doorkeeper 5.5.4 → 5.8.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 55c17555b9591b1a06b8164b0508ab733df8dca59e4b555e1dac3b3cc7a1112e
-  data.tar.gz: 56fd2b8475c97f0bc755086cc22ee1aa14d2ac47263f0e218f3cf4f9f80d5b38
+  metadata.gz: de574cec8c17af2fd1026081acc0bf592c71ecbf947d92546df6b4d48ce3b5ce
+  data.tar.gz: eb282ce352bbd4491014b753535ff24e804ca801e02aef8a6ded3f7ca5951e64
 SHA512:
-  metadata.gz: b21d497b70266436f0446eec977f9ff074f646c0cdf417e08c8806529474ea91d112f0f1357a614f9e136b0dd042d665f7ea7325740254770ff01469df595390
-  data.tar.gz: eb23ac65993cf89d82b66e5616b231d58fd0ac928486354a2bc36fdf7173fb3ba807f434f85a45f4ea6d1600847b46bdd5ad76ea9d317c16908a114b18fdb94a
+  metadata.gz: 68b668d79eb5532cb4dbe660eb26269d67eb545b5dbd12bae15c087752c7e5447e1f60326725c0d838189a746de5718e8644605dcdd946d4f2cf29a556297369
+  data.tar.gz: 8ad2d79f707129abd0787710cc86ee563af9887f986dec03edc396c691ffb26e18279b3693bc15658d059e78dd7dc2ce3093a137c03bb16e7858832d9e80c368

data/CHANGELOG.md

@@ -7,7 +7,117 @@ User-visible changes worth mentioning.
 
 ## main
 
-- [#ID] Add your PR description here.
+Add your entry here.
+
+## 5.8.2
+
+- [#1755] Fix the error message for force_pkce
+- [#1761] Memoize authentication failure
+- [#1762] Allow missing client to trigger invalid client error when force_pkce is enabled
+- [#1767] Make sure error handling happens on a controller level opposed to action level to account for the controller being extended
+
+## 5.8.1
+
+- [#1752] Bump the range of supported Ruby and Rails versions
+- [#1747] Fix unknown pkce method error when configured
+- [#1744] Allow for expired refresh tokens to be revoked
+- [#1754] Fix refresh tokens with dynamic scopes
+
+## 5.8.0
+
+- [#1739] Add support for dynamic scopes
+- [#1715] Fix token introspection invalid request reason
+- [#1714] Fix `Doorkeeper::AccessToken.find_or_create_for` with empty scopes which raises NoMethodError
+- [#1712] Add `Pragma: no-cache` to token response
+- [#1726] Refactor token introspection class.
+- [#1727] Allow to set null secret value for Applications if they are public.
+- [#1735] Add `pkce_code_challenge_methods` config option. 
+
+## 5.7.1
+
+- [#1705] Add `force_pkce` option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code
+
+## 5.7.0
+
+- [#1696] Add missing `#issued_token` method to `OAuth::TokenResponse`
+- [#1697] Allow a TokenResponse body to be customized (memoize response body).
+- [#1702] Fix bugs for error response in the form_post and error view
+- [#1660] Custom access token attributes are now considered when finding matching tokens (fixes #1665).
+  Introduce `revoke_previous_client_credentials_token` configuration option.
+
+## 5.6.9
+
+- [#1691] Make new Doorkeeper errors backward compatible with older extensions.
+
+## 5.6.8
+
+- [#1680] Fix handle_auth_errors :raise NotImplementedError
+
+## 5.6.7
+
+- [#1662] Specify uri_redirect validation class explicitly.
+- [#1652] Add custom attributes support to token generator.
+- [#1667] Pass `client` instead of `grant.application` to `find_or_create_access_token`.
+- [#1673] Honor `custom_access_token_attributes` in client credentials grant flow.
+- [#1676] Improve AuthorizationsController error response handling
+- [#1677] Fix URIHelper.valid_for_authorization? breaking for non url URIs.
+
+## 5.6.6
+
+- [#1644] Update HTTP headers.
+- [#1646] Block public clients automatic authorization skip.
+- [#1648] Add custom token attributes to Refresh Token Request.
+- [#1649] Fixed custom_access_token_attributes related errors.
+
+## 5.6.5
+
+- [#1602] Allow custom data to be stored inside access grants/tokens.
+- [#1634] Code refactoring for custom token attributes.
+- [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.
+
+## 5.6.4
+
+- [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.
+
+## 5.6.3
+
+- [#1622] Drop support for Rubies 2.5 and 2.6
+- [#1605] Fix URI validation for Ruby 3.2+.
+- [#1625] Exclude endless access tokens from `StaleRecordsCleaner`.
+- [#1626] Remove deprecated `active_record_options` config option.
+- [#1631] Fix regression with redirect behavior after token lookup optimizations (redirect to app URI when found).
+- [#1630] Special case unique index creation for refresh_token on SQL Server.
+- [#1627] Lazy evaluate Doorkeeper config when loading files and executing initializers.
+
+## 5.6.2
+
+- [#1604] Fix fetching of the application when custom application_class defined.
+
+## 5.6.1
+
+- [#1593] Add support for Trilogy ActiveRecord adapter.
+- [#1597] Add optional support to use the url path for the native authorization code flow. Ports forward [#1143] from 4.4.3
+- [#1599] Remove unnecessarily re-fetch of application object when creating an access token.
+
+## 5.6.0
+
+- [#1581] Consider `token_type_hint` when searching for access token in TokensController to avoid extra database calls.
+
+## 5.6.0.rc2
+
+- [#1558] Fixed bug: able to obtain a token with default scopes even if they are not present in the
+  application scopes when using client credentials.
+- [#1567] Only filter `code` parameter if authorization_code grant flow is enabled.
+
+## 5.6.0.rc1
+
+- [#1551] Change lazy loading for ORM to be Ruby standard autoload.
+- [#1552] Remove duplicate IDs on Auth form to improve accessibility.
+- [#1542] Improve performance of `Doorkeeper::AccessToken#matching_token_for` using database specific SQL time math.
+
+  **[IMPORTANT]**: API of the `Doorkeeper::AccessToken#matching_token_for` method has changed and now it returns
+  only **active** access tokens (previously they were just not revoked). Please remember that the idea of the
+  `reuse_access_token` option is to check for existing _active_ token (see configuration option description).
 
