doorkeeper 5.3.3 → 5.6.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d3ed9e21e9d404f1c7f67a48a36a5745d9a5a7aca05b9ae63fbd10c6d170ac1
-  data.tar.gz: 21ab4db448c9404a7067e8223433a8aa2ecfe955fd3729e7038efafd616c4237
+  metadata.gz: b62a0472a97d06b40362817c9d5c0dd7dd6e0d0e600437a19f5cf2fd18c4be46
+  data.tar.gz: 9850cef14c21a1f0df2fb451a485ab5b8066360a3008124f7aed287409364e36
 SHA512:
-  metadata.gz: a03ea8dbf25bc5d48f2fa92942c73dfefa74978d16229b79f1f6d691e0d591ecdc08be84bc243139a1a4df50091fde2d039f5dcae65a8250477e309a31ad054d
-  data.tar.gz: 7f6445f2beb910ba6b3cdeebd5d0d265986f49bb400ccccdbd811f7be8e34e5e029e07acfe22330729fe9065169b1807a4c98094abf3d247fe7175a1cd52daf5
+  metadata.gz: de0c7021c4735b26249e5b267db11ede06f55b23d8f9bd51641d1cf3eee3812e14a2deec986e8aa6ee81de98097083fdb634a441fd4928cb47286fa977ba5d96
+  data.tar.gz: 3865639c837771ceeafceec8a110e506f88fef45c61f7274782c637e794f9185be18ee98270852bac6fecb0fc90e4893dfed08d715c761507e87396e5a559bc2

data/CHANGELOG.md

@@ -5,20 +5,201 @@ upgrade guides.
 
 User-visible changes worth mentioning.
 
-## 5.3.3
+## main
 
-- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+- [#ID] Add your PR description here.
 
