doorkeeper 5.4.0 → 5.5.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 76b3a86e21584548c9b0c176512c844bee90ba9c447aaf09741abf54488093bb
-  data.tar.gz: ce7a4ffdf3b0aebaa69f703b70f0109276205c9ec0b2f1e2c7b3e88cb4746f8b
+  metadata.gz: 1099136de2b2fe0f0443f88bdbe2260ebed52efb2aab31d1d35bb7aa9f801acd
+  data.tar.gz: '09837820494b55d6bd26e2d997c203b221bc7951e74a6d1e2197122a86f0f1b2'
 SHA512:
-  metadata.gz: 7192f9711713f15d323e85aa3ad4274b314a55dcc89ba945de52dca5dbbad2e267dc3252da353cd4991fae365a1161fd91d06c0bfcaba767163b4c54eafca125
-  data.tar.gz: b5f324cfe8064b32254ca1c045bc24c54ab21a485bf3c6a9726bc995ab9dc24516872bf8ee314850b65f6ce3d879d0497e67416ea78c0f8f7566bdbfd48e024a
+  metadata.gz: 9197207fe8db140d8658aa12cd7422bfd84a001227a9f0841ebf5d92da4be531cfd7dea26aad584fff3573bc066b8fadc4e9d4e70bcc6dd5978253d94a9d66a4
+  data.tar.gz: 3b37c794027fcdbec12ef314bd6a927e111c2aed2044f3ead9f05893400e7221bf9adf98203efe7a225b395d5644326b943c144c13fb0caeccff5dff20a56ca5

data/CHANGELOG.md

@@ -7,7 +7,29 @@ User-visible changes worth mentioning.
 
 ## master
 
-- [#PR ID] Your PR description.
+- [#PR ID] Add your PR description here.
+
+## 5.5.0.rc1
+
+- [#1435] Make error response not redirectable when client is unauthorized
+- [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
+- [#1407] Remove redundant and complex to support helpers froms tests (`should_have_json`, etc).
+- [#1416] Don't add introspection route if token introspection completely disabled.
+- [#1410] Properly memoize `current_resource_owner` value (consider `nil` and `false` values).
+- [#1415] Ignore PKCE params for non-PKCE grants.
+- [#1418] Add ability to register custom OAuth Grant Flows.
+- [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.
+  
+  **[IMPORTANT]** you need to create a new OAuth client (`Doorkeeper::Application`) if yoo didn't
+    have it before and use client credentials in HTTP Basic auth if you previously used this grant
+    flow without client authentication. For migration purposes you could enable
+    `skip_client_authentication_for_password_grant` configuration option to `true`, but such behavior
+    (as well as configuration option) would be completely removed in a future version of Doorkeeper.
+    All the users of your provider application now need to include client credentials when they use
+    this grant flow.
+
+- [#1421] Add Resource Owner instance to authorization hook context for `custom_access_token_expires_in`
+  configuration option to allow resource owner based Access Tokens TTL.
 
 ## 5.4.0
 

data/app/controllers/doorkeeper/authorizations_controller.rb

@@ -83,7 +83,8 @@ module Doorkeeper
         code_challenge_method
         response_type
         redirect_uri
-        scope state
+        scope
+        state
       ]
     end
 

data/app/controllers/doorkeeper/tokens_controller.rb

@@ -69,6 +69,9 @@ module Doorkeeper
     private
 
     # OAuth 2.0 Section 2.1 defines two client types, "public" & "confidential".
+    #
+    # RFC7009
+    # Section 5. Security Considerations
     # A malicious client may attempt to guess valid tokens on this endpoint
     # by making revocation requests against potential token strings.
     # According to this specification, a client's request must contain a

data/config/locales/en.yml

@@ -93,7 +93,6 @@ en:
         invalid_request:
           unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
           missing_param: 'Missing required parameter: %{value}.'
-          not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
           request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
         invalid_redirect_uri: "The requested redirect uri is malformed or doesn't match client redirect URI."
         unauthorized_client: 'The client is not authorized to perform this request using this method.'