 ## 5.5.4
 
@@ -25,12 +135,12 @@ User-visible changes worth mentioning.
 - [#1502] Drop support for Ruby 2.4 because of EOL.
 - [#1504] Updated the url fragment in the comment for code documentation.
 - [#1512] Fix form behavior when response mode is form_post.
-- [#1511] Fix that authorization code is returned by fragment if response_mode is fragament.
+- [#1511] Fix that authorization code is returned by fragment if response_mode is fragment.
 
 ## 5.5.1
 
 - [#1496] Revoke `old_refresh_token` if `previous_refresh_token` is present.
-- [#1495] Fix `respond_to` undefined in API-only mode 
+- [#1495] Fix `respond_to` undefined in API-only mode
 - [#1488] Verify client authentication for Resource Owner Password Grant when
   `config.skip_client_authentication_for_password_grant` is set and the client credentials
   are sent in a HTTP Basic auth header.
@@ -44,10 +154,10 @@ User-visible changes worth mentioning.
 ## 5.5.0.rc2
 
 - [#1473] Enable `Applications` and `AuthorizedApplications` controllers in API mode.
-  
-  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in 
+
+  **[IMPORTANT]** you can still skip these controllers using `skip_controllers` in
     `use_doorkeeper` inside `routes.rb`. Please do it in case you don't need them.
-  
+
 - [#1472] Fix `establish_connection` configuration for custom defined models.
 - [#1471] Add support for Ruby 3.0.
 - [#1469] Check if `redirect_uri` exists.
@@ -254,7 +364,7 @@ User-visible changes worth mentioning.
 - [#1237] Allow to set blank redirect URI if Doorkeeper configured to use redirect URI-less grant flows.
 - [#1234] Fix `StaleRecordsCleaner` to properly work with big amount of records.
 - [#1228] Allow to explicitly set non-expiring tokens in `custom_access_token_expires_in` configuration
-  option using `Float::INIFINITY` return value.
+  option using `Float::INFINITY` return value.
 - [#1224] Do not try to store token if not found by fallback hashing strategy.
 - [#1223] Update Hound/Rubocop rules, correct Doorkeeper codebase to follow style-guides.
 - [#1220] Drop Rails 4.2 & Ruby < 2.4 support.
@@ -339,7 +449,7 @@ User-visible changes worth mentioning.
 - [#1116] `AccessGrant`s will now be revoked along with `AccessToken`s when
   hitting the `AuthorizedApplicationController#destroy` route.
 - [#1114] Make token info endpoint's attributes consistent with token creation
-- [#1108] Simple formating of callback URLs when listing oauth applications
+- [#1108] Simple formatting of callback URLs when listing oauth applications
 - [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
   configured by developers.
 

