diff --git a/lib/generators/doorkeeper/templates/migration.rb.erb b/lib/generators/doorkeeper/templates/migration.rb.erb
index b757b591e..63406e20b 100644
--- a/lib/generators/doorkeeper/templates/migration.rb.erb
+++ b/lib/generators/doorkeeper/templates/migration.rb.erb
@@ -1,9 +1,9 @@
 class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_applications do |t|
-      t.string  :name,         null: false
-      t.string  :uid,          null: false
-      t.string  :secret,       null: false
+      t.string  :name,    null: false
+      t.string  :uid,     null: false
+      t.string  :secret,  null: false
 
       # Remove `null: false` if you are planning to use grant flows
       # that doesn't require redirect URI to be used during authorization
@@ -36,20 +36,20 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
 
     create_table :oauth_access_tokens do |t|
       t.references :resource_owner, index: true
-      t.references :application
+      t.references :application,    null: false
 
       # If you use a custom token generator you may need to change this column
       # from string to text, so that it accepts tokens larger than 255
       # characters. More info on custom token generators in:
       # https://github.com/doorkeeper-gem/doorkeeper/tree/v3.0.0.rc1#custom-access-token-generator
       #
-      # t.text     :token,             null: false
-      t.string   :token,                  null: false
+      # t.text :token, null: false
+      t.string :token, null: false
 
       t.string   :refresh_token
       t.integer  :expires_in
       t.datetime :revoked_at
-      t.datetime :created_at,             null: false
+      t.datetime :created_at, null: false
       t.string   :scopes
 
       # If there is a previous_refresh_token column,
@@ -68,5 +68,9 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
       :oauth_applications,
       column: :application_id
     )
+
+    # Uncomment below to ensure a valid reference to the resource owner's table
+    # add_foreign_key :oauth_access_grants, <model>, column: :resource_owner_id
+    # add_foreign_key :oauth_access_tokens, <model>, column: :resource_owner_id
   end
 end
diff --git a/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb b/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb
index adf011d77..5f89310a6 100644
--- a/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb
+++ b/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb
@@ -3,9 +3,13 @@
 class CreateDoorkeeperTables < ActiveRecord::Migration[4.2]
   def change
     create_table :oauth_applications do |t|
-      t.string  :name,         null: false
-      t.string  :uid,          null: false
-      t.string  :secret,       null: false
+      t.string  :name,    null: false
+      t.string  :uid,     null: false
+      t.string  :secret,  null: false
+
+      # Remove `null: false` if you are planning to use grant flows
+      # that doesn't require redirect URI to be used during authorization
+      # like Client Credentials flow or Resource Owner Password.
       t.text    :redirect_uri, null: false
       t.string  :scopes,       null: false, default: ""
       t.timestamps             null: false
@@ -14,7 +18,7 @@ def change
     add_index :oauth_applications, :uid, unique: true
 
     create_table :oauth_access_grants do |t|
-      t.integer  :resource_owner_id, null: false
+      t.references :resource_owner,  null: false
       t.references :application,     null: false
       t.string   :token,             null: false
       t.integer  :expires_in,        null: false
@@ -32,16 +36,16 @@ def change
     )
 
     create_table :oauth_access_tokens do |t|
-      t.integer  :resource_owner_id
-      t.references :application
+      t.references :resource_owner, index: true
+      t.references :application,    null: false
 
       # If you use a custom token generator you may need to change this column
       # from string to text, so that it accepts tokens larger than 255
       # characters. More info on custom token generators in:
       # https://github.com/doorkeeper-gem/doorkeeper/tree/v3.0.0.rc1#custom-access-token-generator
       #
-      # t.text     :token,             null: false
-      t.string   :token, null: false
+      # t.text :token, null: false
+      t.string :token, null: false
 
       t.string   :refresh_token
       t.integer  :expires_in
@@ -51,12 +55,15 @@ def change
     end
 
     add_index :oauth_access_tokens, :token, unique: true
-    add_index :oauth_access_tokens, :resource_owner_id
     add_index :oauth_access_tokens, :refresh_token, unique: true
     add_foreign_key(
       :oauth_access_tokens,
       :oauth_applications,
       column: :application_id
     )
+
+    # Uncomment below to ensure a valid reference to the resource owner's table
+    add_foreign_key :oauth_access_grants, :users, column: :resource_owner_id
+    add_foreign_key :oauth_access_tokens, :users, column: :resource_owner_id
   end
 end