-## 5.3.2
+## 5.6.6
 
-- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+- [#1644] Update HTTP headers.
+- [#1646] Block public clients automatic authorization skip.
+- [#1648] Add custom token attributes to Refresh Token Request.
+- [#1649] Fixed custom_access_token_attributes related errors.
+
+# 5.6.5
+
+- [#1602] Allow custom data to be stored inside access grants/tokens.
+- [#1634] Code refactoring for custom token attributes.
+- [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.
+
+# 5.6.4
+
+- [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.
+
+# 5.6.3
+
+- [#1622] Drop support for Rubies 2.5 and 2.6
+- [#1605] Fix URI validation for Ruby 3.2+.
+- [#1625] Exclude endless access tokens from `StaleRecordsCleaner`.
+- [#1626] Remove deprecated `active_record_options` config option.
+- [#1631] Fix regression with redirect behavior after token lookup optimizations (redirect to app URI when found).
+- [#1630] Special case unique index creation for refresh_token on SQL Server.
+- [#1627] Lazy evaluate Doorkeeper config when loading files and executing initializers.
+
+## 5.6.2
+
+- [#1604] Fix fetching of the application when custom application_class defined.
+
+## 5.6.1
+
+- [#1593] Add support for Trilogy ActiveRecord adapter.
+- [#1597] Add optional support to use the url path for the native authorization code flow. Ports forward [#1143] from 4.4.3
+- [#1599] Remove unnecessarily re-fetch of application object when creating an access token.
+
+## 5.6.0
+
+- [#1581] Consider `token_type_hint` when searching for access token in TokensController to avoid extra database calls.
+
+## 5.6.0.rc2
+
+- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
+  application scopes when using client credentials.
+- [#1567] Only filter `code` parameter if authorization_code grant flow is enabled.
+
+## 5.6.0.rc1
+
+- [#1551] Change lazy loading for ORM to be Ruby standard autoload.
+- [#1552] Remove duplicate IDs on Auth form to improve accessibility.
+- [#1542] Improve performance of `Doorkeeper::AccessToken#matching_token_for` using database specific SQL time math.
+
+  **[IMPORTANT]**: API of the `Doorkeeper::AccessToken#matching_token_for` method has changed and now it returns
+  only **active** access tokens (previously they were just not revoked). Please remember that the idea of the
+  `reuse_access_token` option is to check for existing _active_ token (see configuration option description).
+
+## 5.5.4
+
+- [#1535] Revert changes introduced in #1528 to allow query params in `redirect_uri` as per the spec.
+
+## 5.5.3
+
+- [#1528] Don't allow extra query params in redirect_uri.
+- [#1525] I18n source for forbidden token error is now `doorkeeper.errors.messages.forbidden_token.missing_scope`.
+- [#1531] Disable `strict-loading` for Doorkeeper models by default.
+- [#1532] Add support for Rails 7.
+
+## 5.5.2
+
+- [#1502] Drop support for Ruby 2.4 because of EOL.
+- [#1504] Updated the url fragment in the comment for code documentation.
+- [#1512] Fix form behavior when response mode is form_post.
+- [#1511] Fix that authorization code is returned by fragment if response_mode is fragment.
+
+## 5.5.1
+
+- [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
+- [#1495] Fix `respond_to` undefined in API-only mode
+- [#1488] Verify client authentication for Resource Owner Password Grant when
+  `config.skip_client_authentication_for_password_grant` is set and the client credentials
+  are sent in a HTTP Basic auth header.
+
+## 5.5.0
+
+- [#1482] Simplify `TokenInfoController` to be overridable (extract response rendering).
+- [#1478] Fix ownership association and Rake tasks when custom models configured.
+- [#1477] Respect `ActiveRecord::Base.pluralize_table_names` for Doorkeeper table names.
+
+## 5.5.0.rc2
+
+- [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
+
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
+    `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
+
+- [#1472] Fix `establish_connection` configuration for custom defined models.
+- [#1471] Add support for Ruby 3.0.
+- [#1469] Check if `redirect_uri` exists.
+- [#1465] Memoize nil doorkeeper_token.
+- [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
+- [#1457] Make owner_id a bigint for newly-generated owner migrations
+- [#1452] Empty previous_refresh_token only if present.
+- [#1440] Validate empty host in redirect_uri.
+- [#1438] Add form post response mode.
+- [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
+
+## 5.5.0.rc1
+
+- [#1435] Make error response not redirectable when client is unauthorized
+- [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
+- [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
+- [#1416] Don't add introspection route if token introspection completely disabled.
+- [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
+- [#1415] Ignore PKCE params for non-PKCE grants.
+- [#1418] Add ability to register custom OAuth Grant Flows.
+- [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
+
+  **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
+    have it before and use client credentials in HTTP Basic auth if you previously used this grant
+    flow without client authentication. To opt out of this you could set the
+    `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
+    this is in violation of the OAuth spec and represents a security risk.
+    All the users of your provider application now need to include client credentials when they use
+    this grant flow.
+
+- [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
+  configuration option to allow resource owner based Access Tokens TTL.
+
+## 5.4.0
+
+- [#1404] Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.4.0.rc2
+
+- [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
   Fixes information disclosure vulnerability (CVE-2020-10187).
-  
+
   **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
   if you previously used `#to_json` serialization with custom options or attributes or rely on
   JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
   is a breaking change which restricts serialized attributes to a very small set of columns.
 
+- [#1395] Fix `NameError: uninitialized constant Doorkeeper::AccessToken` for Rake tasks.
+- [#1397] Add `as: :doorkeeper_application` on Doorkeeper application form in order to support
+  custom configured application model.
+- [#1400] Correctly yield the application instance to `allow_grant_flow_for_client?` config
+  option (fixes #1398).
+- [#1402] Handle trying authorization with client credentials.
+
+## 5.4.0.rc1
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
+- [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
+- [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
+  models (`use_polymorphic_resource_owner` configuration option).
+
+  **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
+  have such - since now Doorkeeper passes Resource Owner instance to every objects and not
+  just it's ID. See PR description for details.
+
+- [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
+  `Stack level too deep` error with AMS (fix #1312).
+- [#1358] Deprecate `active_record_options` configuration option.
+- [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
+  in external extensions.
+- [#1360] Increase `matching_token_for` lookup size to 10 000 and make it configurable.
+- [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.
+- [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).
+
+  **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
+  (for public clients) and `client_secret` (for private clients). Please update your apps to include that
+  info in the revocation request payload.
+
+- [#1373] Make Doorkeeper routes mapper reusable in extensions.
+- [#1374] Revoke and issue client credentials token in a transaction with a row lock.
+- [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
+- [#1387] Add `AccessToken#create_for` and use in `RefreshTokenRequest`.
+- [#1392] Fix `enable_polymorphic_resource_owner` migration template to have proper index name.
+- [#1393] Improve Applications #show page with more informative data on client secret and scopes.
+- [#1394] Use Ruby `autoload` feature to load Doorkeeper files.
+
+## 5.3.3
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.3.2
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.3.1
 
 - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
@@ -37,9 +218,18 @@ User-visible changes worth mentioning.
   If you were relying on access tokens being revoked once the same client
   requested a new access token, reenable it with `revoke_previous_client_credentials_token` in Doorkeeper
   initialization file.
-  
+
+## 5.2.6
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.2.5
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.2.4
-  
+
 - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
 
 ## 5.2.3
@@ -70,6 +260,9 @@ User-visible changes worth mentioning.
 - [#1298] Slice strong params so doesn't error with Rails forms.
 - [#1300] Limiting access to attributes of pre_authorization.
 - [#1296] Adding client_id to strong parameters.
+
+  **[IMPORTANT]** `Doorkeeper::Server#client_via_uid` was removed.
+
 - [#1293] Move ar specific redirect uri validator to ar orm directory.
 - [#1288] Allow to pass attributes to the `Doorkeeper::OAuth::PreAuthorization#as_json` method to customize
   the PreAuthorization response.
@@ -102,6 +295,15 @@ User-visible changes worth mentioning.
 - [#1248] Return the unhashed Application Secret in the JSON response after creating new application even when `hash_application_secrets` is used.
 - [#1238] Better support for native app with support for custom scheme and localhost redirection.
 
+## 5.1.2
+
+- [#1404] Backport: Make `Doorkeeper::Application#read_attribute_for_serialization` public.
+
+## 5.1.1
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.1.0
 
 - [#1243] Add nil check operator in token checking at token introspection.
@@ -109,7 +311,7 @@ User-visible changes worth mentioning.
 - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
 - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
 - [#1228] Allow to explicitly set non-expiring tokens in `custom_access_token_expires_in` configuration
-  option using `Float::INIFINITY` return value.
+  option using `Float::INFINITY` return value.
 - [#1224] Do not try to store token if not found by fallback hashing strategy.
 - [#1223] Update Hound/Rubocop rules, correct Doorkeeper codebase to follow style-guides.
 - [#1220] Drop Rails 4.2 & Ruby < 2.4 support.
@@ -163,6 +365,11 @@ User-visible changes worth mentioning.
 - [#1164] Fix error when `root_path` is not defined.
 - [#1162] Fix `enforce_content_type` for requests without body.
 
+## 5.0.3
+
+- [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
+  Fixes information disclosure vulnerability (CVE-2020-10187).
+
 ## 5.0.2
 
 - [#1158] Fix initializer template: change `handle_auth_errors` option
@@ -189,7 +396,7 @@ User-visible changes worth mentioning.
 - [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
   hitting the `AuthorizedApplicationController#destroy` route.
 - [#1114] Make token info endpoint's attributes consistent with token creation
-- [#1108] Simple formating of callback URLs when listing oauth applications
+- [#1108] Simple formatting of callback URLs when listing oauth applications
 - [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
   configured by developers.
 

data/README.md

@@ -1,12 +1,11 @@
 # Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app.
 
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
-[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=master)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
+[![CI](https://github.com/doorkeeper-gem/doorkeeper/actions/workflows/ci.yml/badge.svg)](https://github.com/doorkeeper-gem/doorkeeper/actions/workflows/ci.yml)
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
-[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=master)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=master)
-[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/master)
+[![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=main)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=main)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
-[![GuardRails badge](https://badges.production.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
+[![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
 
 Doorkeeper is a gem (Rails engine) that makes it easy to introduce OAuth 2 provider
@@ -14,18 +13,18 @@ functionality to your Ruby on Rails or Grape application.
 