data/lib/doorkeeper.rb

@@ -7,6 +7,7 @@ require "doorkeeper/engine"
 #
 module Doorkeeper
   autoload :Errors, "doorkeeper/errors"
+  autoload :GrantFlow, "doorkeeper/grant_flow"
   autoload :OAuth, "doorkeeper/oauth"
   autoload :Rake, "doorkeeper/rake"
   autoload :Request, "doorkeeper/request"

data/lib/doorkeeper/config.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
-require "doorkeeper/config/option"
 require "doorkeeper/config/abstract_builder"
+require "doorkeeper/config/option"
+require "doorkeeper/config/validations"
 
 module Doorkeeper
   # Defines a MissingConfiguration error for a missing Doorkeeper configuration
@@ -219,6 +220,7 @@ module Doorkeeper
     mattr_reader(:builder_class) { Builder }
 
     extend Option
+    include Validations
 
     option :resource_owner_authenticator,
            as: :authenticate_resource_owner,
@@ -267,7 +269,6 @@ module Doorkeeper
     option :grant_flows,                    default: %w[authorization_code client_credentials]
     option :handle_auth_errors,             default: :render
     option :token_lookup_batch_size,        default: 10_000
-
     # Sets the token_reuse_limit
     # It will be used only when reuse_access_token option in enabled
     # By default it will be 100
@@ -275,6 +276,11 @@ module Doorkeeper
     # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1189
     option :token_reuse_limit,              default: 100
 
+    # [NOTE]: will be removed in a future version of Doorkeeper
+    option :skip_client_authentication_for_password_grant,
+           default: false,
+           deprecated: { message: "OAuth RFC requires client authentication so you need at least to create one" }
+
     option :active_record_options,
            default: {},
            deprecated: { message: "Customize Doorkeeper models instead" }
@@ -423,13 +429,6 @@ module Doorkeeper
                 :token_secret_fallback_strategy,
                 :application_secret_fallback_strategy
 
-    # Return the valid subset of this configuration
-    def validate!
-      validate_reuse_access_token_value
-      validate_token_reuse_limit
-      validate_secret_strategies
-    end
-
     # Doorkeeper Access Token model class.
     #
     # @return [ActiveRecord::Base, Mongoid::Document, Sequel::Model]
@@ -545,12 +544,77 @@ module Doorkeeper
       ]
     end
 
+    def enabled_grant_flows
+      @enabled_grant_flows ||= calculate_grant_flows.map { |name| Doorkeeper::GrantFlow.get(name) }.compact
+    end
+
+    def authorization_response_flows
+      @authorization_response_flows ||= enabled_grant_flows.select(&:handles_response_type?) +
+                                        deprecated_authorization_flows
+    end
+
+    def token_grant_flows
+      @token_grant_flows ||= calculate_token_grant_flows
+    end
+
     def authorization_response_types
-      @authorization_response_types ||= calculate_authorization_response_types.freeze
+      authorization_response_flows.map(&:response_type_matches)
     end
 
     def token_grant_types
-      @token_grant_types ||= calculate_token_grant_types.freeze
+      token_grant_flows.map(&:grant_type_matches)
+    end
+
+    # [NOTE]: deprecated and will be removed soon
+    def deprecated_token_grant_types_resolver
+      @deprecated_token_grant_types ||= calculate_token_grant_types
+    end
+
+    # [NOTE]: deprecated and will be removed soon
+    def deprecated_authorization_flows
+      response_types = calculate_authorization_response_types
+
+      if response_types.any?
+        ::Kernel.warn <<~WARNING
+          Please, don't patch Doorkeeper::Config#calculate_authorization_response_types method.
+          Register your custom grant flows using the public API:
+          `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+        WARNING
+      end
+
+      response_types.map do |response_type|
+        Doorkeeper::GrantFlow::FallbackFlow.new(response_type, response_type_matches: response_type)
+      end
+    end
+
+    # [NOTE]: deprecated and will be removed soon
+    def calculate_authorization_response_types
+      []
+    end
+
+    # [NOTE]: deprecated and will be removed soon
+    def calculate_token_grant_types
+      types = grant_flows - ["implicit"]
+      types << "refresh_token" if refresh_token_enabled?
+      types
+    end
+
+    # Calculates grant flows configured by the user in Doorkeeper
+    # configuration considering registered aliases that is exposed
+    # to single or multiple other flows.
+    #
+    def calculate_grant_flows
+      configured_flows = grant_flows.map(&:to_s)
+      aliases = Doorkeeper::GrantFlow.aliases.keys.map(&:to_s)
+
+      flows = configured_flows - aliases
+      aliases.each do |flow_alias|
+        next unless configured_flows.include?(flow_alias)
+
+        flows.concat(Doorkeeper::GrantFlow.expand_alias(flow_alias))
+      end
+
+      flows.flatten.uniq
     end
 
     def allow_blank_redirect_uri?(application = nil)
@@ -579,57 +643,10 @@ module Doorkeeper
       !!(defined?(var) && var)
     end
 
