3dafa

data/Appraisals

@@ -16,7 +16,7 @@ appraise "rails-5-2" do
 end
 
 appraise "rails-6-0" do
-  gem "rails", "~> 6.0.0.beta3"
+  gem "rails", "~> 6.0.0"
   gem "sqlite3", "~> 1.4", platform: %i[ruby mswin mingw x64_mingw]
 
   # TODO: Remove when rspec-rails 4.0 released

data/CHANGELOG.md

@@ -7,7 +7,38 @@ User-visible changes worth mentioning.
 
 ## master
 
-- [#1260], [#1261] Improve Token Introspection configuration option (access to tokens, client).
+- [#PR ID] Your PR description here.
+
+## 5.2.0
+
+- [#1305] Make `Doorkeeper::ApplicationController` to inherit from `ActionController::API` in cases
+  when `api_mode` enabled (fixes #1302).
+
+## 5.2.0.rc3
+
+- [#1298] Slice strong params so doesn't error with Rails forms.
+- [#1300] Limiting access to attributes of pre_authorization.
+- [#1296] Adding client_id to strong parameters.
+- [#1293] Move ar specific redirect uri validator to ar orm directory.
+- [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
+  the PreAuthorization response.
+- [#1286] Add ability to customize grant flows per application (OAuth client) (#1245 , #1207)
+- [#1283] Allow to customize base class for `Doorkeeper::ApplicationMetalController` (new configuration
+  option called `base_metal_controller` (fix #1273).
+- [#1277] Prevent requested scope be empty on authorization request, handle and add description for invalid request.
+
+## 5.2.0.rc2
+
+- [#1270] Find matching tokens in batches for `reuse_access_token` option (fix #1193).
+- [#1271] Reintroduce existing token revocation for client credentials.
+- [#1269] Update initializer template documentation.
+- [#1266] Use strong parameters within pre-authorization.
+- [#1264] Add :before_successful_authorization and :after_successful_authorization hooks in TokensController
+- [#1263] Response properly when introspection fails and fix configurations's user guide.
+
+## 5.2.0.rc1
+
+- [#1260], [#1262] Improve Token Introspection configuration option (access to tokens, client).
 - [#1257] Add constraint configuration when using client authentication on introspection endpoint.
 - [#1252] Returning `unauthorized` when the revocation of the token should not be performed due to wrong permissions.
 - [#1249] Specify case sensitive uniqueness to remove Rails 6 deprecation message
@@ -31,7 +62,7 @@ User-visible changes worth mentioning.
 
 - [#1208] Unify hashing implementation into secret storing strategies
 
-  **[IMPORTANT]**: If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
+  **[IMPORTANT]** If you have been using the master branch of doorkeeper with bcrypt in your Gemfile.lock,
   your application secrets have been hashed using BCrypt. To restore this behavior, use the initializer option
   `use_application_hashing using: 'Doorkeeper::SecretStoring::BCrypt`.
 

data/CONTRIBUTING.md

@@ -7,6 +7,13 @@ Fork, then clone the repo:
 
     git clone git@github.com:your-username/doorkeeper.git
 
+### Docker Setup
+
+Build the container image with: `docker build --pull -t doorkeeper:test .`
+Run the tests with: `docker run -it --rm doorkeeper:test`
+
+### Local Setup
+
 Set up Ruby dependencies via Bundler
 
     bundle install

data/Dangerfile

@@ -11,7 +11,7 @@ def changelog_entry_example
                    .sub(/[?.!,;]?$/, '')
                    .capitalize
 
-  "- [##{pr_number}]: #{pr_title}."
+  "- [##{pr_number}] #{pr_title}."
 end
 
 # --------------------------------------------------------------------------------------------------------------------

data/Dockerfile

@@ -0,0 +1,29 @@
+FROM ruby:2.6.3-alpine3.9
+
+RUN apk add --no-cache \
+  ca-certificates \
+  wget \
+  openssl \ 
+  bash \
+  build-base \
+  git \
+  sqlite-dev \
+  tzdata
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+ENV BUNDLER_VERSION 2.0.1
+RUN gem install bundler -v ${BUNDLER_VERSION} -i /usr/local/lib/ruby/gems/$(ls /usr/local/lib/ruby/gems) --force
+
+WORKDIR /srv
+
+COPY Gemfile doorkeeper.gemspec /srv/
+COPY lib/doorkeeper/version.rb /srv/lib/doorkeeper/version.rb
+
+RUN bundle install
+
+COPY . /srv/
+
+CMD ["rake"]

data/Gemfile

@@ -5,7 +5,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 gemspec
 
-gem "rails", "~> 6.0.0.rc1"
+gem "rails", "~> 6.0.0"
 