data/README.md

@@ -1,10 +1,9 @@
 # Doorkeeper — awesome OAuth 2 provider for your Rails / Grape app.
 
 [![Gem Version](https://badge.fury.io/rb/doorkeeper.svg)](https://rubygems.org/gems/doorkeeper)
-[![Build Status](https://app.travis-ci.com/doorkeeper-gem/doorkeeper.svg?branch=main)](https://app.travis-ci.com/doorkeeper-gem/doorkeeper)
+[![CI](https://github.com/doorkeeper-gem/doorkeeper/actions/workflows/ci.yml/badge.svg)](https://github.com/doorkeeper-gem/doorkeeper/actions/workflows/ci.yml)
 [![Code Climate](https://codeclimate.com/github/doorkeeper-gem/doorkeeper.svg)](https://codeclimate.com/github/doorkeeper-gem/doorkeeper)
 [![Coverage Status](https://coveralls.io/repos/github/doorkeeper-gem/doorkeeper/badge.svg?branch=main)](https://coveralls.io/github/doorkeeper-gem/doorkeeper?branch=main)
-[![Security](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main.svg)](https://hakiri.io/github/doorkeeper-gem/doorkeeper/main)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
 [![GuardRails badge](https://badges.guardrails.io/doorkeeper-gem/doorkeeper.svg?token=66768ce8f6995814df81f65a2cff40f739f688492704f973e62809e15599bb62)](https://dashboard.guardrails.io/default/gh/doorkeeper-gem/doorkeeper)
 [![Dependabot](https://img.shields.io/badge/dependabot-enabled-success.svg)](https://dependabot.com)
@@ -40,7 +39,6 @@ Supported features:
 - [ORMs](#orms)
 - [Extensions](#extensions)
 - [Example Applications](#example-applications)
-- [Tutorials](#tutorials)
 - [Sponsors](#sponsors)
 - [Development](#development)
 - [Contributing](#contributing)
@@ -57,7 +55,7 @@ https://github.com/doorkeeper-gem/doorkeeper/releases.
 Additionally, other resources can be found on:
 
 - [Guides](https://doorkeeper.gitbook.io/guides/) with how-to get started and configuration documentation
-- See the [Wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki) with articles and other documentation
+- See the [Wiki](https://github.com/doorkeeper-gem/doorkeeper/wiki) for articles on how to integrate with other solutions
 - Screencast from [railscasts.com](http://railscasts.com/): [#353
 OAuth with
 Doorkeeper](http://railscasts.com/episodes/353-oauth-with-doorkeeper)
@@ -106,6 +104,8 @@ Extensions that are not included by default and can be installed separately.
 | JWT Token support | [doorkeeper-gem/doorkeeper-jwt](https://github.com/doorkeeper-gem/doorkeeper-jwt) |
 | Assertion grant extension | [doorkeeper-gem/doorkeeper-grants\_assertion](https://github.com/doorkeeper-gem/doorkeeper-grants_assertion) |
 | I18n translations | [doorkeeper-gem/doorkeeper-i18n](https://github.com/doorkeeper-gem/doorkeeper-i18n) |
+| CIBA - Client Initiated Backchannel Authentication Flow extension | [doorkeeper-ciba](https://github.com/autoseg/doorkeeper-ciba) |
+| Device Authorization Grant | [doorkeeper-device_authorization_grant](https://github.com/exop-group/doorkeeper-device_authorization_grant) |
 
 ## Example Applications
 
@@ -123,10 +123,6 @@ examples](https://github.com/doorkeeper-gem/doorkeeper/wiki/Example-Applications
 in our wiki or follow this [tutorial
 here](https://github.com/doorkeeper-gem/doorkeeper/wiki/Testing-your-provider-with-OAuth2-gem).
 
