doorkeeper 5.5.0.rc1 → 5.5.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1099136de2b2fe0f0443f88bdbe2260ebed52efb2aab31d1d35bb7aa9f801acd
-  data.tar.gz: '09837820494b55d6bd26e2d997c203b221bc7951e74a6d1e2197122a86f0f1b2'
+  metadata.gz: 71ef97409e242e0609d9c327836e2f90f92af440c8f989047b83435f7f8b052d
+  data.tar.gz: f12a030d12ca321fbf1b0acd4534707afba6c584b77d307698943a879cd33500
 SHA512:
-  metadata.gz: 9197207fe8db140d8658aa12cd7422bfd84a001227a9f0841ebf5d92da4be531cfd7dea26aad584fff3573bc066b8fadc4e9d4e70bcc6dd5978253d94a9d66a4
-  data.tar.gz: 3b37c794027fcdbec12ef314bd6a927e111c2aed2044f3ead9f05893400e7221bf9adf98203efe7a225b395d5644326b943c144c13fb0caeccff5dff20a56ca5
+  metadata.gz: bdda34cda76caffdeaec38be0c06ba733cc15480970bd78b48267c66764a64643423d61a2adb6c1c65643d3df2061ab3d86ad82baf970676276d7b1655fb846b
+  data.tar.gz: 8218ad9ad8248192f93253940623564784f339b78594cf00c000c33f9a6a9bd06f6cc5ee9fbcc207d4af3b499712387d39756c7ef6c709e9a7afe991efdfa5af

data/CHANGELOG.md

@@ -9,6 +9,24 @@ User-visible changes worth mentioning.
 
 - [#PR ID] Add your PR description here.
 
+## 5.5.0.rc2
+
+- [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
+  
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in 
+    `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
+  
+- [#1472] Fix `establish_connection` configuration for custom defined models.
+- [#1471] Add support for Ruby 3.0.
+- [#1469] Check if `redirect_uri` exists.
+- [#1465] Memoize nil doorkeeper_token.
+- [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
+- [#1457] Make owner_id a bigint for newly-generated owner migrations
+- [#1452] Empty previous_refresh_token only if present.
+- [#1440] Validate empty host in redirect_uri.
+- [#1438] Add form post response mode.
+- [#1458] Make `config.skip_client_authentication_for_password_grant` a long term configuration option.
+
 ## 5.5.0.rc1
 
 - [#1435] Make error response not redirectable when client is unauthorized
@@ -19,12 +37,12 @@ User-visible changes worth mentioning.
 - [#1415] Ignore PKCE params for non-PKCE grants.
 - [#1418] Add ability to register custom OAuth Grant Flows.
 - [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
-  
-  **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if yoo didn't
+
+  **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if you didn't
     have it before and use client credentials in HTTP Basic auth if you previously used this grant
-    flow without client authentication. For migration purposes you could enable
-    `skip_client_authentication_for_password_grant` configuration option to `true`, but such behavior
-    (as well as configuration option) would be completely removed in a future version of Doorkeeper.
+    flow without client authentication. To opt out of this you could set the
+    `skip_client_authentication_for_password_grant` configuration option to `true`, but note that
+    this is in violation of the OAuth spec and represents a security risk.
     All the users of your provider application now need to include client credentials when they use
     this grant flow.
 
@@ -39,7 +57,7 @@ User-visible changes worth mentioning.
 
 - [#1371] Add `#as_json` method and attributes serialization restriction for Application model.
   Fixes information disclosure vulnerability (CVE-2020-10187).
-  
+
   **[IMPORTANT]** you need to re-implement `#as_json` method for Doorkeeper Application model
   if you previously used `#to_json` serialization with custom options or attributes or rely on
   JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
@@ -53,17 +71,17 @@ User-visible changes worth mentioning.
 - [#1402] Handle trying authorization with client credentials.
 