-    # Determines what values are acceptable for 'response_type' param in
-    # authorization request endpoint, and return them as an array of strings.
-    #
-    def calculate_authorization_response_types
-      types = []
-      types << "code"  if grant_flows.include? "authorization_code"
-      types << "token" if grant_flows.include? "implicit"
-      types
-    end
-
-    # Determines what values are acceptable for 'grant_type' param token
-    # request endpoint, and return them in array.
-    #
-    def calculate_token_grant_types
-      types = grant_flows - ["implicit"]
-      types << "refresh_token" if refresh_token_enabled?
-      types
-    end
-
-    # Determine whether +reuse_access_token+ and a non-restorable
-    # +token_secret_strategy+ have both been activated.
-    #
-    # In that case, disable reuse_access_token value and warn the user.
-    def validate_reuse_access_token_value
-      strategy = token_secret_strategy
-      return if !reuse_access_token || strategy.allows_restoring_secrets?
-
-      ::Rails.logger.warn(
-        "You have configured both reuse_access_token " \
-        "AND strategy strategy '#{strategy}' that cannot restore tokens. " \
-        "This combination is unsupported. reuse_access_token will be disabled",
-      )
-      @reuse_access_token = false
-    end
-
-    # Validate that the provided strategies are valid for
-    # tokens and applications
-    def validate_secret_strategies
-      token_secret_strategy.validate_for :token
-      application_secret_strategy.validate_for :application
-    end
-
-    def validate_token_reuse_limit
-      return if !reuse_access_token ||
-                (token_reuse_limit > 0 && token_reuse_limit <= 100)
-
-      ::Rails.logger.warn(
-        "You have configured an invalid value for token_reuse_limit option. " \
-        "It will be set to default 100",
-      )
-      @token_reuse_limit = 100
+    def calculate_token_grant_flows
+      flows = enabled_grant_flows.select(&:handles_grant_type?)
+      flows << Doorkeeper::GrantFlow.get("refresh_token") if refresh_token_enabled?
+      flows
     end
   end
 end

data/lib/doorkeeper/config/option.rb

@@ -45,9 +45,7 @@ module Doorkeeper
           define_method name do |*args, &block|
             if (deprecation_opts = options[:deprecated])
               warning = "[DOORKEEPER] #{name} has been deprecated and will soon be removed"
-              if deprecation_opts.is_a?(Hash)
-                warning = "#{warning}\n#{deprecation_opts.fetch(:message)}"
-              end
+              warning = "#{warning}\n#{deprecation_opts.fetch(:message)}" if deprecation_opts.is_a?(Hash)
 
               Kernel.warn(warning)
             end

data/lib/doorkeeper/config/validations.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  class Config
+    # Doorkeeper configuration validator.
+    #
+    module Validations
+      # Validates configuration options to be set properly.
+      #
+      def validate!
+        validate_reuse_access_token_value
+        validate_token_reuse_limit
+        validate_secret_strategies
+      end
+
+      private
+
+      # Determine whether +reuse_access_token+ and a non-restorable
+      # +token_secret_strategy+ have both been activated.
+      #
+      # In that case, disable reuse_access_token value and warn the user.
+      def validate_reuse_access_token_value
+        strategy = token_secret_strategy
+        return if !reuse_access_token || strategy.allows_restoring_secrets?
+
+        ::Rails.logger.warn(
+          "You have configured both reuse_access_token " \
+          "AND strategy strategy '#{strategy}' that cannot restore tokens. " \
+          "This combination is unsupported. reuse_access_token will be disabled",
+        )
+        @reuse_access_token = false
+      end
+
+      # Validate that the provided strategies are valid for
+      # tokens and applications
+      def validate_secret_strategies
+        token_secret_strategy.validate_for(:token)
+        application_secret_strategy.validate_for(:application)
+      end
+
+      def validate_token_reuse_limit
+        return if !reuse_access_token ||
+                  (token_reuse_limit > 0 && token_reuse_limit <= 100)
+
+        ::Rails.logger.warn(
+          "You have configured an invalid value for token_reuse_limit option. " \
+          "It will be set to default 100",
+        )
+        @token_reuse_limit = 100
+      end
+    end
+  end
+end