 # TODO: Remove when rspec-rails 4.0 released
 gem "rspec-core", github: "rspec/rspec-core"

data/README.md

@@ -21,10 +21,11 @@ Supported features:
   - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
   - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
   - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
-  - [Proof Key for Code Exchange](https://tools.ietf.org/html/rfc7636)
 - [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
 - [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
 - [OAuth 2.0 Threat Model and Security Considerations](http://tools.ietf.org/html/rfc6819)
+- [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10)
+- [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
 
 ## Table of Contents
 
@@ -93,6 +94,7 @@ Doorkeeper supports Active Record by default, but can be configured to work with
 | MongoDB | [doorkeeper-gem/doorkeeper-mongodb](https://github.com/doorkeeper-gem/doorkeeper-mongodb) |
 | Sequel | [nbulaj/doorkeeper-sequel](https://github.com/nbulaj/doorkeeper-sequel) |
 | Couchbase | [acaprojects/doorkeeper-couchbase](https://github.com/acaprojects/doorkeeper-couchbase) |
+| RethinkDB | [aca-labs/doorkeeper-rethinkdb](https://github.com/aca-labs/doorkeeper-rethinkdb) |
 
 ## Extensions
 
@@ -136,6 +138,12 @@ Support this project by becoming a sponsor. Your logo will show up here with a l
 
 > If you prefer not to deal with the gory details of OAuth 2, need dedicated customer support & consulting, try the cloud-based SaaS version: [https://oauth.io](https://oauth.io/?utm_source=doorkeeper-gem)
 
+<br>
+
+<a href="https://www.wealthsimple.com/?utm_source=doorkeeper-gem" target="_blank"><img src="https://wealthsimple.s3.amazonaws.com/branding/medium-black.svg"/></a>
+
+> Wealthsimple is a financial company on a mission to help everyone achieve financial freedom by providing products and advice that are accessible and affordable. Using smart technology, Wealthsimple takes financial services that are often confusing, opaque and expensive and makes them simple, transparent, and low-cost. See what Investing on Autopilot is all about: [https://www.wealthsimple.com](https://www.wealthsimple.com/?utm_source=doorkeeper-gem)
+
 ## Development
 
 To run the local engine server:

data/app/controllers/doorkeeper/application_controller.rb

@@ -2,7 +2,7 @@
 
 module Doorkeeper
   class ApplicationController <
-    Doorkeeper.configuration.base_controller.constantize
+    Doorkeeper.configuration.resolve_controller(:base)
     include Helpers::Controller
 
     unless Doorkeeper.configuration.api_only

data/app/controllers/doorkeeper/application_metal_controller.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 module Doorkeeper
-  class ApplicationMetalController < ActionController::API
+  class ApplicationMetalController <
+    Doorkeeper.configuration.resolve_controller(:base_metal)
     include Helpers::Controller
 
     before_action :enforce_content_type,

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -12,7 +12,6 @@ module Doorkeeper
       end
     end
 
-    # TODO: Handle raise invalid authorization
     def create
       redirect_or_render authorize_response
     end
@@ -66,9 +65,16 @@ module Doorkeeper
     end
 
     def pre_auth
-      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration,
-                                                server.client_via_uid,
-                                                params)
+      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, pre_auth_params)
+    end
+
+    def pre_auth_params
+      params.slice(*pre_auth_param_fields).permit(*pre_auth_param_fields)
+    end
+
+    def pre_auth_param_fields
+      %i[client_id response_type redirect_uri scope state code_challenge
+         code_challenge_method]
     end
 
     def authorization
@@ -81,10 +87,11 @@ module Doorkeeper
 
     def authorize_response
       @authorize_response ||= begin
-        authorizable = pre_auth.authorizable?
-        before_successful_authorization if authorizable
+        return pre_auth.error_response unless pre_auth.authorizable?
+
+        before_successful_authorization
         auth = strategy.authorize
-        after_successful_authorization if authorizable
+        after_successful_authorization
         auth
       end
     end