 ## 5.4.0.rc1
-- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364) 
+- [#1366] Sets expiry of token generated using `refresh_token` to that of original token. (Fixes #1364)
 - [#1354] Add `authorize_resource_owner_for_client` option to authorize the calling user to access an application.
 - [#1355] Allow to enable polymorphic Resource Owner association for Access Token & Grant
   models (`use_polymorphic_resource_owner` configuration option).
-  
+
   **[IMPORTANT]** Review your custom patches or extensions for Doorkeeper internals if you
   have such - since now Doorkeeper passes Resource Owner instance to every objects and not
   just it's ID. See PR description for details.
-  
+
 - [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.
-- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing 
+- [#1357] Fix `Doorkeeper::OAuth::PreAuthorization#as_json` method causing
   `Stack level too deep` error with AMS (fix #1312).
 - [#1358] Deprecate `active_record_options` configuration option.
 - [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
@@ -75,7 +93,7 @@ User-visible changes worth mentioning.
   **[IMPORTANT]** now fully according to RFC 7009 nobody can do a revocation request without `client_id`
   (for public clients) and `client_secret` (for private clients). Please update your apps to include that
   info in the revocation request payload.
-  
+
 - [#1373] Make Doorkeeper routes mapper reusable in extensions.
 - [#1374] Revoke and issue client credentials token in a transaction with a row lock.
 - [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.
@@ -120,9 +138,9 @@ User-visible changes worth mentioning.
 
 - [#1371] Backport: add `#as_json` method and attributes serialization restriction for Application model.
   Fixes information disclosure vulnerability (CVE-2020-10187).
-  
+
 ## 5.2.4
-  
+
 - [#1360] Backport: Increase `matching_token_for` batch lookup size to 10 000 and make it configurable.
 
 ## 5.2.3

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -52,10 +52,19 @@ module Doorkeeper
     def redirect_or_render(auth)
       if auth.redirectable?
         if Doorkeeper.configuration.api_only
-          render(
-            json: { status: :redirect, redirect_uri: auth.redirect_uri },
-            status: auth.status,
-          )
+          if pre_auth.form_post_response?
+            render(
+              json: { status: :post, redirect_uri: pre_auth.redirect_uri, body: auth.body },
+              status: auth.status,
+            )
+          else
+            render(
+              json: { status: :redirect, redirect_uri: auth.redirect_uri },
+              status: auth.status,
+            )
+          end
+        elsif pre_auth.form_post_response?
+          render :form_post
         else
           redirect_to auth.redirect_uri
         end
@@ -82,6 +91,7 @@ module Doorkeeper
         code_challenge
         code_challenge_method
         response_type
+        response_mode
         redirect_uri
         scope
         state

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -2,6 +2,8 @@
 
 module Doorkeeper
   class TokensController < Doorkeeper::ApplicationMetalController
+    before_action :validate_presence_of_client, only: [:revoke]
+
     def create
       headers.merge!(authorize_response.headers)
       render json: authorize_response.body,
@@ -12,32 +14,6 @@ module Doorkeeper
 
     # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
     def revoke
-      # @see 2.1.  Revocation Request
-      #
-      #  The client constructs the request by including the following
-      #  parameters using the "application/x-www-form-urlencoded" format in
-      #  the HTTP request entity-body:
-      #     token   REQUIRED.
-      #     token_type_hint  OPTIONAL.
-      #
-      #  The client also includes its authentication credentials as described
-      #  in Section 2.3. of [RFC6749].
-      #
-      #  The authorization server first validates the client credentials (in
-      #  case of a confidential client) and then verifies whether the token
-      #  was issued to the client making the revocation request.
-      unless server.client
-        # If this validation [client credentials / token ownership] fails, the request is
-        # refused and the  client is informed of the error by the authorization server as
-        # described below.
-        #
-        # @see 2.2.1.  Error Response
-        #
-        # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
-        render json: revocation_error_response, status: :forbidden
-        return
-      end
-
       # The authorization server responds with HTTP status code 200 if the client
       # submitted an invalid token or the token has been revoked successfully.
       if token.blank?
@@ -68,6 +44,35 @@ module Doorkeeper
 