data/lib/doorkeeper/grant_flow.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "doorkeeper/grant_flow/flow"
+require "doorkeeper/grant_flow/fallback_flow"
+require "doorkeeper/grant_flow/registry"
+
+module Doorkeeper
+  module GrantFlow
+    extend Registry
+
+    register(
+      :implicit,
+      response_type_matches: "token",
+      response_type_strategy: Doorkeeper::Request::Token,
+    )
+
+    register(
+      :authorization_code,
+      response_type_matches: "code",
+      response_type_strategy: Doorkeeper::Request::Code,
+      grant_type_matches: "authorization_code",
+      grant_type_strategy: Doorkeeper::Request::AuthorizationCode,
+    )
+
+    register(
+      :client_credentials,
+      grant_type_matches: "client_credentials",
+      grant_type_strategy: Doorkeeper::Request::ClientCredentials,
+    )
+
+    register(
+      :password,
+      grant_type_matches: "password",
+      grant_type_strategy: Doorkeeper::Request::Password,
+    )
+
+    register(
+      :refresh_token,
+      grant_type_matches: "refresh_token",
+      grant_type_strategy: Doorkeeper::Request::RefreshToken,
+    )
+  end
+end

data/lib/doorkeeper/grant_flow/fallback_flow.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module GrantFlow
+    class FallbackFlow < Flow
+      def handles_grant_type?
+        false
+      end
+
+      def handles_response_type?
+        false
+      end
+    end
+  end
+end

data/lib/doorkeeper/grant_flow/flow.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module GrantFlow
+    class Flow
+      attr_reader :name, :grant_type_matches, :grant_type_strategy,
+                  :response_type_matches, :response_type_strategy
+
+      def initialize(name, **options)
+        @name = name
+        @grant_type_matches = options[:grant_type_matches]
+        @grant_type_strategy = options[:grant_type_strategy]
+        @response_type_matches = options[:response_type_matches]
+        @response_type_strategy = options[:response_type_strategy]
+      end
+
+      def handles_grant_type?
+        grant_type_matches.present?
+      end
+
+      def handles_response_type?
+        response_type_matches.present?
+      end
+
+      def matches_grant_type?(value)
+        grant_type_matches === value
+      end
+
+      def matches_response_type?(value)
+        response_type_matches === value
+      end
+    end
+  end
+end

data/lib/doorkeeper/grant_flow/registry.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module GrantFlow
+    module Registry
+      mattr_accessor :flows
+      self.flows = {}
+
+      mattr_accessor :aliases
+      self.aliases = {}
+
+      # Allows to register custom OAuth grant flow so that Doorkeeper
+      # could recognize and process it.
+      #
+      def register(name_or_flow, **options)
+        unless name_or_flow.is_a?(Doorkeeper::GrantFlow::Flow)
+          name_or_flow = Flow.new(name_or_flow, **options)
+        end
+
+        flow_key = name_or_flow.name.to_sym
+
+        if flows.key?(flow_key)
+          ::Kernel.warn <<~WARNING
+            [DOORKEEPER] '#{flow_key}' grant flow already registered and will be overridden
+            in #{caller(1..1).first}
+          WARNING
+        end
+
+        flows[flow_key] = name_or_flow
+      end
+
+      # Allows to register aliases that could be used in `grant_flows`
+      # configuration option. It is possible to have aliases like 1:1 or
+      # 1:N, i.e. "implicit_oidc" => ['token', 'id_token', 'id_token token'].
+      #
+      def register_alias(alias_name, **options)
+        aliases[alias_name.to_sym] = Array.wrap(options.fetch(:as))
+      end
+
+      def expand_alias(alias_name)
+        aliases.fetch(alias_name.to_sym, [])
+      end
+
+      # [NOTE]: make it to use #fetch after removing fallbacks
+      def get(name)
+        flows[name.to_sym]
+      end
+    end
+  end
+end

data/lib/doorkeeper/helpers/controller.rb

@@ -16,6 +16,8 @@ module Doorkeeper
 
       # :doc:
       def current_resource_owner
+        return @current_resource_owner if defined?(@current_resource_owner)
+
         @current_resource_owner ||= begin
           instance_eval(&Doorkeeper.config.authenticate_resource_owner)
         end

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -94,8 +94,8 @@ module Doorkeeper
       # Interface to enumerate access token records in batches in order not
       # to bloat the memory. Could be overloaded in any ORM extension.
       #
-      def find_access_token_in_batches(relation, *args, &block)
-        relation.find_in_batches(*args, &block)
+      def find_access_token_in_batches(relation, **args, &block)
+        relation.find_in_batches(**args, &block)
       end
 