 Supported features:
 
-- [The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)
-  - [Authorization Code Flow](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1)
-  - [Access Token Scopes](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3)
-  - [Refresh token](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5)
-  - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
-  - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
-  - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
-- [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
-- [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
-- [OAuth 2.0 Threat Model and Security Considerations](http://tools.ietf.org/html/rfc6819)
-- [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10)
-- [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
+- [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749)
+  - [Authorization Code Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1)
+  - [Access Token Scopes](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3)
+  - [Refresh token](https://datatracker.ietf.org/doc/html/rfc6749#section-1.5)
+  - [Implicit grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.2)
+  - [Resource Owner Password Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)
+  - [Client Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4)
+- [OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009)
+- [OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662)
+- [OAuth 2.0 Threat Model and Security Considerations](https://datatracker.ietf.org/doc/html/rfc6819)
+- [OAuth 2.0 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252)
+- [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636)
 
 ## Table of Contents
 
@@ -51,7 +50,7 @@ Supported features:
 
 ## Documentation
 
-This documentation is valid for `master` branch. Please check the documentation for the version of doorkeeper you are using in:
+This documentation is valid for `main` branch. Please check the documentation for the version of doorkeeper you are using in:
 https://github.com/doorkeeper-gem/doorkeeper/releases.
 
 Additionally, other resources can be found on:
@@ -106,6 +105,8 @@ Extensions that are not included by default and can be installed separately.
 | JWT Token support | [doorkeeper-gem/doorkeeper-jwt](https://github.com/doorkeeper-gem/doorkeeper-jwt) |
 | Assertion grant extension | [doorkeeper-gem/doorkeeper-grants\_assertion](https://github.com/doorkeeper-gem/doorkeeper-grants_assertion) |
 | I18n translations | [doorkeeper-gem/doorkeeper-i18n](https://github.com/doorkeeper-gem/doorkeeper-i18n) |
+| CIBA - Client Initiated Backchannel Authentication Flow extension | [doorkeeper-ciba](https://github.com/autoseg/doorkeeper-ciba) |
+| Device Authorization Grant | [doorkeeper-device_authorization_grant](https://github.com/exop-group/doorkeeper-device_authorization_grant) |
 
 ## Example Applications
 
@@ -113,7 +114,7 @@ These applications show how Doorkeeper works and how to integrate with it. Start
 
 | Application | Link |
 | :--- | :--- |
-| oAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
+| OAuth2 Server with Doorkeeper | [doorkeeper-gem/doorkeeper-provider-app](https://github.com/doorkeeper-gem/doorkeeper-provider-app) |
 | Sinatra Client connected to Provider App | [doorkeeper-gem/doorkeeper-sinatra-client](https://github.com/doorkeeper-gem/doorkeeper-sinatra-client) |
 | Devise + Omniauth Client | [doorkeeper-gem/doorkeeper-devise-client](https://github.com/doorkeeper-gem/doorkeeper-devise-client) |
 
@@ -134,6 +135,12 @@ See [list of tutorials](https://github.com/doorkeeper-gem/doorkeeper/wiki#how-to
 
 Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/doorkeeper-gem#sponsor)]
 
+<a href="https://codecademy.com/about/careers?utm_source=doorkeeper-gem" target="_blank"><img src="https://static-assets.codecademy.com/marketing/codecademy_logo_padded.png"/></a>
+
+> Codecademy supports open source as part of its mission to democratize tech. Come help us build the education the world deserves: [https://codecademy.com/about/careers](https://codecademy.com/about/careers?utm_source=doorkeeper-gem)
+
+<br>
+
 <a href="https://oauth.io/?utm_source=doorkeeper-gem" target="_blank"><img src="https://oauth.io/img/logo_text.png"/></a>
 