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -88,7 +88,20 @@ module Doorkeeper
     end
 
     def authorize_response
-      @authorize_response ||= strategy.authorize
+      @authorize_response ||= begin
+        before_successful_authorization
+        auth = strategy.authorize
+        after_successful_authorization unless auth.is_a?(Doorkeeper::OAuth::ErrorResponse)
+        auth
+      end
+    end
+
+    def after_successful_authorization
+      Doorkeeper.configuration.after_successful_authorization.call(self)
+    end
+
+    def before_successful_authorization
+      Doorkeeper.configuration.before_successful_authorization.call(self)
     end
 
     def revocation_error_response

data/config/locales/en.yml

@@ -88,7 +88,11 @@ en:
     errors:
       messages:
         # Common error messages
-        invalid_request: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+        invalid_request:
+          unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
+          missing_param: 'Missing required parameter: #{value}.'
+          not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
+          request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
         invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'

data/doorkeeper.gemspec

@@ -18,6 +18,14 @@ Gem::Specification.new do |gem|
   gem.test_files    = `git ls-files -- spec/*`.split("\n")
   gem.require_paths = ["lib"]
 
+  gem.metadata = {
+    "homepage_uri" => "https://github.com/doorkeeper-gem/doorkeeper",
+    "changelog_uri" => "https://github.com/doorkeeper-gem/doorkeeper/blob/master/CHANGELOG.md",
+    "source_code_uri" => "https://github.com/doorkeeper-gem/doorkeeper",
+    "bug_tracker_uri" => "https://github.com/doorkeeper-gem/doorkeeper/issues",
+    "documentation_uri" => "https://doorkeeper.gitbook.io/guides/",
+  }
+
   gem.add_dependency "railties", ">= 5"
   gem.required_ruby_version = ">= 2.4"
 

data/gemfiles/rails_6_0.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "rails", "~> 6.0.0.rc1"
+gem "rails", "~> 6.0.0"
 gem "rspec-core", git: "https://github.com/rspec/rspec-core.git"
 gem "rspec-expectations", git: "https://github.com/rspec/rspec-expectations.git"
 gem "rspec-mocks", git: "https://github.com/rspec/rspec-mocks.git"

data/lib/doorkeeper/config.rb

@@ -259,6 +259,32 @@ module Doorkeeper
     option :grant_flows,                    default: %w[authorization_code client_credentials]
     option :handle_auth_errors,             default: :render
 
+    # Allows to customize OAuth grant flows that +each+ application support.
+    # You can configure a custom block (or use a class respond to `#call`) that must
+    # return `true` in case Application instance supports requested OAuth grant flow
+    # during the authorization request to the server. This configuration +doesn't+
+    # set flows per application, it only allows to check if application supports
+    # specific grant flow.
+    #
+    # For example you can add an additional database column to `oauth_applications` table,
+    # say `t.array :grant_flows, default: []`, and store allowed grant flows that can
+    # be used with this application there. Then when authorization requested Doorkeeper
+    # will call this block to check if specific Application (passed with client_id and/or
+    # client_secret) is allowed to perform the request for the specific grant type
+    # (authorization, password, client_credentials, etc).
+    #
+    # Example of the block:
+    #
+    #   ->(flow, client) { client.grant_flows.include?(flow) }
+    #
+    # In case this option invocation result is `false`, Doorkeeper server returns
+    # :unauthorized_client error and stops the request.
+    #
+    # @param allow_grant_flow_for_client [Proc] Block or any object respond to #call
+    # @return [Boolean] `true` if allow or `false` if forbid the request
+    #
+    option :allow_grant_flow_for_client,    default: ->(_grant_flow, _client) { true }
+
     # Allows to forbid specific Application redirect URI's by custom rules.
     # Doesn't forbid any URI by default.
     #
@@ -288,7 +314,7 @@ module Doorkeeper
     option :force_ssl_in_redirect_uri,      default: !Rails.env.development?
 
     # Use a custom class for generating the access token.
-    # https://github.com/doorkeeper-gem/doorkeeper#custom-access-token-generator
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-access-token-generator
     #
     # @param access_token_generator [String]
     #   the name of the access token generator class
@@ -306,11 +332,20 @@ module Doorkeeper
 
     # The controller Doorkeeper::ApplicationController inherits from.
     # Defaults to ActionController::Base.
-    # https://github.com/doorkeeper-gem/doorkeeper#custom-base-controller
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller
     #
     # @param base_controller [String] the name of the base controller
     option :base_controller,
-           default: "ActionController::Base"
+           default: (lambda do
+             api_only ? "ActionController::API" : "ActionController::Base"
+           end)
+
+    # The controller Doorkeeper::ApplicationMetalController inherits from.
+    # Defaults to ActionController::API.
+    #
+    # @param base_metal_controller [String] the name of the base controller
+    option :base_metal_controller,
+           default: "ActionController::API"
 
     # Allows to set blank redirect URIs for Applications in case
     # server configured to use URI-less grant flows.
@@ -322,9 +357,10 @@ module Doorkeeper
            end)
 