     private
 
+    def validate_presence_of_client
+      return if Doorkeeper.config.skip_client_authentication_for_password_grant
+
+      # @see 2.1.  Revocation Request
+      #
+      #  The client constructs the request by including the following
+      #  parameters using the "application/x-www-form-urlencoded" format in
+      #  the HTTP request entity-body:
+      #     token   REQUIRED.
+      #     token_type_hint  OPTIONAL.
+      #
+      #  The client also includes its authentication credentials as described
+      #  in Section 2.3. of [RFC6749].
+      #
+      #  The authorization server first validates the client credentials (in
+      #  case of a confidential client) and then verifies whether the token
+      #  was issued to the client making the revocation request.
+      return if server.client
+
+      # If this validation [client credentials / token ownership] fails, the request is
+      # refused and the  client is informed of the error by the authorization server as
+      # described below.
+      #
+      # @see 2.2.1.  Error Response
+      #
+      # The error presentation conforms to the definition in Section 5.2 of [RFC6749].
+      render json: revocation_error_response, status: :forbidden
+    end
+
     # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
     #
     # RFC7009

data/app/views/doorkeeper/applications/show.html.erb

@@ -35,18 +35,22 @@
 
     <h4><%= t('.callback_urls') %>:</h4>
 
-    <table>
-      <% @application.redirect_uri.split.each do |uri| %>
-        <tr>
-          <td>
-            <code class="bg-light"><%= uri %></code>
-          </td>
-          <td>
-            <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>
-          </td>
-        </tr>
-      <% end %>
-    </table>
+    <% if @application.redirect_uri.present? %>
+      <table>
+        <% @application.redirect_uri.split.each do |uri| %>
+          <tr>
+            <td>
+              <code class="bg-light"><%= uri %></code>
+            </td>
+            <td>
+              <%= link_to t('doorkeeper.applications.buttons.authorize'), oauth_authorization_path(client_id: @application.uid, redirect_uri: uri, response_type: 'code', scope: @application.scopes), class: 'btn btn-success', target: '_blank' %>
+            </td>
+          </tr>
+        <% end %>
+      </table>
+    <% else %>
+      <span class="bg-light font-italic text-uppercase text-muted"><%= t('.not_defined') %></span>
+    <% end %>
   </div>
 
   <div class="col-md-4">

data/app/views/doorkeeper/authorizations/form_post.html.erb

@@ -0,0 +1,11 @@
+<header class="page-header">
+  <h1><%= t('.title') %></h1>
+</header>
+
+<main role="main" onload="document.forms[0].submit()">
+  <%= form_tag @pre_auth.redirect_uri, method: :post do %>
+    <% @authorize_response.body.each do |key, value| %>
+      <%= hidden_field_tag key, value %>
+    <% end %>
+  <% end %>
+</main>

data/config/locales/en.yml

@@ -72,6 +72,8 @@ en:
         able_to: 'This application will be able to'
       show:
         title: 'Authorization code'
+      form_post:
+        title: 'Submit this form'
 
     authorized_applications:
       confirmations:
@@ -109,6 +111,7 @@ en:
 
         # Access grant errors
         unsupported_response_type: 'The authorization server does not support this response type.'
+        unsupported_response_mode: 'The authorization server does not support this response mode.'
 
         # Access token errors
         invalid_client: 'Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.'

data/lib/doorkeeper.rb

@@ -115,4 +115,8 @@ module Doorkeeper
   def self.authenticate(request, methods = Doorkeeper.config.access_token_methods)
     OAuth::Token.authenticate(request, *methods)
   end
+
+  def self.gem_version
+    ::Gem::Version.new(::Doorkeeper::VERSION::STRING)
+  end
 end

data/lib/doorkeeper/config.rb

@@ -29,6 +29,8 @@ module Doorkeeper
       @config
     end
 
+    # @return [Doorkeeper::Config] configuration instance
+    #
     def configuration
       @config || (raise MissingConfiguration)
     end
@@ -276,10 +278,16 @@ module Doorkeeper
     # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
     option :token_reuse_limit,              default: 100
 