 > If you prefer not to deal with the gory details of OAuth 2, need dedicated customer support & consulting, try the cloud-based SaaS version: [https://oauth.io](https://oauth.io/?utm_source=doorkeeper-gem)
@@ -160,6 +167,9 @@ tests with a specific Rails version:
 BUNDLE_GEMFILE=gemfiles/rails_6_0.gemfile bundle exec rake
 ```
 
+You can also experiment with the changes using `bin/console`. It uses in-memory SQLite database and default
+Doorkeeper config, but you can reestablish connection or reconfigure the gem if you need.
+
 ## Contributing
 
 Want to contribute and don't know where to start? Check out [features we're
@@ -168,8 +178,7 @@ create [example
 apps](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications),
 integrate the gem with your app and let us know!
 
-Also, check out our [contributing guidelines
-page](https://github.com/doorkeeper-gem/doorkeeper/wiki/Contributing).
+Also, check out our [contributing guidelines page](CONTRIBUTING.md).
 
 ## Contributors
 
@@ -180,4 +189,4 @@ contributors](https://github.com/doorkeeper-gem/doorkeeper/graphs/contributors)!
 
 ## License
 
-MIT License. Copyright 2011 Applicake.
+MIT License. Created in Applicake. Maintained by the community.

data/app/controllers/doorkeeper/application_controller.rb

@@ -4,6 +4,7 @@ module Doorkeeper
   class ApplicationController <
     Doorkeeper.config.resolve_controller(:base)
     include Helpers::Controller
+    include ActionController::MimeResponds if Doorkeeper.config.api_only
 
     unless Doorkeeper.config.api_only
       protect_from_forgery with: :exception

data/app/controllers/doorkeeper/applications_controller.rb

@@ -8,7 +8,7 @@ module Doorkeeper
     before_action :set_application, only: %i[show edit update destroy]
 
     def index
-      @applications = Application.ordered_by(:created_at)
+      @applications = Doorkeeper.config.application_model.ordered_by(:created_at)
 
       respond_to do |format|
         format.html
@@ -24,11 +24,11 @@ module Doorkeeper
     end
 
     def new
-      @application = Application.new
+      @application = Doorkeeper.config.application_model.new
     end
 
     def create
-      @application = Application.new(application_params)
+      @application = Doorkeeper.config.application_model.new(application_params)
 
       if @application.save
         flash[:notice] = I18n.t(:notice, scope: %i[doorkeeper flash applications create])
@@ -84,7 +84,7 @@ module Doorkeeper
     private
 
     def set_application
-      @application = Application.find(params[:id])
+      @application = Doorkeeper.config.application_model.find(params[:id])
     end
 
     def application_params

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -13,18 +13,26 @@ module Doorkeeper
     end
 
     def create
-      redirect_or_render authorize_response
+      redirect_or_render(authorize_response)
     end
 
     def destroy
-      redirect_or_render authorization.deny
+      redirect_or_render(authorization.deny)
+    rescue Doorkeeper::Errors::InvalidTokenStrategy => e
+      error_response = get_error_response_from_exception(e)
+
+      if Doorkeeper.configuration.api_only
+        render json: error_response.body, status: :bad_request
+      else
+        render :error, locals: { error_response: error_response }
+      end
     end
 
     private
 
     def render_success
-      if skip_authorization? || matching_token?
-        redirect_or_render authorize_response
+      if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)
+        redirect_or_render(authorize_response)
       elsif Doorkeeper.configuration.api_only
         render json: pre_auth
       else
@@ -37,14 +45,16 @@ module Doorkeeper
         render json: pre_auth.error_response.body,
                status: :bad_request
       else
-        render :error
+        render :error, locals: { error_response: pre_auth.error_response }
       end
     end
 
+    # Active access token issued for the same client and resource owner with
+    # the same set of the scopes exists?
     def matching_token?
-      AccessToken.matching_token_for(
+      Doorkeeper.config.access_token_model.matching_token_for(
         pre_auth.client,
-        current_resource_owner.id,
+        current_resource_owner,
         pre_auth.scopes,
       )
     end
@@ -52,12 +62,21 @@ module Doorkeeper
     def redirect_or_render(auth)
       if auth.redirectable?
         if Doorkeeper.configuration.api_only
-          render(
-            json: { status: :redirect, redirect_uri: auth.redirect_uri },