       # Enumerates AccessToken records in batches to find a matching token.
@@ -377,7 +377,7 @@ module Doorkeeper
       return unless self.class.refresh_token_revoked_on_use?
 
       old_refresh_token&.revoke
-      update_column(:previous_refresh_token, "")
+      update_attribute(:previous_refresh_token, "")
     end
 
     private

data/lib/doorkeeper/models/concerns/revocable.rb

@@ -9,7 +9,7 @@ module Doorkeeper
       # @param clock [Time] time object
       #
       def revoke(clock = Time)
-        update_column(:revoked_at, clock.now.utc)
+        update_attribute(:revoked_at, clock.now.utc)
       end
 
       # Indicates whether the object has been revoked.

data/lib/doorkeeper/oauth/authorization/context.rb

@@ -4,12 +4,12 @@ module Doorkeeper
   module OAuth
     module Authorization
       class Context
-        attr_reader :client, :grant_type, :scopes
+        attr_reader :client, :grant_type, :resource_owner, :scopes
 
-        def initialize(client, grant_type, scopes)
-          @client = client
-          @grant_type = grant_type
-          @scopes = scopes
+        def initialize(**attributes)
+          attributes.each do |name, value|
+            instance_variable_set(:"@#{name}", value) if respond_to?(name)
+          end
         end
       end
     end

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -7,7 +7,7 @@ module Doorkeeper
         attr_reader :pre_auth, :resource_owner, :token
 
         class << self
-          def build_context(pre_auth_or_oauth_client, grant_type, scopes)
+          def build_context(pre_auth_or_oauth_client, grant_type, scopes, resource_owner)
             oauth_client = if pre_auth_or_oauth_client.respond_to?(:application)
                              pre_auth_or_oauth_client.application
                            elsif pre_auth_or_oauth_client.respond_to?(:client)
@@ -17,9 +17,10 @@ module Doorkeeper
                            end
 
             Doorkeeper::OAuth::Authorization::Context.new(
-              oauth_client,
-              grant_type,
-              scopes,
+              client: oauth_client,
+              grant_type: grant_type,
+              scopes: scopes,
+              resource_owner: resource_owner,
             )
           end
 
@@ -55,6 +56,7 @@ module Doorkeeper
             pre_auth.client,
             Doorkeeper::OAuth::IMPLICIT,
             pre_auth.scopes,
+            resource_owner,
           )
 
           @token = Doorkeeper.config.access_token_model.find_or_create_for(

data/lib/doorkeeper/oauth/authorization/uri_builder.rb

@@ -23,7 +23,7 @@ module Doorkeeper
           private
 
           def build_query(parameters = {})
-            parameters = parameters.reject { |_, value| value.blank? }
+            parameters.reject! { |_, value| value.blank? }
             Rack::Utils.build_query(parameters)
           end
         end

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -3,7 +3,6 @@
 module Doorkeeper
   module OAuth
     class AuthorizationCodeRequest < BaseRequest
-      validate :pkce_support, error: :invalid_request
       validate :params,       error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
@@ -32,12 +31,6 @@ module Doorkeeper
 
           grant.revoke
 
-          resource_owner = if Doorkeeper.config.polymorphic_resource_owner?
-                             grant.resource_owner
-                           else
-                             grant.resource_owner_id
-                           end
-
           find_or_create_access_token(
             grant.application,
             resource_owner,
@@ -49,16 +42,16 @@ module Doorkeeper
         super
       end
 
-      def pkce_supported?
-        Doorkeeper.config.access_grant_model.pkce_supported?
+      def resource_owner
+        if Doorkeeper.config.polymorphic_resource_owner?
+          grant.resource_owner
+        else
+          grant.resource_owner_id
+        end
       end
 
-      def validate_pkce_support
-        @invalid_request_reason = :not_support_pkce if grant &&
-                                                       !pkce_supported? &&
-                                                       code_verifier.present?
-
-        @invalid_request_reason.nil?
+      def pkce_supported?
+        Doorkeeper.config.access_grant_model.pkce_supported?
       end
 
       def validate_params
@@ -91,8 +84,8 @@ module Doorkeeper
       # if either side (server or client) request PKCE, check the verifier
       # against the DB - if PKCE is supported
       def validate_code_verifier
-        return true unless grant.uses_pkce? || code_verifier
-        return false unless pkce_supported?
+        return true unless pkce_supported?
+        return grant.code_challenge.blank? if code_verifier.blank?
 