-    # [NOTE]: will be removed in a future version of Doorkeeper
+    # This is discouraged. Spec says that password grants always require a client.
+    #
+    # See https://github.com/doorkeeper-gem/doorkeeper/issues/1412#issuecomment-632750422
+    # and https://github.com/doorkeeper-gem/doorkeeper/pull/1420
+    #
+    # Since many applications use this unsafe behavior in the wild, this is kept as a
+    # not-recommended option. You should be aware that you are not following the OAuth
+    # spec, and understand the security implications of doing so.
     option :skip_client_authentication_for_password_grant,
-           default: false,
-           deprecated: { message: "OAuth RFC requires client authentication so you need at least to create one" }
+           default: false
 
     option :active_record_options,
            default: {},

data/lib/doorkeeper/grant_flow.rb

@@ -11,12 +11,14 @@ module Doorkeeper
     register(
       :implicit,
       response_type_matches: "token",
+      response_mode_matches: %w[fragment form_post],
       response_type_strategy: Doorkeeper::Request::Token,
     )
 
     register(
       :authorization_code,
       response_type_matches: "code",
+      response_mode_matches: %w[query fragment form_post],
       response_type_strategy: Doorkeeper::Request::Code,
       grant_type_matches: "authorization_code",
       grant_type_strategy: Doorkeeper::Request::AuthorizationCode,

data/lib/doorkeeper/grant_flow/flow.rb

@@ -4,7 +4,8 @@ module Doorkeeper
   module GrantFlow
     class Flow
       attr_reader :name, :grant_type_matches, :grant_type_strategy,
-                  :response_type_matches, :response_type_strategy
+                  :response_type_matches, :response_type_strategy,
+                  :response_mode_matches
 
       def initialize(name, **options)
         @name = name
@@ -12,6 +13,7 @@ module Doorkeeper
         @grant_type_strategy = options[:grant_type_strategy]
         @response_type_matches = options[:response_type_matches]
         @response_type_strategy = options[:response_type_strategy]
+        @response_mode_matches = options[:response_mode_matches]
       end
 
       def handles_grant_type?
@@ -29,6 +31,14 @@ module Doorkeeper
       def matches_response_type?(value)
         response_type_matches === value
       end
+
+      def default_response_mode
+        response_mode_matches[0]
+      end
+
+      def matches_response_mode?(value)
+        response_mode_matches.include?(value)
+      end
     end
   end
 end

data/lib/doorkeeper/helpers/controller.rb

@@ -38,6 +38,8 @@ module Doorkeeper
 
       # :doc:
       def doorkeeper_token
+        return @doorkeeper_token if defined?(@doorkeeper_token)
+
         @doorkeeper_token ||= OAuth::Token.authenticate(request, *config_methods)
       end
 

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -89,8 +89,7 @@ module Doorkeeper
       # suitable for PKCE validation
       #
       def generate_code_challenge(code_verifier)
-        padded_result = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier))
-        padded_result.split("=")[0] # Remove any trailing '='
+        Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
       end
 
       def pkce_supported?

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -377,7 +377,7 @@ module Doorkeeper
       return unless self.class.refresh_token_revoked_on_use?
 
       old_refresh_token&.revoke
-      update_attribute(:previous_refresh_token, "")
+      update_attribute(:previous_refresh_token, "") if previous_refresh_token.present?
     end
 
     private

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -21,6 +21,10 @@ module Doorkeeper
           { action: :show, code: token.plaintext_token }
         end
 
+        def access_grant?
+          true
+        end
+
         private
 
         def authorization_code_expires_in

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -76,6 +76,10 @@ module Doorkeeper
           }
         end
 