-            status: auth.status,
-          )
+          if pre_auth.form_post_response?
+            render(
+              json: { status: :post, redirect_uri: pre_auth.redirect_uri, body: auth.body },
+              status: auth.status,
+            )
+          else
+            render(
+              json: { status: :redirect, redirect_uri: auth.redirect_uri },
+              status: auth.status,
+            )
+          end
+        elsif pre_auth.form_post_response?
+          render :form_post
         else
-          redirect_to auth.redirect_uri
+          redirect_to auth.redirect_uri, allow_other_host: true
         end
       else
         render json: auth.body, status: auth.status
@@ -65,7 +84,11 @@ module Doorkeeper
     end
 
     def pre_auth
-      @pre_auth ||= OAuth::PreAuthorization.new(Doorkeeper.configuration, pre_auth_params)
+      @pre_auth ||= OAuth::PreAuthorization.new(
+        Doorkeeper.configuration,
+        pre_auth_params,
+        current_resource_owner,
+      )
     end
 
     def pre_auth_params
@@ -73,8 +96,20 @@ module Doorkeeper
     end
 
     def pre_auth_param_fields
-      %i[client_id response_type redirect_uri scope state code_challenge
-         code_challenge_method]
+      custom_access_token_attributes + %i[
+        client_id
+        code_challenge
+        code_challenge_method
+        response_type
+        response_mode
+        redirect_uri
+        scope
+        state
+      ]
+    end
+
+    def custom_access_token_attributes
+      Doorkeeper.config.custom_access_token_attributes.map(&:to_sym)
     end
 
     def authorization
@@ -82,26 +117,35 @@ module Doorkeeper
     end
 
     def strategy
-      @strategy ||= server.authorization_request pre_auth.response_type
+      @strategy ||= server.authorization_request(pre_auth.response_type)
     end
 
     def authorize_response
       @authorize_response ||= begin
         return pre_auth.error_response unless pre_auth.authorizable?
 
-        before_successful_authorization
+        context = build_context(pre_auth: pre_auth)
+        before_successful_authorization(context)
+
         auth = strategy.authorize
-        after_successful_authorization
+
+        context = build_context(auth: auth)
+        after_successful_authorization(context)
+
         auth
       end
     end
 
-    def after_successful_authorization
-      Doorkeeper.configuration.after_successful_authorization.call(self)
+    def build_context(**attributes)
+      Doorkeeper::OAuth::Hooks::Context.new(**attributes)
+    end
+
+    def before_successful_authorization(context = nil)
+      Doorkeeper.config.before_successful_authorization.call(self, context)
     end
 
-    def before_successful_authorization
-      Doorkeeper.configuration.before_successful_authorization.call(self)
+    def after_successful_authorization(context)
+      Doorkeeper.config.after_successful_authorization.call(self, context)
     end
   end
 end

data/app/controllers/doorkeeper/authorized_applications_controller.rb

@@ -5,7 +5,7 @@ module Doorkeeper
     before_action :authenticate_resource_owner!
 
     def index
-      @applications = Application.authorized_for(current_resource_owner)
+      @applications = Doorkeeper.config.application_model.authorized_for(current_resource_owner)
 
       respond_to do |format|
         format.html
@@ -14,7 +14,7 @@ module Doorkeeper
     end
 
     def destroy
-      Application.revoke_tokens_and_grants_for(
+      Doorkeeper.config.application_model.revoke_tokens_and_grants_for(
         params[:id],
         current_resource_owner,
       )
@@ -26,7 +26,7 @@ module Doorkeeper
           )
         end
 
-        format.json { render :no_content }
+        format.json { head :no_content }
       end
     end
   end

data/app/controllers/doorkeeper/token_info_controller.rb

@@ -4,12 +4,22 @@ module Doorkeeper
   class TokenInfoController < Doorkeeper::ApplicationMetalController
     def show
       if doorkeeper_token&.accessible?
-        render json: doorkeeper_token, status: :ok
+        render json: doorkeeper_token_to_json, status: :ok
       else
         error = OAuth::InvalidTokenResponse.new
         response.headers.merge!(error.headers)
-        render json: error.body, status: error.status
+        render json: error_to_json(error), status: error.status
       end
     end
+
+    protected
+
+    def doorkeeper_token_to_json
+      doorkeeper_token
+    end
+
+    def error_to_json(error)
+      error.body
+    end
   end
 end