-## Tutorials
-
-See [list of tutorials](https://github.com/doorkeeper-gem/doorkeeper/wiki#how-tos--tutorials) in order to learn how to use the gem or integrate it with other solutions / gems.
-
 ## Sponsors
 
 [![OpenCollective](https://opencollective.com/doorkeeper-gem/backers/badge.svg)](#backers) 
@@ -188,4 +184,4 @@ contributors](https://github.com/doorkeeper-gem/doorkeeper/graphs/contributors)!
 
 ## License
 
-MIT License. Copyright 2011 Applicake.
+MIT License. Created in Applicake. Maintained by the community.

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -13,18 +13,26 @@ module Doorkeeper
     end
 
     def create
-      redirect_or_render authorize_response
+      redirect_or_render(authorize_response)
     end
 
     def destroy
-      redirect_or_render authorization.deny
+      redirect_or_render(authorization.deny)
+    rescue Doorkeeper::Errors::InvalidTokenStrategy => e
+      error_response = get_error_response_from_exception(e)
+
+      if Doorkeeper.configuration.api_only
+        render json: error_response.body, status: :bad_request
+      else
+        render :error, locals: { error_response: error_response }
+      end
     end
 
     private
 
     def render_success
-      if skip_authorization? || matching_token?
-        redirect_or_render authorize_response
+      if skip_authorization? || can_authorize_response?
+        redirect_or_render(authorize_response)
       elsif Doorkeeper.configuration.api_only
         render json: pre_auth
       else
@@ -33,16 +41,27 @@ module Doorkeeper
     end
 
     def render_error
-      if Doorkeeper.configuration.api_only
-        render json: pre_auth.error_response.body,
-               status: :bad_request
+      pre_auth.error_response.raise_exception! if Doorkeeper.config.raise_on_errors?
+
+      if Doorkeeper.configuration.redirect_on_errors? && pre_auth.error_response.redirectable?
+        redirect_or_render(pre_auth.error_response)
+      elsif Doorkeeper.configuration.api_only
+        render json: pre_auth.error_response.body, status: pre_auth.error_response.status
       else
-        render :error
+        render :error, locals: { error_response: pre_auth.error_response }, status: pre_auth.error_response.status
       end
     end
 
+    def can_authorize_response?
+      Doorkeeper.config.custom_access_token_attributes.empty? && pre_auth.client.application.confidential? && matching_token?
+    end
+
+    # Active access token issued for the same client and resource owner with
+    # the same set of the scopes exists?
     def matching_token?
-      Doorkeeper.config.access_token_model.matching_token_for(
+      # We don't match tokens on the custom attributes here - we're in the pre-auth here,
+      # so they haven't been supplied yet (there are no custom attributes to match on yet)
+      @matching_token ||= Doorkeeper.config.access_token_model.matching_token_for(
         pre_auth.client,
         current_resource_owner,
         pre_auth.scopes,
@@ -64,7 +83,7 @@ module Doorkeeper
             )
           end
         elsif pre_auth.form_post_response?
-          render :form_post
+          render :form_post, locals: { auth: auth }
         else
           redirect_to auth.redirect_uri, allow_other_host: true
         end
@@ -86,7 +105,7 @@ module Doorkeeper
     end
 
     def pre_auth_param_fields
-      %i[
+      custom_access_token_attributes + %i[
         client_id
         code_challenge
         code_challenge_method
@@ -98,6 +117,10 @@ module Doorkeeper
       ]
     end
 
+    def custom_access_token_attributes
+      Doorkeeper.config.custom_access_token_attributes.map(&:to_sym)
+    end
+
     def authorization
       @authorization ||= strategy.request
     end

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -4,12 +4,14 @@ module Doorkeeper
   class TokensController < Doorkeeper::ApplicationMetalController
     before_action :validate_presence_of_client, only: [:revoke]
 
+    rescue_from Errors::DoorkeeperError do |e|
+      handle_token_exception(e)
+    end
+
     def create
       headers.merge!(authorize_response.headers)
       render json: authorize_response.body,
              status: authorize_response.status
-    rescue Errors::DoorkeeperError => e
-      handle_token_exception(e)
     end
 