+        def access_token?
+          true
+        end
+
         private
 
         def controller

data/lib/doorkeeper/oauth/code_response.rb

@@ -21,35 +21,31 @@ module Doorkeeper
         auth.token
       end
 
+      def body
+        if auth.try(:access_token?)
+          {
+            access_token: auth.token.plaintext_token,
+            token_type: auth.token.token_type,
+            expires_in: auth.token.expires_in_seconds,
+            state: pre_auth.state,
+          }
+        elsif auth.try(:access_grant?)
+          {
+            code: auth.token.plaintext_token,
+            state: pre_auth.state,
+          }
+        end
+      end
+
       def redirect_uri
         if URIChecker.oob_uri?(pre_auth.redirect_uri)
           auth.oob_redirect
         elsif response_on_fragment
-          uri_with_fragment
+          Authorization::URIBuilder.uri_with_fragment(pre_auth.redirect_uri, body)
         else
-          uri_with_query
+          Authorization::URIBuilder.uri_with_query(pre_auth.redirect_uri, body)
         end
       end
-
-      private
-
-      def uri_with_fragment
-        Authorization::URIBuilder.uri_with_fragment(
-          pre_auth.redirect_uri,
-          access_token: auth.token.plaintext_token,
-          token_type: auth.token.token_type,
-          expires_in: auth.token.expires_in_seconds,
-          state: pre_auth.state,
-        )
-      end
-
-      def uri_with_query
-        Authorization::URIBuilder.uri_with_query(
-          pre_auth.redirect_uri,
-          code: auth.token.plaintext_token,
-          state: pre_auth.state,
-        )
-      end
     end
   end
 end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -12,16 +12,19 @@ module Doorkeeper
       validate :redirect_uri, error: :invalid_redirect_uri
       validate :params, error: :invalid_request
       validate :response_type, error: :unsupported_response_type
+      validate :response_mode, error: :unsupported_response_mode
       validate :scopes, error: :invalid_scope
       validate :code_challenge_method, error: :invalid_code_challenge_method
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
-                  :redirect_uri, :resource_owner, :response_type, :state
+                  :redirect_uri, :resource_owner, :response_type, :state,
+                  :authorization_response_flow, :response_mode
 
       def initialize(server, parameters = {}, resource_owner = nil)
         @server                = server
         @client_id             = parameters[:client_id]
         @response_type         = parameters[:response_type]
+        @response_mode         = parameters[:response_mode]
         @redirect_uri          = parameters[:redirect_uri]
         @scope                 = parameters[:scope]
         @state                 = parameters[:state]
@@ -57,6 +60,10 @@ module Doorkeeper
         pre_auth_hash
       end
 
+      def form_post_response?
+        response_mode == "form_post"
+      end
+
       private
 
       attr_reader :client_id, :server
@@ -110,10 +117,22 @@ module Doorkeeper
 
       def validate_response_type
         server.authorization_response_flows.any? do |flow|
-          flow.matches_response_type?(response_type)
+          if flow.matches_response_type?(response_type)
+            @authorization_response_flow = flow
+            true
+          end
         end
       end
 
+      def validate_response_mode
+        if response_mode.blank?
+          @response_mode = authorization_response_flow.default_response_mode
+          return true
+        end
+
+        authorization_response_flow.matches_response_mode?(response_mode)
+      end
+
       def validate_scopes
         Helpers::ScopeChecker.valid?(
           scope_str: scope,
@@ -131,7 +150,9 @@ module Doorkeeper
       end
 
       def response_on_fragment?
-        response_type == "token"
+        return response_type == "token" if response_mode.nil?
+
+        response_mode == "fragment"
       end
 
       def grant_type

data/lib/doorkeeper/orm/active_record.rb

@@ -20,9 +20,8 @@ module Doorkeeper
           require "doorkeeper/orm/active_record/access_token"
           require "doorkeeper/orm/active_record/application"
 
-          if Doorkeeper.config.active_record_options[:establish_connection]
+          if (options = Doorkeeper.config.active_record_options[:establish_connection])
             Doorkeeper::Orm::ActiveRecord.models.each do |model|
-              options = Doorkeeper.config.active_record_options[:establish_connection]
               model.establish_connection(options)
             end
           end
@@ -51,9 +50,9 @@ module Doorkeeper
 
       def self.models
         [
-          Doorkeeper::AccessGrant,
-          Doorkeeper::AccessToken,
-          Doorkeeper::Application,
+          Doorkeeper.config.access_grant_model,
+          Doorkeeper.config.access_token_model,
+          Doorkeeper.config.application_model,
         ]
       end
     end

data/lib/doorkeeper/orm/active_record/mixins/application.rb

@@ -137,9 +137,9 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         only = Array.wrap(opts[:only]).map(&:to_s)
 
         only = if only.blank?
-                 serializable_attributes
+                 client_serializable_attributes
                else
-                 only & serializable_attributes
+                 only & client_serializable_attributes
                end
 
