doorkeeper 5.5.2 → 5.6.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9b8f700b4b7e5e40df07c8679ec477db21fe96ed05d70a5e6cb50c62cac886c2
-  data.tar.gz: cc34f22bd2800620f9b901a0025f569a0299a1105a7350ba95b62b34b7f5cdad
+  metadata.gz: b62a0472a97d06b40362817c9d5c0dd7dd6e0d0e600437a19f5cf2fd18c4be46
+  data.tar.gz: 9850cef14c21a1f0df2fb451a485ab5b8066360a3008124f7aed287409364e36
 SHA512:
-  metadata.gz: 27d0ae20071180742cb735351165d808d8d3a6f0571ce12fc741f572fb9f69c789d760c299fa5a31814790611474e3eed12fb2a8ab4902151c21a847855fa8d3
-  data.tar.gz: 64e39c64aa61cf27ee0418be14880b9bb1ce23159a6ee61af4d32b1a187ddcb32f70402799bb9f673a1d3a1efe1abd2e9b940564d05e161a7aee737497af1d54
+  metadata.gz: de0c7021c4735b26249e5b267db11ede06f55b23d8f9bd51641d1cf3eee3812e14a2deec986e8aa6ee81de98097083fdb634a441fd4928cb47286fa977ba5d96
+  data.tar.gz: 3865639c837771ceeafceec8a110e506f88fef45c61f7274782c637e794f9185be18ee98270852bac6fecb0fc90e4893dfed08d715c761507e87396e5a559bc2

data/CHANGELOG.md

@@ -7,19 +7,87 @@ User-visible changes worth mentioning.
 
 ## main
 
-- [#PR ID] Add your PR description here.
+- [#ID] Add your PR description here.
+
+## 5.6.6
+
+- [#1644] Update HTTP headers.
+- [#1646] Block public clients automatic authorization skip.
+- [#1648] Add custom token attributes to Refresh Token Request.
+- [#1649] Fixed custom_access_token_attributes related errors.
+
+# 5.6.5
+
+- [#1602] Allow custom data to be stored inside access grants/tokens.
+- [#1634] Code refactoring for custom token attributes.
+- [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.
+
+# 5.6.4
+
+- [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.
+
+# 5.6.3
+
+- [#1622] Drop support for Rubies 2.5 and 2.6
+- [#1605] Fix URI validation for Ruby 3.2+.
+- [#1625] Exclude endless access tokens from `StaleRecordsCleaner`.
+- [#1626] Remove deprecated `active_record_options` config option.
+- [#1631] Fix regression with redirect behavior after token lookup optimizations (redirect to app URI when found).
+- [#1630] Special case unique index creation for refresh_token on SQL Server.
+- [#1627] Lazy evaluate Doorkeeper config when loading files and executing initializers.
+
+## 5.6.2
+
+- [#1604] Fix fetching of the application when custom application_class defined.
+
+## 5.6.1
+
+- [#1593] Add support for Trilogy ActiveRecord adapter.
+- [#1597] Add optional support to use the url path for the native authorization code flow. Ports forward [#1143] from 4.4.3
+- [#1599] Remove unnecessarily re-fetch of application object when creating an access token.
+
+## 5.6.0
+
+- [#1581] Consider `token_type_hint` when searching for access token in TokensController to avoid extra database calls.
+
+## 5.6.0.rc2
+
+- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
+  application scopes when using client credentials.
+- [#1567] Only filter `code` parameter if authorization_code grant flow is enabled.
+
+## 5.6.0.rc1
+
+- [#1551] Change lazy loading for ORM to be Ruby standard autoload.
+- [#1552] Remove duplicate IDs on Auth form to improve accessibility.
+- [#1542] Improve performance of `Doorkeeper::AccessToken#matching_token_for` using database specific SQL time math.
+
+  **[IMPORTANT]**: API of the `Doorkeeper::AccessToken#matching_token_for` method has changed and now it returns
+  only **active** access tokens (previously they were just not revoked). Please remember that the idea of the
+  `reuse_access_token` option is to check for existing _active_ token (see configuration option description).
+
+## 5.5.4
+
+- [#1535] Revert changes introduced in #1528 to allow query params in `redirect_uri` as per the spec.
+
+## 5.5.3
+
+- [#1528] Don't allow extra query params in redirect_uri.
+- [#1525] I18n source for forbidden token error is now `doorkeeper.errors.messages.forbidden_token.missing_scope`.
+- [#1531] Disable `strict-loading` for Doorkeeper models by default.
+- [#1532] Add support for Rails 7.
 