     # OAuth 2.0 Token Revocation - https://datatracker.ietf.org/doc/html/rfc7009
@@ -30,6 +32,7 @@ module Doorkeeper
       end
     end
 
+    # OAuth 2.0 Token Introspection - https://datatracker.ietf.org/doc/html/rfc7662
     def introspect
       introspection = OAuth::TokenIntrospection.new(server, token)
 
@@ -112,15 +115,36 @@ module Doorkeeper
       # The authorization server responds with HTTP status code 200 if the token
       # has been revoked successfully or if the client submitted an invalid
       # token
-      token.revoke if token&.accessible?
+      revocable_token.revoke if revocable_token.revocable?
     end
 
-    # Doorkeeper does not use the token_type_hint logic described in the
-    # RFC 7009 due to the refresh token implementation that is a field in
-    # the access token model.
     def token
-      @token ||= Doorkeeper.config.access_token_model.by_token(params["token"]) ||
-                 Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+      revocable_token&.token
+    end
+
+    def revocable_token
+      return @revocable_token if defined? @revocable_token
+
+      @revocable_token =
+        if params[:token_type_hint] == "refresh_token"
+          refresh_token
+        else
+          access_token || refresh_token
+        end
+    end
+
+    def refresh_token
+      token = Doorkeeper.config.access_token_model.by_refresh_token(params["token"])
+      return unless token
+
+      RevocableTokens::RevocableRefreshToken.new(token)
+    end
+
+    def access_token
+      token = Doorkeeper.config.access_token_model.by_token(params["token"])
+      return unless token
+
+      RevocableTokens::RevocableAccessToken.new(token)
     end
 
     def strategy

data/app/views/doorkeeper/authorizations/error.html.erb

@@ -3,5 +3,7 @@
 </div>
 
 <main role="main">
-  <pre><%= @pre_auth.error_response.body[:error_description] %></pre>
+  <pre>
+    <%= (local_assigns[:error_response] ? error_response : @pre_auth.error_response).body[:error_description] %>
+  </pre>
 </main>

data/app/views/doorkeeper/authorizations/form_post.html.erb

@@ -3,7 +3,7 @@
 </header>
 
 <%= form_tag @pre_auth.redirect_uri, method: :post, name: :redirect_form, authenticity_token: false do %>
-  <% @authorize_response.body.compact.each do |key, value| %>
+  <% auth.body.compact.each do |key, value| %>
     <%= hidden_field_tag key, value %>
   <% end %>
 <% end %>