         only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
@@ -150,7 +150,10 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
       # Override this method if you need additional attributes to be serialized.
       #
       # @return [Array<String>] collection of serializable attributes
-      def serializable_attributes
+      #
+      # NOTE: `serializable_attributes` method already taken by Rails >= 6
+      #
+      def client_serializable_attributes
         attributes = %w[id name created_at]
         attributes << "uid" unless confidential?
         attributes

data/lib/doorkeeper/orm/active_record/redirect_uri_validator.rb

@@ -21,6 +21,7 @@ module Doorkeeper
           record.errors.add(attribute, :unspecified_scheme) if unspecified_scheme?(uri)
           record.errors.add(attribute, :relative_uri) if relative_uri?(uri)
           record.errors.add(attribute, :secured_uri) if invalid_ssl_uri?(uri)
+          record.errors.add(attribute, :invalid_uri) if unspecified_host?(uri)
         end
       end
     rescue URI::InvalidURIError
@@ -43,6 +44,10 @@ module Doorkeeper
       %w[localhost].include?(uri.try(:scheme))
     end
 
+    def unspecified_host?(uri)
+      uri.is_a?(URI::HTTP) && uri.host.nil?
+    end
+
     def relative_uri?(uri)
       uri.scheme.nil? && uri.host.nil?
     end

data/lib/doorkeeper/rails/routes.rb

@@ -29,8 +29,6 @@ module Doorkeeper
 
       def initialize(routes, mapper = Mapper.new, &block)
         super
-
-        @mapping.skips.push(:applications, :authorized_applications) if Doorkeeper.config.api_only
       end
 
       def generate_routes!(options)

data/lib/doorkeeper/version.rb

@@ -1,16 +1,12 @@
 # frozen_string_literal: true
 
 module Doorkeeper
-  def self.gem_version
-    Gem::Version.new VERSION::STRING
-  end
-
   module VERSION
     # Semantic versioning
     MAJOR = 5
     MINOR = 5
     TINY = 0
-    PRE = "rc1"
+    PRE = "rc2"
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/generators/doorkeeper/templates/add_owner_to_application_migration.rb.erb

@@ -2,7 +2,7 @@
 
 class AddOwnerToApplication < ActiveRecord::Migration<%= migration_version %>
   def change
-    add_column :oauth_applications, :owner_id, :integer, null: true
+    add_column :oauth_applications, :owner_id, :bigint, null: true
     add_column :oauth_applications, :owner_type, :string, null: true
     add_index :oauth_applications, [:owner_id, :owner_type]
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.5.0.rc1
+  version: 5.5.0.rc2
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-04 00:00:00.000000000 Z
+date: 2021-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -194,6 +194,7 @@ files:
 - app/views/doorkeeper/applications/new.html.erb
 - app/views/doorkeeper/applications/show.html.erb
 - app/views/doorkeeper/authorizations/error.html.erb
+- app/views/doorkeeper/authorizations/form_post.html.erb
 - app/views/doorkeeper/authorizations/new.html.erb
 - app/views/doorkeeper/authorizations/show.html.erb
 - app/views/doorkeeper/authorized_applications/_delete_form.html.erb
@@ -321,7 +322,14 @@ metadata:
   source_code_uri: https://github.com/doorkeeper-gem/doorkeeper
   bug_tracker_uri: https://github.com/doorkeeper-gem/doorkeeper/issues
   documentation_uri: https://doorkeeper.gitbook.io/guides/
-post_install_message: 
+post_install_message: "Starting from 5.5.0.rc1 Doorkeeper requires client authentication
+  for Resource Owner Password Grant\nas stated in the OAuth RFC. You have to create
+  a new OAuth client (Doorkeeper::Application) if you didn't\nhave it before and use
+  client credentials in HTTP Basic auth if you previously used this grant flow without\nclient
+  authentication. \n\nTo opt out of this you could set the \"skip_client_authentication_for_password_grant\"
+  configuration option\nto \"true\", but note that this is in violation of the OAuth
+  spec and represents a security risk.\n\nRead https://github.com/doorkeeper-gem/doorkeeper/issues/561#issuecomment-612857163
+  for more details."
 rdoc_options: []
 require_paths:
 - lib
@@ -336,7 +344,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: OAuth 2 provider for Rails and Grape