See https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions for upgrade guides.
User-visible changes worth mentioning.
- [#1106] Restrict access to AdminController with 'Forbidden 403' if `admin_authenticator` is not configured by developers.
- [#1103] Allow customizing use_refresh_token
- [#1089] Removed enable_pkce_without_secret configuration option
- [#1102] Expiration time based on scopes
- [#1099] All the configuration variables in `Doorkeeper.configuration` now always return a non-nil value (`true` or `false`)
- [#1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled in `doorkeeper.rb`
- [#996] Expiration Time Base On Grant Type
- [#997] Allow PKCE authorization_code flow as specified in RFC7636
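The PKCE flow referenced above (RFC 7636) is easy to get subtly wrong on either side: the verifier must be high-entropy and 43..128 characters from the unreserved set, the S256 challenge is unpadded base64url of the SHA-256 of the verifier, and the token endpoint must recompute and compare rather than trust the client. The following is an added, self-contained Ruby illustration written for this page; it is not Doorkeeper's implementation, and the `Pkce` module name and method names are this example's own. The constant-time comparison is hand-rolled so the snippet runs on any Ruby without newer OpenSSL helpers.

```ruby
require 'securerandom'
require 'digest'
require 'base64'

# Hypothetical PKCE helper (not Doorkeeper code): generation, challenge
# derivation and the server-side check performed at the token endpoint.
module Pkce
  # RFC 7636 §4.1 unreserved characters.
  VERIFIER_CHARS = [*'A'..'Z', *'a'..'z', *'0'..'9', '-', '.', '_', '~'].freeze
  VERIFIER_RE = /\A[A-Za-z0-9\-._~]{43,128}\z/

  # Client side: a fresh random code_verifier for each authorization request.
  def self.generate_verifier(length = 64)
    raise ArgumentError, 'verifier length must be 43..128' unless (43..128).cover?(length)
    Array.new(length) { VERIFIER_CHARS[SecureRandom.random_number(VERIFIER_CHARS.size)] }.join
  end

  # RFC 7636 §4.2: S256 = BASE64URL(SHA256(ASCII(code_verifier))), no padding.
  # 'plain' is kept only because the RFC allows it; S256 should be the default.
  def self.challenge(verifier, method = 'S256')
    case method
    when 'S256'  then Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
    when 'plain' then verifier
    else raise ArgumentError, "unsupported code_challenge_method #{method.inspect}"
    end
  end

  # Parameters the client adds to the authorization request.
  def self.authorization_params(verifier, method = 'S256')
    { code_challenge: challenge(verifier, method), code_challenge_method: method }
  end

  # Server side (RFC 7636 §4.6): the stored challenge/method came with the
  # authorization request; the verifier arrives with the token request.
  # Returns false for a malformed verifier, an unknown method or a mismatch.
  def self.valid?(stored_challenge:, stored_method:, code_verifier:)
    return false unless code_verifier.is_a?(String) && code_verifier.match?(VERIFIER_RE)
    secure_equal?(challenge(code_verifier, stored_method), stored_challenge.to_s)
  rescue ArgumentError
    false
  end

  # Constant-time byte comparison so a mismatch does not leak its position.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The test vector from RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a convenient way to confirm the S256 derivation.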
- [#907] Fix lookup for matching tokens in certain edge-cases
- [#992] Add API option to use Doorkeeper without management views for API only Rails applications (`api_only`)
- [#1045] Validate redirect_uri as the native URI when making authorization code requests
- [#1048] Remove deprecated `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and `Doorkeeper#installed?` methods
- [#1031] Allow public clients to authenticate without `client_secret`. Define an app as either public or private/confidential
- [#1010] Add configuration to enforce configured scopes (`default_scopes` and `optional_scopes`) for applications
- [#1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
- [#1064] Add :before_successful_authorization and :after_successful_authorization hooks
- [#1069] Upgrade Bootstrap to 4 for Admin
- [#1068] Add rake task to cleanup databases that can become large over time
- [#1072] AuthorizationsController: Memoize strategy.authorize_response result to enable subclasses to use the response object.
- [#1075] Call `before_successful_authorization` and `after_successful_authorization` hooks on `create` action as well as `new`
- [#1082] Fix #916: remember routes mapping and use it required places (fix error with customized Token Info route).
- [#1086, #1088] Fix bug with receiving default scopes in the token even if they are not present in the application scopes (use scopes intersection).
- [#1076] Add config to enforce content type to application/x-www-form-urlencoded
- Fix bug with `force_ssl_in_redirect_uri` when it breaks existing applications with an SSL redirect_uri.
- [#1053] Support authorizing with query params in the request `redirect_uri` if explicitly present in app's `Application#redirect_uri`
- Remove `BaseRecord` and introduce additional concern for ordering methods to fix breaking changes for Doorkeeper models.
- [#1032] Refactor BaseRequest callbacks into configurable lambdas
- [#1040] Clear mixins from ActiveRecord DSL and save only overridable API. It allows to use this mixins in Doorkeeper ORM extensions with minimum code boilerplate.
- [#976] Fix to invalidate the second redirect URI when the first URI is the native URI
- [#1035] Allow `Application#redirect_uri=` to handle an array of URIs.
- [#1036] Allow forbidding Application redirect URIs with specific rules.
- [#1029] Deprecate `order_method` and introduce `ordered_by`. Sort applications by `created_at` in index action.
- [#1033] Allow Doorkeeper configuration option `force_ssl_in_redirect_uri` to be a callable object.
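Several of the entries above tighten redirect_uri handling: the native URI must be registered to be accepted, query parameters in the request are only honoured when the registered URI carries them, `force_ssl_in_redirect_uri` may be a callable, and a `forbid` rule can reject URIs outright. The following is an added Ruby illustration of those rules as one matcher; it is not Doorkeeper's validator, and `RedirectUriCheck` with its keyword arguments is this example's own. It assumes the out-of-band value `urn:ietf:wg:oauth:2.0:oob` as the native URI and that registered URIs are stored one per line, both assumptions of the example rather than facts taken from this page.

```ruby
require 'uri'

# Hypothetical redirect_uri matcher (not Doorkeeper code) for an
# authorization request. Exact match on scheme/host/port/path; query
# parameters must match those of the registered entry, which means a
# registered URI without a query rejects any query at all.
module RedirectUriCheck
  NATIVE_URI = 'urn:ietf:wg:oauth:2.0:oob'.freeze # assumed native value

  # registered: String, one URI per line (assumed storage format)
  # requested:  redirect_uri parameter from the request
  # force_ssl:  boolean or callable(URI) -> boolean, as #1033 allows
  # forbid:     optional callable(URI) -> true to reject, as #1036 allows
  def self.valid?(registered, requested, force_ssl: false, forbid: nil)
    return false if requested.nil? || requested.empty?
    registered_uris = registered.to_s.split(/\s+/).reject(&:empty?)
    return false if registered_uris.empty?
    # The native URI is only valid when it is itself registered (#1045/#1060).
    return registered_uris.include?(NATIVE_URI) if requested == NATIVE_URI

    req = parse(requested)
    return false if req.nil? || req.fragment # RFC 6749 §3.1.2 forbids fragments
    return false if forbid && forbid.call(req)
    return false if ssl_required?(force_ssl, req) && req.scheme != 'https'

    registered_uris.any? do |entry|
      next false if entry == NATIVE_URI
      reg = parse(entry)
      next false if reg.nil?
      reg.scheme == req.scheme &&
        reg.host.to_s.downcase == req.host.to_s.downcase &&
        reg.port == req.port &&
        reg.path == req.path &&
        query_matches?(reg.query, req.query)
    end
  end

  # Query params are compared as sorted pairs, so ordering does not matter
  # but every registered pair must be present and nothing extra is allowed.
  def self.query_matches?(registered_query, requested_query)
    return requested_query.nil? if registered_query.nil?
    URI.decode_www_form(registered_query).sort == URI.decode_www_form(requested_query.to_s).sort
  end

  def self.ssl_required?(force_ssl, uri)
    force_ssl.respond_to?(:call) ? force_ssl.call(uri) : force_ssl
  end

  def self.parse(value)
    URI.parse(value)
  rescue URI::InvalidURIError
    nil
  end
end
```

A callable `force_ssl` is the natural place for a development exemption such as plain-http `localhost`, while keeping HTTPS mandatory everywhere else.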
- Fix Grape integration & add specs for it
- [#913] Deferred ORM (ActiveRecord) models loading
- [#943] Fix Access Token token generation when certain errors occur in custom token generators
- [#1026] Implement RFC7662 - OAuth 2.0 Token Introspection
- [#985] Generate valid migration files for Rails >= 5
- [#972] Replace Struct subclassing with block-form initialization
- [#1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
- [#868] `Scopes#&` and `Scopes#+` now take an array or any other enumerable object.
- [#1019] Remove translation not in use: `invalid_resource_owner`.
- Use Ruby 2 hash style syntax (min required Ruby version = 2.1)
- [#948] Make Scopes.<=> work with any "other" value.
- [#974] Redirect URI is checked without query params within AuthorizationCodeRequest.
- [#1004] More explicit help text for `native_redirect_uri`.
- [#1023] Update Ruby versions and test against 2.5.0 on Travis CI.
- [#1024] Migrate from FactoryGirl to FactoryBot.
- [#1025] Improve documentation for adding foreign keys
- [#1028] Make it possible to have composite strategy names.
- [#970] Escape certain attributes in authorization forms.
- [#936] Deprecate `Doorkeeper#configured?`, `Doorkeeper#database_installed?`, and `Doorkeeper#installed?`
- [#909] Add `InvalidTokenResponse#reason` reader method to allow reading the kind of invalid token error.
- [#928] Test against more recent Ruby versions
- Small refactorings within the codebase
- [#921] Switch to Appraisal, and test against Rails master
- [#892] Add minimum Ruby version requirement
- Security fix: Address CVE-2016-6582, implement token revocation according to spec (tokens might not be revoked if client follows the spec).
- [#873] Add hooks to Doorkeeper::ApplicationMetalController
- [#871] Allow downstream users to better utilize doorkeeper spec factories by eliminating name conflict on `:user` factory.
- [#845] Allow customising the `Doorkeeper::ApplicationController` base controller
- [#834] Fix AssetNotPrecompiled error with Sprockets 4
- [#843] Revert "Fix validation error messages"
- [#847] Specify Null option to timestamps
- [#777] Add support for public client in password grant flow
- [#823] Make configuration and specs ORM independent
- [#745] Add created_at timestamp to token generation options
- [#838] Drop `Application#scopes` generator and warning, introduced for upgrading doorkeeper from v2 to v3.
- [#801] Fix Rails 5 warning messages
- Test against Rails 5 RC1
- [#769] Revoke refresh token on access token use. To make use of the new config add `previous_refresh_token` column to `oauth_access_tokens`: `rails generate doorkeeper:previous_refresh_token`
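Two entries on this page concern token lifecycle rules that are easy to get wrong: the `previous_refresh_token` behaviour above, where the old refresh token survives a refresh until the new access token is first used (so a client that never received the refresh response can retry without being locked out), and the earlier CVE-2016-6582 entry about revoking tokens according to RFC 7009, which requires the revocation endpoint to authenticate the client and only act on tokens issued to that client. The following is an added Ruby illustration serving both entries with one in-memory token store; it is not Doorkeeper's code, and `TokenServer`, its client registry and its method names are assumptions of this example. Treating another client's token as "unknown" (200, nothing revoked) is this example's choice, made so the endpoint does not act as an oracle for token existence.

```ruby
require 'securerandom'

# Hypothetical in-memory authorization server (not Doorkeeper code).
class TokenServer
  Token = Struct.new(:access_token, :refresh_token, :client_id,
                     :previous_refresh_token, :revoked, keyword_init: true)

  # Constructed client registry: client_id => client_secret.
  CLIENTS = { 'app-a' => 'secret-a', 'app-b' => 'secret-b' }.freeze

  def initialize
    @tokens = [] # every token pair ever issued, newest last
  end

  def issue(client_id, previous_refresh_token: nil)
    t = Token.new(access_token: SecureRandom.hex(16), refresh_token: SecureRandom.hex(16),
                  client_id: client_id, previous_refresh_token: previous_refresh_token,
                  revoked: false)
    @tokens << t
    t
  end

  # grant_type=refresh_token. The refresh token must be live and must have been
  # issued to the authenticated client (RFC 6749 §6); a mismatch is
  # invalid_grant, not invalid_client, as #326 on this page notes.
  def refresh(client_id, client_secret, refresh_token)
    return error('invalid_client') unless authenticate(client_id, client_secret)
    old = find_by_refresh(refresh_token)
    return error('invalid_grant') if old.nil? || old.revoked || old.client_id != client_id
    fresh = issue(client_id, previous_refresh_token: old.refresh_token)
    # `old` is deliberately left live here; it is revoked by #use below.
    { access_token: fresh.access_token, refresh_token: fresh.refresh_token }
  end

  # Resource access. The first use of an access token proves the client got
  # the refresh response, so the previous refresh token can now be revoked.
  def use(access_token)
    t = @tokens.find { |x| x.access_token == access_token && !x.revoked }
    return false if t.nil?
    if t.previous_refresh_token
      prev = find_by_refresh(t.previous_refresh_token)
      prev.revoked = true if prev
      t.previous_refresh_token = nil
    end
    true
  end

  # RFC 7009 revocation endpoint: authenticate the client, revoke only a token
  # issued to it, and answer 200 whether or not anything was revoked (§2.2).
  def revoke(client_id, client_secret, token)
    return error('invalid_client') unless authenticate(client_id, client_secret)
    t = @tokens.find { |x| x.access_token == token || x.refresh_token == token }
    t.revoked = true if t && t.client_id == client_id
    { status: 200 }
  end

  def live?(refresh_token)
    t = find_by_refresh(refresh_token)
    !t.nil? && !t.revoked
  end

  private

  def authenticate(client_id, client_secret)
    expected = CLIENTS[client_id]
    !expected.nil? && expected == client_secret
  end

  def find_by_refresh(rt)
    @tokens.find { |x| x.refresh_token == rt }
  end

  def error(code)
    { status: code == 'invalid_client' ? 401 : 400, error: code }
  end
end
```

The replay window for the old refresh token closes at the first use of the new access token rather than at refresh time; that is the trade-off the `previous_refresh_token` column buys.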
- [#811] Toughen parameters filter with exact match
- [#813] Applications admin bugfix
- [#799] Fix Ruby Warnings
- Drop `attr_accessible` from models
- [#730] Force all timezones to use UTC to prevent comparison issues.
- [#802] Remove `config.i18n.fallbacks` from engine
- Fix optional belongs_to for Rails 5
- Fix Ruby warnings
- Drops support for Rails 4.1 and earlier
- Drops support for Ruby 2.0
- [#778] Bug fix: use the remaining time that a token is still valid when building the redirect URI for the implicit grant flow
- [#771] Validation error messages fixes
- Adds foreign key constraints in generated migrations between tokens and grants, and applications
- Support Rails 5
- [#736] Existing valid tokens are now reused in client_credentials flow
- [#749] Allow user to raise authorization error with custom messages.
  Under `resource_owner_authenticator` block a user can `raise Doorkeeper::Errors::DoorkeeperError.new('custom_message')`
- [#762] Check doesn’t abort the actual migration, so it runs
- [#722] `doorkeeper_forbidden_render_options` now supports returning a 404 by specifying `respond_not_found_when_forbidden: true` in the `doorkeeper_forbidden_render_options` method.
- [#734] Simplify and remove duplication in request strategy classes
- [#712] Wrap exchange of grant token for access token and access token refresh in transactions
- [#704] Allow applications scopes to be mass assigned
- [#707] Fixed order of Mixin inclusion and table_name configuration in models
- [#712] Wrap access token and refresh grants in transactions
- Adds JRuby support
- Specs, views and documentation adjustments
- [#693] Updates `en.yml`.
- [#678] Change application-specific scopes to take precedence over server-wide scopes. This removes the previous behavior where the intersection between application and server scopes was used.
- [#671] Fixes `NoMethodError - undefined method 'getlocal'` when calling the /oauth/token path. Switch from using a DateTime object to update AR to using a Time object. (Issue #668)
- [#677] Support editing application-specific scopes via the standard forms
- [#682] Pass error hash to Grape `error!`
- [#683] Generate application secret/UID if fields are blank strings
- [#648] Extracts mongodb ORMs to https://github.com/doorkeeper-gem/doorkeeper-mongodb. If you use ActiveRecord you don’t need to do any change, otherwise you will need to install the new plugin.
- [#665] `doorkeeper_unauthorized_render_options(error:)` and `doorkeeper_forbidden_render_options(error:)` now accept `error` keyword argument.
- Removes `doorkeeper_for` deprecation notice.
- Remove `applications.scopes` upgrade notice.
- [#541] Fixed `undefined method attr_accessible` problem on Rails 4 (happens only when ProtectedAttributes gem is used) in #599
- [#636] `custom_access_token_expires_in` bugfixes
- [#641] syntax error fix (Issue #612)
- [#633] Send extra details to Custom Token Generator
- [#628] Refactor: improve orm adapters to ease extension
- [#637] Upgrade to rspec to 3.2
- [#611] Allow custom access token generators to be used
- [#632] Properly fallback to `default_scopes` when no scope is specified
- [#622] Clarify that there is a logical OR between scopes for authorizing
- [#635] Upgrade to rspec 3
- [#627] i18n fallbacks to english
- Moved CHANGELOG to NEWS.md
- [#595] HTTP spec: Add `scope` for refresh token scope param
- [#596] Limit scopes in app scopes for client credentials
- [#567] Add Grape helpers for easier integration with Grape framework
- [#606] Add custom access token expiration support for Client Credentials flow
- [#588] Fixes scopes_match? bug that skipped authorization form in some cases
- [#574] Remove unused update authorization route.
- [#576] Filter out sensitive parameters from logs.
- [#582] The Authorization HTTP header fields are now case insensitive.
- [#583] Database connection bugfix in certain scenarios.
- Testing improvements
- Remove `wildcard_redirect_url` option
- [#481] Customize token flow OAuth expirations with a config lambda
- [#568] TokensController: Memoize strategy.authorize_response result to enable subclasses to use the response object.
- [#571] Fix database initialization issues in some configurations.
- Documentation improvements
- [#540] Include `created_at` in response.
- [#538] Check application-level scopes in client_credentials and password flow.
- [5596227] Check application scopes in AccessToken when present. Fixes a bug in doorkeeper 2.0.0 and 2.0.1 referring to application specific scopes.
- [#534] Internationalizes doorkeeper views.
- [#545] Ensure there is a connection to the database before checking for missing columns
- [#546] Use `Doorkeeper::` prefix when referencing `Application` to avoid possible application model name conflict.
- [#538] Test with Rails ~> 4.2.
- Enable by default `authorization_code` and `client_credentials` grant flows. Disables implicit and password grant flows by default.
- [#510, #544, 722113f] Revoked refresh token response bugfix.
- [#525, #526, #527] Fix `ActiveRecord::NoDatabaseError` on gem load.
- [#448] Removes `doorkeeper_for` helper. Now we use `before_action :doorkeeper_authorize!`.
- [#469] Allow client applications to restrict the set of allowable scopes. Fixes #317.
  `oauth_applications` relation needs a new `scopes` string column, non nullable, which defaults to an empty string. To add the column run: `rails generate doorkeeper:application_scopes`
  If you'd rather do it by hand, your ActiveRecord migration should contain:

  ```ruby
  add_column :oauth_applications, :scopes, :string, null: false, default: ''
  ```

- Removes `test_redirect_uri` option. It is now called `native_redirect_uri`.
- [#446] Removes `mount Doorkeeper::Engine`. Now we use `use_doorkeeper`.
- [#484] Performance improvement - avoid performing order_by when not required.
- [#450] When password is invalid in Password Credentials Grant, Doorkeeper returned 'invalid_resource_owner' instead of 'invalid_grant', as the spec declares. Fixes #444.
- [#452] Allows `revoked_at` to be set in the future, for future expiry. Rationale: doorkeeper-gem#452 (comment)
- [#480] For Implicit grant flow, access tokens can now be reused. Fixes #421.
- [#491] Reworks of @jasl's #454 and #478. ORM refactor that allows doorkeeper to be extended more easily with unsupported ORMs. It also marks the boundaries between shared model code and ORM specifics inside of the gem.
- [#496] Tests with Rails 4.2.
- [#489] Adds `force_ssl_in_redirect_uri` to force the usage of the HTTPS protocol in non-native redirect uris.
- [#516] SECURITY: Adds `protect_from_forgery` to `Doorkeeper::ApplicationController`
- [#518] Fix random failures in mongodb.
- [#576] Filter out sensitive parameters from logs
- [#516] SECURITY: Adds `protect_from_forgery` to `Doorkeeper::ApplicationController`
- internals
- [#427] Adds specs expectations.
- [#428] Error response refactor.
- [#417] Moves token validation into Access Token class.
- [#439] Removes redundant module includes.
- [#443] TokensController and TokenInfoController inherit from ActionController::Metal
- bug
- [#418] fixes #243, requests with insufficient scope now respond 403 instead of 401. (API change)
- [#438] fixes #398, native redirect for implicit token grant bug.
- [#440] namespace fixes
- enhancements
- [#432] Keeps query parameters
- enhancements
- [#405] Adds facade to more easily get the token from a request in a route constraint.
- [#415] Extend Doorkeeper TokenResponse with an `after_successful_response` callback that allows handling of `response` object.
- internals
- [#409] Deprecates `test_redirect_uri` in favor of `native_redirect_uri`. See discussion in: [#351].
- [#411] Clean rspec deprecations. General test improvements.
- [#412] rspec line width can go longer than 80 (hound CI config).
- bug
- [#413] fixes #340, routing scope is now taken into account in redirect.
- [#401] and [#425] application is not required any longer for access_token.
- enhancements
- [#387] Adds reuse_access_token configuration option.
- enhancements
- [#376] Allow users to enable basic header authorization for access tokens.
- [#374] Token revocation implementation [RFC 7009]
- [#295] Only enable specific grant flows.
- internals
- [#381] Locale source fix.
- [#380] Renames `errors_for` to `doorkeeper_errors_for`.
- [#390] Style adjustments in accordance with Ruby Style Guide from Thoughtbot.
- enhancements
- [#336] mongoid4 support.
- [#372] Allow users to set ActiveRecord table_name_prefix/suffix options
- internals
- [#343] separate OAuth's admin and user end-point to different layouts, upgrade theme to Bootstrap 3.1.
- [#348] Move render_options in filter after `@error` has been set
- bug (spec)
- [#228] token response `expires_in` value is now in seconds, relative to request time
- [#296] client is optional for password grant type.
- [#319] If client credentials are present on password grant type they are validated
- [#326] If client credentials are present in refresh token they are validated
- [#326] If authenticated client does not match original client that obtained a refresh token it responds `invalid_grant` instead of `invalid_client`. Previous usage was invalid according to Section 5.2 of the spec.
- [#329] access tokens' `scopes` string was being compared against `default_scopes` symbols, always unauthorizing.
- [#318] Include "WWW-Authenticate" header with Unauthorized responses
- enhancements
- [#293] Adds ActionController::Instrumentation in TokensController
- [#298] Support for multiple redirect_uris added.
- [#313] `AccessToken.revoke_all_for` actually revokes all non-revoked tokens for an application/owner instead of deleting them.
- [#333] Rails 4.1 support
- internals
- Removes jQuery dependency [fixes #300] [PR #312 is related]
- [#294] Client uid and secret will be generated only if not present.
- [#316] Test warnings addressed.
- [#338] Rspec 3 syntax.
- bug
- Symbols instead of strings for user input.
- enhancements
- [#204] Allow to overwrite scope in routes
- internals
- Returns only present keys in Token Response (may imply a backwards incompatible change). doorkeeper-gem#220
- bug
- [#290] Support for Rails 4 when 'protected_attributes' gem is present.
- enhancements
- [#272] Allow issuing multiple access_tokens for one user/application for multiple devices
- [#170] Increase length of allowed redirect URIs
- [#239] Do not try to load unavailable Request class for the current phase.
- [#273] Relax jquery-rails gem dependency
- bug
- [#269] Rails 3.2 raised `ActiveModel::MassAssignmentSecurity::Error`.
- enhancements
- [#229] Rails 4!
- internals
- [#203] Changing table name to be specific in column_names_with_table
- [#215] README update
- [#227] Use Rails.config.paths["config/routes"] instead of assuming "config/routes.rb" exists
- [#262] Add jquery as gem dependency
- [#263] Add a configuration for ActiveRecord.establish_connection
- Deprecation and Ruby warnings (PRs merged outside of GitHub).
- internals
- [#188] Add IDs to the show views for integration testing @egtann
- enhancements
- [#187] Raise error if configuration is not set
- enhancements
- [#184] Vendor the Bootstrap CSS @tylerhunt
- bug
- [#180] Add localization to authorized_applications destroy notice @aalvarado
- bugfixes
- enhancements
- [#166, #172, #174] Behavior to automatically authorize based on a configured proc
- internals
- [#168] Using expectation syntax for controller specs @rdsoze
- bugfixes
- [#162] Remove ownership columns from base migration template @rdsoze
- bugfixes
- [#160] Removed |routes| argument from initializer authenticator blocks
- documentation
- [#160] Fixed description of context of authenticator blocks
- enhancements
- Mongoid `orm` configuration accepts only :mongoid2 or :mongoid3
- Authorization endpoint does not redirect in #new action anymore. It wasn't specified by OAuth spec
- TokensController now inherits from ActionController::Metal. There might be performance upgrades
- Add link to authorization in Applications scaffold
- [#116] MongoMapper support @carols10cents
- [#122] Mongoid3 support @petergoldstein
- [#150] Introduce test redirect uri for applications
- bugfixes
- [#157] Response token status should be `:ok`, not `:success` @theycallmeswift
- [#159] Remove ActionView::Base.field_error_proc override (fixes #145)
- internals
- Update development dependencies
- Several refactorings
- Rails/ORM are easily switchable with env vars (rails and orm)
- Travis now tests against Mongoid v2
Official support for rubinius was removed.
- enhancements
- Configure the way access token is retrieved from request (default to bearer header)
- Authorization Code expiration time is now configurable
- Add support for mongoid
- [#78, #128, #137, #138] Application Ownership
- [#92] Allow users to skip controllers
- [#99] Remove deprecated warnings for data-* attributes @towerhe
- [#101] Return existing access_token for PasswordAccessTokenRequest @benoist
- [#104] Changed access token scopes example code to default_scopes and optional_scopes @amkirwan
- [#107] Fix typos in initializer
- [#123] i18n for validator, flash messages @petergoldstein
- [#140] ActiveRecord is the default value for the ORM @petergoldstein
- internals
- [#112, #120] Replacing update_attribute with update_column to eliminate deprecation warnings @rmoriz, @petergoldstein
- [#121] Updating all development dependencies to recent versions. @petergoldstein
- [#144] Adding MongoDB dependency to .travis.yml @petergoldstein
- [#143] Displays errors for unconfigured error messages @timgaleckas
- bugfixes
- [#102] Not returning 401 when access token generation fails @cslew
- [#125] Doorkeeper is using ActiveRecord version of as_json in ORM agnostic code @petergoldstein
- [#142] Prevent double submission of password based authentication @bdurand
- documentation
- [#141] Add rack-cors middleware to readme @gottfrois
- bugfixes:
- [#94] Uninitialized Constant in Password Flow
- enhancements:
- Backport: Move doorkeeper_for extension to Filter helper
- deprecation
- Deprecate authorization_scopes
- database changes
- AccessToken#resource_owner_id is not nullable
- enhancements
- [#83] Add Resource Owner Password Credentials flow @jaimeiniesta
- [#76] Allow token expiration to be disabled @mattgreen
- [#89] Configure the way client credentials are retrieved from request
- [#b6470a] Add Client Credentials flow
- internals
- [#2ece8d, #f93778] Introduce Client and ErrorResponse classes
- Fix attr_accessible for rails 3.2.x
- [#86] shrink gem package size
- enhancements
- [#54] Ignore Authorization: headers that are not Bearer @miyagawa
- [#58, #64] Add destroy action to applications endpoint @jaimeiniesta, @davidfrey
- [#63] TokensController responds with `401 unauthorized` @jaimeiniesta
- [#67, #72] Fix for mass-assignment @cicloid
- internals
- [#49] Add Gemnasium status image to README @laserlemon
- [#50] Fix typos @tomekw
- [#51] Updated the factory_girl_rails dependency, fix expires_in response which returned a float number instead of integer @antekpiechnik
- [#62] Typos, .gitignore @jaimeiniesta
- [#65] Change _path redirections to _url redirections @jaimeiniesta
- [#75] Fix unknown method #authenticate_admin! @mattgreen
- Remove application link in authorized app view
- enhancements
- [#48] Add if, else options to doorkeeper_for
- Add views generator
- internals
- Namespace models
- enhancements
- [#17, #31] Add support for client credentials in basic auth header @GoldsteinTechPartners
- [#28] Add indices to migration @GoldsteinTechPartners
- [#29] Allow doorkeeper to run with rails 3.2 @john-griffin
- [#30] Improve client's redirect uri validation @GoldsteinTechPartners
- [#32] Add token (implicit grant) flow @GoldsteinTechPartners
- [#34] Add support for custom unauthorized responses @GoldsteinTechPartners
- [#36] Remove repetitions from the Authorised Applications view @carvil
- When a user revokes an application, all tokens for that application are revoked
- Error messages now can be translated
- Install generator copies the error messages localization file
- internals
- Fix deprecation warnings in ActiveSupport::Base64
- Remove deprecation in doorkeeper_for that handles hash arguments
- Depends on railties instead of whole rails framework
- CI now integrates with rails 3.1 and 3.2
- enhancements
- [#4] Add authorized applications endpoint
- [#5, #11] Add access token scopes
- [#10] Add access token expiration by default
- [#9, #12] Add refresh token flow
- internals
- [#7] Improve configuration options with :default
- Improve configuration options with :builder
- Refactor config class
- Improve coverage of authorization request integration
- bug fixes
- [#6, #20] Fix access token response headers
- Fix issue with state parameter
- deprecation
- deprecate :only and :except options in doorkeeper_for
- enhancements
- [#3] Authorization code must be short lived and single use
- [#2] Improve views provided by doorkeeper
- [#1] Skips authorization form if the client has been authorized by the resource owner
- Improve readme
- bugfixes
- Fix issue when creating the access token (wrong client id)
- Authorization Code flow
- OAuth applications endpoint