         if grant.code_challenge_method == "S256"
           grant.code_challenge == generate_code_challenge(code_verifier)

data/lib/doorkeeper/oauth/base_request.rb

@@ -27,7 +27,7 @@ module Doorkeeper
       end
 
       def find_or_create_access_token(client, resource_owner, scopes, server)
-        context = Authorization::Token.build_context(client, grant_type, scopes)
+        context = Authorization::Token.build_context(client, grant_type, scopes, resource_owner)
         @access_token = server_config.access_token_model.find_or_create_for(
           application: client,
           resource_owner: resource_owner,

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -39,7 +39,8 @@ module Doorkeeper
         end
 
         def lookup_existing_token?
-          server_config.reuse_access_token || server_config.revoke_previous_client_credentials_token?
+          server_config.reuse_access_token ||
+            server_config.revoke_previous_client_credentials_token?
         end
 
         def find_existing_token_for(client, scopes)

data/lib/doorkeeper/oauth/client_credentials/issuer.rb

@@ -30,6 +30,7 @@ module Doorkeeper
             client,
             Doorkeeper::OAuth::CLIENT_CREDENTIALS,
             scopes,
+            nil,
           )
           ttl = Authorization::Token.access_token_expires_in(@server, context)
 

data/lib/doorkeeper/oauth/code_response.rb

@@ -25,21 +25,31 @@ module Doorkeeper
         if URIChecker.oob_uri?(pre_auth.redirect_uri)
           auth.oob_redirect
         elsif response_on_fragment
-          Authorization::URIBuilder.uri_with_fragment(
-            pre_auth.redirect_uri,
-            access_token: auth.token.plaintext_token,
-            token_type: auth.token.token_type,
-            expires_in: auth.token.expires_in_seconds,
-            state: pre_auth.state,
-          )
+          uri_with_fragment
         else
-          Authorization::URIBuilder.uri_with_query(
-            pre_auth.redirect_uri,
-            code: auth.token.plaintext_token,
-            state: pre_auth.state,
-          )
+          uri_with_query
         end
       end
+
+      private
+
+      def uri_with_fragment
+        Authorization::URIBuilder.uri_with_fragment(
+          pre_auth.redirect_uri,
+          access_token: auth.token.plaintext_token,
+          token_type: auth.token.token_type,
+          expires_in: auth.token.expires_in_seconds,
+          state: pre_auth.state,
+        )
+      end
+
+      def uri_with_query
+        Authorization::URIBuilder.uri_with_query(
+          pre_auth.redirect_uri,
+          code: auth.token.plaintext_token,
+          state: pre_auth.state,
+        )
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/error_response.rb

@@ -5,6 +5,8 @@ module Doorkeeper
     class ErrorResponse < BaseResponse
       include OAuth::Helpers
 
+      NON_REDIRECTABLE_STATES = %i[invalid_redirect_uri invalid_client unauthorized_client].freeze
+
       def self.from_request(request, attributes = {})
         new(
           attributes.merge(
@@ -32,7 +34,7 @@ module Doorkeeper
       end
 
       def status
-        if name == :invalid_client
+        if name == :invalid_client || name == :unauthorized_client
           :unauthorized
         else
           :bad_request
@@ -40,8 +42,7 @@ module Doorkeeper
       end
 
       def redirectable?
-        name != :invalid_redirect_uri && name != :invalid_client &&
-          !URIChecker.oob_uri?(@redirect_uri)
+        !NON_REDIRECTABLE_STATES.include?(name) && !URIChecker.oob_uri?(@redirect_uri)
       end
 
       def redirect_uri

data/lib/doorkeeper/oauth/helpers/scope_checker.rb

@@ -12,9 +12,7 @@ module Doorkeeper
             @scope_str = scope_str
             @valid_scopes = valid_scopes(server_scopes, app_scopes)
 
-            if grant_type
-              @scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym]
-            end
+            @scopes_by_grant_type = Doorkeeper.config.scopes_by_grant_type[grant_type.to_sym] if grant_type
           end
 
           def valid?