     # Configure protection of token introspection request.
-    # By default token introspection is allowed only for clients that
-    # introspected token belongs to or if access token been introspected
-    # is a public one (doesn't belong to any client).
+    # By default this configuration allows to introspect a token by
+    # another token of the same application, or to introspect the token
+    # that belongs to authorized client, or access token has been introspected
+    # is a public one (doesn't belong to any client)
     #
     # You can define any custom rule you need or just disable token
     # introspection at all.
@@ -340,9 +376,11 @@ module Doorkeeper
     #   Bearer token used to authorize the request
     #
     option :allow_token_introspection,
-           default: (lambda do |token, authorized_client, _authorized_token|
-             if token.application
-               token.application == authorized_client
+           default: (lambda do |token, authorized_client, authorized_token|
+             if authorized_token
+               authorized_token.application == token&.application
+             elsif token.application
+               authorized_client == token.application
              else
                true
              end
@@ -381,6 +419,17 @@ module Doorkeeper
       @token_reuse_limit ||= 100
     end
 
+    def resolve_controller(name)
+      config_option = public_send(:"#{name}_controller")
+      controller_name = if config_option.respond_to?(:call)
+                          instance_exec(&config_option)
+                        else
+                          config_option
+                        end
+
+      controller_name.constantize
+    end
+
     def enforce_configured_scopes?
       option_set? :enforce_configured_scopes
     end
@@ -449,6 +498,12 @@ module Doorkeeper
       end
     end
 
+    def allow_grant_flow_for_client?(grant_flow, client)
+      return true unless option_defined?(:allow_grant_flow_for_client)
+
+      allow_grant_flow_for_client.call(grant_flow, client)
+    end
+
     def option_defined?(name)
       instance_variable_defined?("@#{name}")
     end

data/lib/doorkeeper/errors.rb

@@ -8,18 +8,6 @@ module Doorkeeper
       end
     end
 
-    class InvalidAuthorizationStrategy < DoorkeeperError
-      def type
-        :unsupported_response_type
-      end
-    end
-
-    class InvalidTokenReuse < DoorkeeperError
-      def type
-        :invalid_request
-      end
-    end
-
     class InvalidGrantReuse < DoorkeeperError
       def type
         :invalid_grant
@@ -32,7 +20,14 @@ module Doorkeeper
       end
     end
 
-    class MissingRequestStrategy < DoorkeeperError
+    class MissingRequiredParameter < DoorkeeperError
+      attr_reader :missing_param
+
+      def initialize(missing_param)
+        super
+        @missing_param = missing_param
+      end
+
       def type
         :invalid_request
       end
@@ -50,10 +45,10 @@ module Doorkeeper
     TokenGeneratorNotFound = Class.new(DoorkeeperError)
     NoOrmCleaner = Class.new(DoorkeeperError)
 
-    InvalidToken = Class.new BaseResponseError
-    TokenExpired = Class.new InvalidToken
-    TokenRevoked = Class.new InvalidToken
-    TokenUnknown = Class.new InvalidToken
-    TokenForbidden = Class.new InvalidToken
+    InvalidToken = Class.new(BaseResponseError)
+    TokenExpired = Class.new(InvalidToken)
+    TokenRevoked = Class.new(InvalidToken)
+    TokenUnknown = Class.new(InvalidToken)
+    TokenForbidden = Class.new(InvalidToken)
   end
 end

data/lib/doorkeeper/helpers/controller.rb

@@ -44,8 +44,12 @@ module Doorkeeper
       def get_error_response_from_exception(exception)
         if exception.respond_to?(:response)
           exception.response
+        elsif exception.type == :invalid_request
+          OAuth::InvalidRequestResponse.new(name: exception.type,
+                                            state: params[:state],
+                                            missing_param: exception.missing_param)
         else
-          OAuth::ErrorResponse.new name: exception.type, state: params[:state]
+          OAuth::ErrorResponse.new(name: exception.type, state: params[:state])
         end
       end
 
@@ -58,7 +62,7 @@ module Doorkeeper
 
       def skip_authorization?
         !!instance_exec(
-          [@server.current_resource_owner, @pre_auth.client],
+          [server.current_resource_owner, @pre_auth.client],
           &Doorkeeper.configuration.skip_authorization
         )
       end

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -76,9 +76,50 @@ module Doorkeeper
                             end
 
         tokens = authorized_tokens_for(application.try(:id), resource_owner_id)
-        tokens.detect do |token|
-          scopes_match?(token.scopes, scopes, application.try(:scopes))
+        find_matching_token(tokens, application, scopes)
+      end
+
+      # Interface to enumerate access token records in batches in order not
+      # to bloat the memory. Could be overloaded in any ORM extension.
+      #
+      def find_access_token_in_batches(relation, *args, &block)
+        relation.find_in_batches(*args, &block)
+      end
+
+      # Enumerates AccessToken records in batches to find a matching token.
+      # Batching is required in order not to pollute the memory if Application
+      # has huge amount of associated records.
+      #
+      # ActiveRecord 5.x - 6.x ignores custom ordering so we can't perform a
+      # database sort by created_at, so we need to load all the matching records,
+      # sort them and find latest one. Probably it would be better to rewrite this
+      # query using Time math if possible, but we n eed to consider ORM and
+      # different databases support.
+      #
+      # @param relation [ActiveRecord::Relation]
+      #   Access tokens relation
+      # @param application [Doorkeeper::Application]
+      #   Application instance
+      # @param scopes [String, Doorkeeper::OAuth::Scopes]
+      #   set of scopes
+      #
+      # @return [Doorkeeper::AccessToken, nil] Access Token instance or
+      #   nil if matching record was not found
+      #
+      def find_matching_token(relation, application, scopes)
+        return nil unless relation
+
+        matching_tokens = []
+
+        find_access_token_in_batches(relation) do |batch|
+          tokens = batch.select do |token|
+            scopes_match?(token.scopes, scopes, application.try(:scopes))
+          end
+
+          matching_tokens.concat(tokens)
         end
+
+        matching_tokens.max_by(&:created_at)
       end
 
       # Checks whether the token scopes match the scopes from the parameters

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -19,14 +19,10 @@ module Doorkeeper
           { action: :show, code: token.plaintext_token }
         end
 
-        def configuration
-          Doorkeeper.configuration
-        end
-
         private
 
         def authorization_code_expires_in
-          configuration.authorization_code_expires_in
+          Doorkeeper.configuration.authorization_code_expires_in
         end
 
         def access_grant_attributes

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -3,7 +3,8 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :attributes,   error: :invalid_request
+      validate :pkce_support, error: :invalid_request
+      validate :params,       error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
       # @see https://tools.ietf.org/html/rfc6749#section-5.2
@@ -12,6 +13,7 @@ module Doorkeeper
 
       attr_accessor :server, :grant, :client, :redirect_uri, :access_token,
                     :code_verifier
+      attr_reader :invalid_request_reason, :missing_param
 
       def initialize(server, grant, client, parameters = {})
         @server = server
@@ -24,10 +26,6 @@ module Doorkeeper
 
       private
 
-      def client_by_uid(parameters)
-        Doorkeeper::Application.by_uid(parameters[:client_id])
-      end
-
       def before_successful_response
         grant.transaction do
           grant.lock!
@@ -42,11 +40,22 @@ module Doorkeeper
         super
       end
 
-      def validate_attributes
-        return false if grant&.uses_pkce? && code_verifier.blank?
-        return false if grant && !grant.pkce_supported? && !code_verifier.blank?
+      def validate_pkce_support
+        @invalid_request_reason = :not_support_pkce if grant &&
+                                                       !grant.pkce_supported? &&
+                                                       code_verifier.present?
+
+        @invalid_request_reason.nil?
+      end
+
+      def validate_params
+        @missing_param = if grant&.uses_pkce? && code_verifier.blank?
+                           :code_verifier
+                         elsif redirect_uri.blank?
+                           :redirect_uri
+                         end
 
-        redirect_uri.present?
+        @missing_param.nil?
       end
 
       def validate_client

data/lib/doorkeeper/oauth/base_request.rb

@@ -15,6 +15,8 @@ module Doorkeeper
           @response = TokenResponse.new(access_token)
           after_successful_response
           @response
+        elsif error == :invalid_request
+          @response = InvalidRequestResponse.from_request(self)
         else
           @response = ErrorResponse.from_request(self)
         end

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -5,11 +5,25 @@ module Doorkeeper
     class ClientCredentialsRequest < BaseRequest
       class Creator
         def call(client, scopes, attributes = {})
+          existing_token = existing_token_for(client, scopes)
+
+          if Doorkeeper.configuration.reuse_access_token && existing_token&.reusable?
+            return existing_token
+          end
+
+          existing_token&.revoke
+
           AccessToken.find_or_create_for(
             client, nil, scopes, attributes[:expires_in],
             attributes[:use_refresh_token]
           )
         end
+
+        private
+
+        def existing_token_for(client, scopes)
+          Doorkeeper::AccessToken.matching_token_for client, nil, scopes
+        end
       end
     end
   end