data/app/views/doorkeeper/authorizations/new.html.erb

@@ -21,25 +21,25 @@
 
   <div class="actions">
     <%= form_tag oauth_authorization_path, method: :post do %>
-      <%= hidden_field_tag :client_id, @pre_auth.client.uid %>
-      <%= hidden_field_tag :redirect_uri, @pre_auth.redirect_uri %>
-      <%= hidden_field_tag :state, @pre_auth.state %>
-      <%= hidden_field_tag :response_type, @pre_auth.response_type %>
-      <%= hidden_field_tag :response_mode, @pre_auth.response_mode %>
-      <%= hidden_field_tag :scope, @pre_auth.scope %>
-      <%= hidden_field_tag :code_challenge, @pre_auth.code_challenge %>
-      <%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method %>
+      <%= hidden_field_tag :client_id, @pre_auth.client.uid, id: nil %>
+      <%= hidden_field_tag :redirect_uri, @pre_auth.redirect_uri, id: nil %>
+      <%= hidden_field_tag :state, @pre_auth.state, id: nil %>
+      <%= hidden_field_tag :response_type, @pre_auth.response_type, id: nil %>
+      <%= hidden_field_tag :response_mode, @pre_auth.response_mode, id: nil %>
+      <%= hidden_field_tag :scope, @pre_auth.scope, id: nil %>
+      <%= hidden_field_tag :code_challenge, @pre_auth.code_challenge, id: nil %>
+      <%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method, id: nil %>
       <%= submit_tag t('doorkeeper.authorizations.buttons.authorize'), class: "btn btn-success btn-lg btn-block" %>
     <% end %>
     <%= form_tag oauth_authorization_path, method: :delete do %>
-      <%= hidden_field_tag :client_id, @pre_auth.client.uid %>
-      <%= hidden_field_tag :redirect_uri, @pre_auth.redirect_uri %>
-      <%= hidden_field_tag :state, @pre_auth.state %>
-      <%= hidden_field_tag :response_type, @pre_auth.response_type %>
-      <%= hidden_field_tag :response_mode, @pre_auth.response_mode %>
-      <%= hidden_field_tag :scope, @pre_auth.scope %>
-      <%= hidden_field_tag :code_challenge, @pre_auth.code_challenge %>
-      <%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method %>
+      <%= hidden_field_tag :client_id, @pre_auth.client.uid, id: nil %>
+      <%= hidden_field_tag :redirect_uri, @pre_auth.redirect_uri, id: nil %>
+      <%= hidden_field_tag :state, @pre_auth.state, id: nil %>
+      <%= hidden_field_tag :response_type, @pre_auth.response_type, id: nil %>
+      <%= hidden_field_tag :response_mode, @pre_auth.response_mode, id: nil %>
+      <%= hidden_field_tag :scope, @pre_auth.scope, id: nil %>
+      <%= hidden_field_tag :code_challenge, @pre_auth.code_challenge, id: nil %>
+      <%= hidden_field_tag :code_challenge_method, @pre_auth.code_challenge_method, id: nil %>
       <%= submit_tag t('doorkeeper.authorizations.buttons.deny'), class: "btn btn-danger btn-lg btn-block" %>
     <% end %>
   </div>

data/config/locales/en.yml

@@ -96,11 +96,15 @@ en:
           unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
           missing_param: 'Missing required parameter: %{value}.'
           request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
+          invalid_code_challenge: 'Code challenge is required.'
         invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'
         access_denied: 'The resource owner or authorization server denied the request.'
         invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
-        invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
+        invalid_code_challenge_method:
+          zero: 'The authorization server does not support PKCE as there are no accepted code_challenge_method values.'
+          one: 'The code_challenge_method must be %{challenge_methods}.'
+          other: 'The code_challenge_method must be one of %{challenge_methods}.'
         server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
         temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
 

data/lib/doorkeeper/config/abstract_builder.rb

@@ -12,7 +12,7 @@ module Doorkeeper
       #
       def initialize(config = Config.new, &block)
         @config = config
-        instance_eval(&block)
+        instance_eval(&block) if block_given?
       end
 
       # Builds and validates configuration.

data/lib/doorkeeper/config/validations.rb

@@ -11,6 +11,7 @@ module Doorkeeper
         validate_reuse_access_token_value
         validate_token_reuse_limit
         validate_secret_strategies
+        validate_pkce_code_challenge_methods
       end
 
       private
@@ -24,8 +25,8 @@ module Doorkeeper
         return if !reuse_access_token || strategy.allows_restoring_secrets?
 
         ::Rails.logger.warn(
-          "You have configured both reuse_access_token " \
-          "AND strategy strategy '#{strategy}' that cannot restore tokens. " \
+          "[DOORKEEPER] You have configured both reuse_access_token " \
+          "AND '#{strategy}' strategy which cannot restore tokens. " \
           "This combination is unsupported. reuse_access_token will be disabled",
         )
         @reuse_access_token = false
@@ -43,11 +44,22 @@ module Doorkeeper
                   (token_reuse_limit > 0 && token_reuse_limit <= 100)
 
         ::Rails.logger.warn(
-          "You have configured an invalid value for token_reuse_limit option. " \
+          "[DOORKEEPER] You have configured an invalid value for token_reuse_limit option. " \
           "It will be set to default 100",
         )
         @token_reuse_limit = 100
       end
+
+      def validate_pkce_code_challenge_methods
+        return if pkce_code_challenge_methods.all? {|method| method =~ /^plain$|^S256$/ }
+
+        ::Rails.logger.warn(
+          "[DOORKEEPER] You have configured an invalid value for pkce_code_challenge_methods option. " \
+          "It will be set to default ['plain', 'S256']",
+        )
+
+        @pkce_code_challenge_methods = ['plain', 'S256']
+      end
     end
   end
 end