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -43,8 +43,27 @@ module Doorkeeper
         resource_owner.present?
       end
 
+      # Section 4.3.2. Access Token Request for Resource Owner Password Credentials Grant:
+      #
+      #   If the client type is confidential or the client was issued client credentials (or assigned
+      #   other authentication requirements), the client MUST authenticate with the authorization
+      #   server as described in Section 3.2.1.
+      #
+      #   The authorization server MUST:
+      #
+      #    o  require client authentication for confidential clients or for any  client that was
+      #       issued client credentials (or with other authentication requirements)
+      #
+      #    o  authenticate the client if client authentication is included,
+      #
+      #   @see https://tools.ietf.org/html/rfc6749#section-4.3
+      #
       def validate_client
-        !parameters[:client_id] || client.present?
+        if Doorkeeper.config.skip_client_authentication_for_password_grant
+          !parameters[:client_id] || client.present?
+        else
+          client.present?
+        end
       end
 
       def validate_client_supports_grant_flow

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -84,6 +84,11 @@ module Doorkeeper
         Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client.application)
       end
 
+      def validate_resource_owner_authorize_for_client
+        # The `authorize_resource_owner_for_client` config option is used for this validation
+        client.application.authorized_for_resource_owner?(@resource_owner)
+      end
+
       def validate_redirect_uri
         return false if redirect_uri.blank?
 
@@ -104,7 +109,9 @@ module Doorkeeper
       end
 
       def validate_response_type
-        server.authorization_response_types.include?(response_type)
+        server.authorization_response_flows.any? do |flow|
+          flow.matches_response_type?(response_type)
+        end
       end
 
       def validate_scopes
@@ -117,15 +124,12 @@ module Doorkeeper
       end
 
       def validate_code_challenge_method
+        return true unless Doorkeeper.config.access_grant_model.pkce_supported?
+
         code_challenge.blank? ||
           (code_challenge_method.present? && code_challenge_method =~ /^plain$|^S256$/)
       end
 
-      def validate_resource_owner_authorize_for_client
-        # The `authorize_resource_owner_for_client` config option is used for this validation
-        client.application.authorized_for_resource_owner?(@resource_owner)
-      end
-
       def response_on_fragment?
         response_type == "token"
       end

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -62,6 +62,19 @@ module Doorkeeper
           attributes[:previous_refresh_token] = refresh_token.refresh_token
         end
 
+        # RFC6749
+        # 1.5.  Refresh Token
+        #
+        # Refresh tokens are issued to the client by the authorization server and are
+        # used to obtain a new access token when the current access token
+        # becomes invalid or expires, or to obtain additional access tokens
+        # with identical or narrower scope (access tokens may have a shorter
+        # lifetime and fewer permissions than authorized by the resource
+        # owner).
+        #
+        # Here we assume that TTL of the token received after refreshing should be
+        # the same as that of the original token.
+        #
         @access_token = server_config.access_token_model.create_for(
           application: refresh_token.application,
           resource_owner: resource_owner,

data/lib/doorkeeper/rails/routes.rb

@@ -38,7 +38,7 @@ module Doorkeeper
           map_route(:authorizations, :authorization_routes)
           map_route(:tokens, :token_routes)
           map_route(:tokens, :revoke_routes)
-          map_route(:tokens, :introspect_routes)
+          map_route(:tokens, :introspect_routes) unless Doorkeeper.config.allow_token_introspection.is_a?(FalseClass)
           map_route(:applications, :application_routes)
           map_route(:authorized_applications, :authorized_applications_routes)
           map_route(:token_info, :token_info_routes)

data/lib/doorkeeper/request.rb

@@ -4,32 +4,69 @@ module Doorkeeper
   module Request
     class << self
       def authorization_strategy(response_type)
-        build_strategy_class(response_type)
+        grant_flow = authorization_flows.detect do |flow|
+          flow.matches_response_type?(response_type)
+        end
+
+        if grant_flow
+          grant_flow.response_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          build_fallback_strategy_class(response_type)
+        end
       end
 
       def token_strategy(grant_type)
         raise Errors::MissingRequiredParameter, :grant_type if grant_type.blank?
 