 ## 5.5.2
 
 - [#1502] Drop support for Ruby 2.4 because of EOL.
 - [#1504] Updated the url fragment in the comment for code documentation.
 - [#1512] Fix form behavior when response mode is form_post.
-- [#1511] Fix that authorization code is returned by fragment if response_mode is fragament.
+- [#1511] Fix that authorization code is returned by fragment if response_mode is fragment.
 
 ## 5.5.1
 
 - [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
-- [#1495] Fix `respond_to` undefined in API-only mode 
+- [#1495] Fix `respond_to` undefined in API-only mode
 - [#1488] Verify client authentication for Resource Owner Password Grant when
   `config.skip_client_authentication_for_password_grant` is set and the client credentials
   are sent in a HTTP Basic auth header.
@@ -33,10 +101,10 @@ User-visible changes worth mentioning.
 ## 5.5.0.rc2
 
 - [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
-  
-  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in 
+
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
     `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
-  
+
 - [#1472] Fix `establish_connection` configuration for custom defined models.
 - [#1471] Add support for Ruby 3.0.
 - [#1469] Check if `redirect_uri` exists.
@@ -243,7 +311,7 @@ User-visible changes worth mentioning.
 - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
 - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
 - [#1228] Allow to explicitly set non-expiring tokens in `custom_access_token_expires_in` configuration
-  option using `Float::INIFINITY` return value.
+  option using `Float::INFINITY` return value.
 - [#1224] Do not try to store token if not found by fallback hashing strategy.
 - [#1223] Update Hound/Rubocop rules, correct Doorkeeper codebase to follow style-guides.
 - [#1220] Drop Rails 4.2 & Ruby < 2.4 support.
@@ -328,7 +396,7 @@ User-visible changes worth mentioning.
 - [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
   hitting the `AuthorizedApplicationController#destroy` route.
 - [#1114] Make token info endpoint's attributes consistent with token creation
-- [#1108] Simple formating of callback URLs when listing oauth applications
+- [#1108] Simple formatting of callback URLs when listing oauth applications
 - [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
   configured by developers.
 

data/README.md

@@ -1,10 +1,9 @@
 # Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app.
 
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
-[![Build Status](https://travis-ci.org/doorkeeper-gem/doorkeeper.svg?branch=main)](https://travis-ci.org/doorkeeper-gem/doorkeeper)
+[![CI](https://github.com/doorkeeper-gem/doorkeeper/actions/workflows/ci.yml/badge.svg)](https://github.com/doorkeeper-gem/doorkeeper/actions/workflows/ci.yml)
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
 [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=main)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=main)
-[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
 [![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
@@ -14,18 +13,18 @@ functionality to your Ruby on Rails or Grape application.
 
 Supported features:
 
-- [The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)
-  - [Authorization Code Flow](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1)
-  - [Access Token Scopes](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3)
-  - [Refresh token](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5)
-  - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
-  - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
-  - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
-- [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
-- [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
-- [OAuth 2.0 Threat Model and Security Considerations](http://tools.ietf.org/html/rfc6819)
-- [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10)
-- [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
+- [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749)
+  - [Authorization Code Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1)
+  - [Access Token Scopes](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3)
+  - [Refresh token](https://datatracker.ietf.org/doc/html/rfc6749#section-1.5)
+  - [Implicit grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.2)
+  - [Resource Owner Password Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)
+  - [Client Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4)
+- [OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009)
+- [OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662)
+- [OAuth 2.0 Threat Model and Security Considerations](https://datatracker.ietf.org/doc/html/rfc6819)
+- [OAuth 2.0 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252)
+- [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636)
 
 ## Table of Contents
 
@@ -106,6 +105,8 @@ Extensions that are not included by default and can be installed separately.
 | JWT Token support | [doorkeeper-gem/doorkeeper-jwt](https://github.com/doorkeeper-gem/doorkeeper-jwt) |
 | Assertion grant extension | [doorkeeper-gem/doorkeeper-grants\_assertion](https://github.com/doorkeeper-gem/doorkeeper-grants_assertion) |
 | I18n translations | [doorkeeper-gem/doorkeeper-i18n](https://github.com/doorkeeper-gem/doorkeeper-i18n) |
+| CIBA - Client Initiated Backchannel Authentication Flow extension | [doorkeeper-ciba](https://github.com/autoseg/doorkeeper-ciba) |
+| Device Authorization Grant | [doorkeeper-device_authorization_grant](https://github.com/exop-group/doorkeeper-device_authorization_grant) |
 
 ## Example Applications
 
@@ -188,4 +189,4 @@ contributors](https://github.com/doorkeeper-gem/doorkeeper/graphs/contributors)!
 
 ## License
 
-MIT License. Copyright 2011 Applicake.
+MIT License. Created in Applicake. Maintained by the community.

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -13,18 +13,26 @@ module Doorkeeper
     end
 
     def create
-      redirect_or_render authorize_response
+      redirect_or_render(authorize_response)
     end
 
     def destroy
-      redirect_or_render authorization.deny
+      redirect_or_render(authorization.deny)
+    rescue Doorkeeper::Errors::InvalidTokenStrategy => e
+      error_response = get_error_response_from_exception(e)
+
+      if Doorkeeper.configuration.api_only
+        render json: error_response.body, status: :bad_request
+      else
+        render :error, locals: { error_response: error_response }
+      end
     end
 
     private
 
     def render_success
-      if skip_authorization? || matching_token?
-        redirect_or_render authorize_response
+      if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)
+        redirect_or_render(authorize_response)
       elsif Doorkeeper.configuration.api_only
         render json: pre_auth
       else
@@ -37,10 +45,12 @@ module Doorkeeper
         render json: pre_auth.error_response.body,
                status: :bad_request
       else
-        render :error
+        render :error, locals: { error_response: pre_auth.error_response }
       end
     end
 
+    # Active access token issued for the same client and resource owner with
+    # the same set of the scopes exists?
     def matching_token?
       Doorkeeper.config.access_token_model.matching_token_for(
         pre_auth.client,
@@ -66,7 +76,7 @@ module Doorkeeper
         elsif pre_auth.form_post_response?
           render :form_post
         else
-          redirect_to auth.redirect_uri
+          redirect_to auth.redirect_uri, allow_other_host: true
         end
       else
         render json: auth.body, status: auth.status
@@ -86,7 +96,7 @@ module Doorkeeper
     end
 
     def pre_auth_param_fields
-      %i[
+      custom_access_token_attributes + %i[
         client_id
         code_challenge
         code_challenge_method
@@ -98,6 +108,10 @@ module Doorkeeper
       ]
     end
 
+    def custom_access_token_attributes
+      Doorkeeper.config.custom_access_token_attributes.map(&:to_sym)
+    end
+
     def authorization
       @authorization ||= strategy.request
     end

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -12,7 +12,7 @@ module Doorkeeper
       handle_token_exception(e)
     end
 
-    # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
+    # OAuth 2.0 Token Revocation - https://datatracker.ietf.org/doc/html/rfc7009
     def revoke
       # The authorization server responds with HTTP status code 200 if the client
       # submitted an invalid token or the token has been revoked successfully.
@@ -30,6 +30,7 @@ module Doorkeeper
       end
     end
 
+    # OAuth 2.0 Token Introspection - https://datatracker.ietf.org/doc/html/rfc7662
     def introspect
       introspection = OAuth::TokenIntrospection.new(server, token)
 
@@ -94,8 +95,8 @@ module Doorkeeper
     # types, they set the application_id as null (since the claim cannot be
     # verified).
     #
-    # https://tools.ietf.org/html/rfc6749#section-2.1
-    # https://tools.ietf.org/html/rfc7009
+    # https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
+    # https://datatracker.ietf.org/doc/html/rfc7009
     def authorized?
       # Token belongs to specific client, so we need to check if
       # authenticated client could access it.
@@ -115,12 +116,14 @@ module Doorkeeper
       token.revoke if token&.accessible?
     end
 
-    # Doorkeeper does not use the token_type_hint logic described in the
-    # RFC 7009 due to the refresh token implementation that is a field in
-    # the access token model.
     def token
-      @token ||= Doorkeeper.config.access_token_model.by_token(params["token"]) ||
-                 Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+      @token ||=
+        if params[:token_type_hint] == "refresh_token"
+          Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+        else
+          Doorkeeper.config.access_token_model.by_token(params["token"]) ||
+            Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+        end
     end
 
     def strategy

data/app/helpers/doorkeeper/dashboard_helper.rb

@@ -6,7 +6,7 @@ module Doorkeeper
       return if object.errors[method].blank?
 
       output = object.errors[method].map do |msg|
-        content_tag(:span, class: "form-text") do
+        content_tag(:span, class: "invalid-feedback") do
           msg.capitalize
         end
       end

data/app/views/doorkeeper/authorizations/error.html.erb

@@ -3,5 +3,7 @@
 </div>
 
 <main role="main">
-  <pre><%= @pre_auth.error_response.body[:error_description] %></pre>
+  <pre>
+    <%= (respond_to?(:error_response) ? error_response : @pre_auth.error_response).body[:error_description] %>
+  </pre>
 </main>

data/app/views/doorkeeper/authorizations/new.html.erb

@@ -21,25 +21,25 @@
 
   <div class="actions">
     <%= form_tag oauth_authorization_path, method: :post do %>
-      <%= hidden_field_tag :client_id, @pre_auth.client.uid %>
-      <%= hidden_field_tag :redirect_uri, @pre_auth.redirect_uri %>
-      <%= hidden_field_tag :state, @pre_auth.state %>
-      <%= hidden_field_tag :response_type, @pre_auth.response_type %>
-      <%= hidden_field_tag :response_mode, @pre_auth.response_mode %>
-      <%= hidden_field_tag :scope, @pre_auth.scope %>
-      <%= hidden_field_tag :code_challenge, @pre_auth.code_challenge %>
-      <%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method %>
+      <%= hidden_field_tag :client_id, @pre_auth.client.uid, id: nil %>
+      <%= hidden_field_tag :redirect_uri, @pre_auth.redirect_uri, id: nil %>
+      <%= hidden_field_tag :state, @pre_auth.state, id: nil %>
+      <%= hidden_field_tag :response_type, @pre_auth.response_type, id: nil %>
+      <%= hidden_field_tag :response_mode, @pre_auth.response_mode, id: nil %>
+      <%= hidden_field_tag :scope, @pre_auth.scope, id: nil %>
+      <%= hidden_field_tag :code_challenge, @pre_auth.code_challenge, id: nil %>
+      <%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method, id: nil %>
       <%= submit_tag t('doorkeeper.authorizations.buttons.authorize'), class: "btn btn-success btn-lg btn-block" %>
     <% end %>
     <%= form_tag oauth_authorization_path, method: :delete do %>
-      <%= hidden_field_tag :client_id, @pre_auth.client.uid %>
-      <%= hidden_field_tag :redirect_uri, @pre_auth.redirect_uri %>
-      <%= hidden_field_tag :state, @pre_auth.state %>
-      <%= hidden_field_tag :response_type, @pre_auth.response_type %>
-      <%= hidden_field_tag :response_mode, @pre_auth.response_mode %>
-      <%= hidden_field_tag :scope, @pre_auth.scope %>
-      <%= hidden_field_tag :code_challenge, @pre_auth.code_challenge %>
-      <%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method %>
+      <%= hidden_field_tag :client_id, @pre_auth.client.uid, id: nil %>
+      <%= hidden_field_tag :redirect_uri, @pre_auth.redirect_uri, id: nil %>
+      <%= hidden_field_tag :state, @pre_auth.state, id: nil %>
+      <%= hidden_field_tag :response_type, @pre_auth.response_type, id: nil %>
+      <%= hidden_field_tag :response_mode, @pre_auth.response_mode, id: nil %>
+      <%= hidden_field_tag :scope, @pre_auth.scope, id: nil %>
+      <%= hidden_field_tag :code_challenge, @pre_auth.code_challenge, id: nil %>
+      <%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method, id: nil %>
       <%= submit_tag t('doorkeeper.authorizations.buttons.deny'), class: "btn btn-danger btn-lg btn-block" %>
     <% end %>
   </div>

data/config/locales/en.yml

@@ -125,6 +125,9 @@ en:
         revoke:
           unauthorized: "You are not authorized to revoke this token"
 
+        forbidden_token:
+          missing_scope: 'Access to this resource requires scope "%{oauth_scopes}".'
+
     flash:
       applications:
         create:

data/lib/doorkeeper/config/abstract_builder.rb

@@ -12,7 +12,7 @@ module Doorkeeper
       #
       def initialize(config = Config.new, &block)
         @config = config
-        instance_eval(&block)
+        instance_eval(&block) if block_given?
       end
 
       # Builds and validates configuration.

data/lib/doorkeeper/config/validations.rb

@@ -24,8 +24,8 @@ module Doorkeeper
         return if !reuse_access_token || strategy.allows_restoring_secrets?
 
         ::Rails.logger.warn(
-          "You have configured both reuse_access_token " \
-          "AND strategy strategy '#{strategy}' that cannot restore tokens. " \
+          "[DOORKEEPER] You have configured both reuse_access_token " \
+          "AND '#{strategy}' strategy which cannot restore tokens. " \
           "This combination is unsupported. reuse_access_token will be disabled",
         )
         @reuse_access_token = false
@@ -43,7 +43,7 @@ module Doorkeeper
                   (token_reuse_limit > 0 && token_reuse_limit <= 100)
 
         ::Rails.logger.warn(
-          "You have configured an invalid value for token_reuse_limit option. " \
+          "[DOORKEEPER] You have configured an invalid value for token_reuse_limit option. " \
           "It will be set to default 100",
         )
         @token_reuse_limit = 100

data/lib/doorkeeper/config.rb

@@ -5,59 +5,11 @@ require "doorkeeper/config/option"
 require "doorkeeper/config/validations"
 
 module Doorkeeper
-  # Defines a MissingConfiguration error for a missing Doorkeeper configuration
-  #
-  class MissingConfiguration < StandardError
-    def initialize
-      super("Configuration for doorkeeper missing. Do you have doorkeeper initializer?")
-    end
-  end
-
   # Doorkeeper option DSL could be reused in extensions to build their own
   # configurations. To use the Option DSL gems need to define `builder_class` method
   # that returns configuration Builder class. This exception raises when they don't
   # define it.
   #
-  class MissingConfigurationBuilderClass < StandardError; end
-
-  class << self
-    def configure(&block)
-      @config = Config::Builder.new(&block).build
-      setup_orm_adapter
-      setup_orm_models
-      setup_application_owner if @config.enable_application_owner?
-      @config
-    end
-
-    # @return [Doorkeeper::Config] configuration instance
-    #
-    def configuration
-      @config || (raise MissingConfiguration)
-    end
-
-    alias config configuration
-
-    def setup_orm_adapter
-      @orm_adapter = "doorkeeper/orm/#{configuration.orm}".classify.constantize
-    rescue NameError => e
-      raise e, "ORM adapter not found (#{configuration.orm})", <<-ERROR_MSG.strip_heredoc
-        [DOORKEEPER] ORM adapter not found (#{configuration.orm}), or there was an error
-        trying to load it.
-
-        You probably need to add the related gem for this adapter to work with
-        doorkeeper.
-      ERROR_MSG
-    end
-
-    def setup_orm_models
-      @orm_adapter.initialize_models!
-    end
-
-    def setup_application_owner
-      @orm_adapter.initialize_application_owner!
-    end
-  end
-
   class Config
     # Default Doorkeeper configuration builder
     class Builder < AbstractBuilder
@@ -137,6 +89,15 @@ module Doorkeeper
         @config.instance_variable_set(:@reuse_access_token, true)
       end
 
+      # Choose to use the url path for native autorization codes 
+      # Enabling this flag sets the authorization code response route for
+      # native redirect uris to oauth/authorize/<code>. The default is
+      # oauth/authorize/native?code=<code>.
+      # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1143
+      def use_url_path_for_native_authorization
+        @config.instance_variable_set(:@use_url_path_for_native_authorization, true)
+      end
+
       # TODO: maybe make it more generic for other flows too?
       # Only allow one valid access token obtained via client credentials
       # per client. If a new access token is obtained before the old one
@@ -293,10 +254,6 @@ module Doorkeeper
     option :skip_client_authentication_for_password_grant,
            default: false
 
-    option :active_record_options,
-           default: {},
-           deprecated: { message: "Customize Doorkeeper models instead" }
-
     # Hook to allow arbitrary user-client authorization
     option :authorize_resource_owner_for_client,
            default: ->(_client, _resource_owner) { true }
@@ -364,11 +321,29 @@ module Doorkeeper
     option :access_token_generator,
            default: "Doorkeeper::OAuth::Helpers::UniqueToken"
 
+    # Allows additional data to be received when granting access to an Application, and for this
+    # additional data to be sent with subsequently generated access tokens. The access grant and
+    # access token models will both need to respond to the specified attribute names.
+    #
+    # @param attributes [Array] The array of custom attribute names to be saved
+    #
+    option :custom_access_token_attributes,
+           default: []
+
+    # Use a custom class for generating the application secret.
+    # https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-application-secret-generator
+    #
+    # @param application_secret_generator [String]
+    #   the name of the application secret generator class
+    #
+    option :application_secret_generator,
+           default: "Doorkeeper::OAuth::Helpers::UniqueToken"
+
     # Default access token generator is a SecureRandom class from Ruby stdlib.
     # This option defines which method will be used to generate a unique token value.
     #
-    # @param access_token_generator [String]
-    #   the name of the access token generator class
+    # @param default_generator_method [Symbol]
+    #   the method name of the default access token generator
     #
     option :default_generator_method, default: :urlsafe_base64
 
@@ -441,6 +416,16 @@ module Doorkeeper
                 :token_secret_fallback_strategy,
                 :application_secret_fallback_strategy
 
+    def clear_cache!
+      %i[
+        application_model
+        access_token_model
+        access_grant_model
+      ].each do |var|
+        remove_instance_variable("@#{var}") if instance_variable_defined?("@#{var}")
+      end
+    end
+
     # Doorkeeper Access Token model class.
     #
     # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
@@ -581,6 +566,11 @@ module Doorkeeper
     def deprecated_token_grant_types_resolver
       @deprecated_token_grant_types ||= calculate_token_grant_types
     end
+    
+    def native_authorization_code_route
+      @use_url_path_for_native_authorization = false unless defined?(@use_url_path_for_native_authorization)
+      @use_url_path_for_native_authorization ? '/:code' : '/native'
+    end
 
     # [NOTE]: deprecated and will be removed soon
     def deprecated_authorization_flows

data/lib/doorkeeper/engine.rb

@@ -2,9 +2,12 @@
 
 module Doorkeeper
   class Engine < Rails::Engine
-    initializer "doorkeeper.params.filter" do |app|
-      parameters = %w[client_secret code authentication_token access_token refresh_token]
-      app.config.filter_parameters << /^(#{Regexp.union(parameters)})$/
+    initializer "doorkeeper.params.filter", after: :load_config_initializers do |app|
+      if Doorkeeper.configured?
+        parameters = %w[client_secret authentication_token access_token refresh_token]
+        parameters << "code" if Doorkeeper.config.grant_flows.include?("authorization_code")
+        app.config.filter_parameters << /^(#{Regexp.union(parameters)})$/
+      end
     end
 
     initializer "doorkeeper.routes" do
@@ -17,6 +20,10 @@ module Doorkeeper
       end
     end
 
+    config.to_prepare do
+      Doorkeeper.run_orm_hooks
+    end
+
     if defined?(Sprockets) && Sprockets::VERSION.chr.to_i >= 4
       initializer "doorkeeper.assets.precompile" do |app|
         # Force users to use:

data/lib/doorkeeper/helpers/controller.rb

@@ -82,7 +82,7 @@ module Doorkeeper
       end
 
       def x_www_form_urlencoded?
-        request.content_type == "application/x-www-form-urlencoded"
+        request.media_type == "application/x-www-form-urlencoded"
       end
     end
   end

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -49,7 +49,7 @@ module Doorkeeper
       end
 
       # Implements PKCE code_challenge encoding without base64 padding as described in the spec.
-      # https://tools.ietf.org/html/rfc7636#appendix-A
+      # https://datatracker.ietf.org/doc/html/rfc7636#appendix-A
       #   Appendix A.  Notes on Implementing Base64url Encoding without Padding
       #
       #   This appendix describes how to implement a base64url-encoding