-        get_strategy(grant_type, token_grant_types)
-      rescue NameError
-        raise Errors::InvalidTokenStrategy
-      end
+        grant_flow = token_flows.detect do |flow|
+          flow.matches_grant_type?(grant_type)
+        end
 
-      def get_strategy(grant_type, available)
-        raise NameError unless available.include?(grant_type.to_s)
+        if grant_flow
+          grant_flow.grant_type_strategy
+        else
+          # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+          # For retro-compatibility only
+          raise Errors::InvalidTokenStrategy unless available.include?(grant_type.to_s)
 
-        build_strategy_class(grant_type)
+          strategy_class = build_fallback_strategy_class(grant_type)
+          raise Errors::InvalidTokenStrategy unless strategy_class
+
+          strategy_class
+        end
       end
 
       private
 
-      def token_grant_types
-        Doorkeeper.config.token_grant_types
+      def authorization_flows
+        Doorkeeper.configuration.authorization_response_flows
+      end
+
+      def token_flows
+        Doorkeeper.configuration.token_grant_flows
       end
 
-      def build_strategy_class(grant_or_request_type)
+      # [NOTE]: this will be removed in a newer versions of Doorkeeper.
+      # For retro-compatibility only
+      def available
+        Doorkeeper.config.deprecated_token_grant_types_resolver
+      end
+
+      def build_fallback_strategy_class(grant_or_request_type)
         strategy_class_name = grant_or_request_type.to_s.tr(" ", "_").camelize
-        "Doorkeeper::Request::#{strategy_class_name}".constantize
+        fallback_strategy = "Doorkeeper::Request::#{strategy_class_name}".constantize
+
+        ::Kernel.warn <<~WARNING
+          [DOORKEEPER] #{fallback_strategy} found using fallback, it must be
+          registered using `Doorkeeper::GrantFlow.register(grant_flow_name, **options)`.
+          This functionality will be removed in a newer versions of Doorkeeper.
+        WARNING
+
+        fallback_strategy
+      rescue NameError
+        raise Errors::InvalidTokenStrategy
       end
     end
   end

data/lib/doorkeeper/version.rb

@@ -8,9 +8,9 @@ module Doorkeeper
   module VERSION
     # Semantic versioning
     MAJOR = 5
-    MINOR = 4
+    MINOR = 5
     TINY = 0
-    PRE = nil
+    PRE = "rc1"
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -103,12 +103,13 @@ Doorkeeper.configure do
   #
   # `context` has the following properties available:
   #
-  # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
-  # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
-  # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #   * `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+  #   * `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+  #   * `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+  #   * `resource_owner` - authorized resource owner instance (if present)
   #
   # custom_access_token_expires_in do |context|
-  #   context.client.application.additional_settings.implicit_oauth_expiration
+  #   context.client.additional_settings.implicit_oauth_expiration
   # end
 
   # Use a custom class for generating the access token.
@@ -167,8 +168,7 @@ Doorkeeper.configure do
   # since plain values can no longer be retrieved.
   #
   # Note: If you are already a user of doorkeeper and have existing tokens
-  # in your installation, they will be invalid without enabling the additional
-  # setting `fallback_to_plain_secrets` below.
+  # in your installation, they will be invalid without adding 'fallback: :plain'.
   #
   # hash_token_secrets
   # By default, token secrets will be hashed using the
@@ -202,7 +202,9 @@ Doorkeeper.configure do
   # This will ensure that old access tokens and secrets
   # will remain valid even if the hashing above is enabled.
   #
-  # fallback_to_plain_secrets
+  # This can be done by adding 'fallback: plain', e.g. :
+  #
+  # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt', fallback: :plain
 
   # Issue access tokens with refresh token (disabled by default), you may also
   # pass a block which accepts `context` to customize when to give a refresh

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.4.0
+  version: 5.5.0.rc1
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-11 00:00:00.000000000 Z
+date: 2020-08-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -103,14 +103,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '6.0'
 - !ruby/object:Gem::Dependency
   name: generator_spec
   requirement: !ruby/object:Gem::Requirement
@@ -205,8 +205,13 @@ files:
 - lib/doorkeeper/config.rb
 - lib/doorkeeper/config/abstract_builder.rb
 - lib/doorkeeper/config/option.rb
+- lib/doorkeeper/config/validations.rb
 - lib/doorkeeper/engine.rb
 - lib/doorkeeper/errors.rb
+- lib/doorkeeper/grant_flow.rb
+- lib/doorkeeper/grant_flow/fallback_flow.rb
+- lib/doorkeeper/grant_flow/flow.rb
+- lib/doorkeeper/grant_flow/registry.rb
 - lib/doorkeeper/grape/authorization_decorator.rb
 - lib/doorkeeper/grape/helpers.rb
 - lib/doorkeeper/helpers/controller.rb
@@ -327,9 +332,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.0.2
 signing_key: