
With enable_application_owner, issuing a token with grant_type=client_credentials does not associate the token with the owner #1580

Open
Oromis opened this issue Jul 22, 2022 · 8 comments
Labels
bug? pinned For issues that can be stale

Comments

@Oromis

Oromis commented Jul 22, 2022

Steps to reproduce

  • Uncomment enable_application_owner in the config (I even enabled confirmation: enable_application_owner confirmation: true)
  • Enable use_polymorphic_resource_owner in the config
  • Generate & run associated migrations (for both application owner and the polymorphic resource owner)
  • Create an application which has a resource owner (see the following screenshot from my database):
    [screenshot of the oauth_applications row, not reproduced]
  • Make a request to issue an access token using grant_type=client_credentials:
    [screenshot of the token request, not reproduced]
  • The request succeeds, but the token created by this isn't associated with the application's resource owner (a Company in my case):
    [screenshot of the oauth_access_tokens row, not reproduced]

Expected behavior

If an application is associated with a resource owner, then tokens created from this application should inherit the application's owner as its resource owner. Otherwise, how can one assign a resource owner to an access token when using the client_credentials grant type?

Actual behavior

The access token is not associated with the resource owner, see screenshot above.

Maybe I misunderstood something here, in that case please enlighten me.

System configuration

Doorkeeper initializer:

# config/initializers/doorkeeper.rb
Doorkeeper.configure do
  orm :active_record

  resource_owner_authenticator do
    current_user || warden.authenticate!(scope: :user)
  end

  admin_authenticator do
    if current_user
      head :forbidden unless current_user.admin?
    else
      redirect_to new_user_session_url
    end
  end

  use_polymorphic_resource_owner

  enforce_content_type
  authorization_code_expires_in 10.minutes
  access_token_expires_in 1.hour

  hash_token_secrets
  hash_application_secrets
  hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt'

  use_refresh_token
  enable_application_owner confirmation: true

  default_scopes
  optional_scopes Scopes.all

  enforce_configured_scopes
  client_credentials :from_params, :from_basic
  
  force_ssl_in_redirect_uri !Rails.env.development?
  allow_blank_redirect_uri true
  grant_flows %w[authorization_code client_credentials]
end

Ruby version: 2.7.3p183

Gemfile.lock:


@stale

stale bot commented Sep 21, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Sep 21, 2022
@nbulaj nbulaj added bug? pinned For issues that can be stale and removed wontfix labels Sep 22, 2022
@gottfrois
Contributor

I was wondering the exact same thing here as per the oauth.com website mention:

The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user.

@Ksm125

Ksm125 commented Dec 19, 2023

This issue is coming from OAuth::ClientCredentials::Creator#call where we have

Doorkeeper.config.access_token_model.create_for(
  application: application,
  resource_owner: nil,
  scopes: scopes,
  **attributes,
)

we should have something like

Doorkeeper.config.access_token_model.create_for(
  application: application,
  resource_owner: Doorkeeper.config.enable_application_owner? ? application&.owner : nil,
  scopes: scopes,
  **attributes,
)

@ThisIsMissEm

I was wondering the exact same thing here as per the oauth.com website mention:

The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user.

This quote is correct: Access Tokens that are Client Credentials access resources on behalf of the client, and not a user. That is, even if the Application belongs to a user, the client credential only belongs to the application, not to the owner of that application.

@fredplante
Contributor

fredplante commented Mar 9, 2024

I stumbled upon this today, and it looks like a bug to me:

What's the point of having an application owner if not to allow associating the application owner as a token's resource owner when using client credentials?

I agree the spec outlines that client credentials are used to access their own resources, but it doesn't mean much. OAuth applications do not have resources per se. They typically belong to someone/something (the owner), and the owner is the real resource owner.

Typical usage is a website where a user can create an OAuth application to access their data using the client_credentials flow, in a server-to-server scenario.

If an API uses both authorization_code & client_credentials grant flows, you have to use this:

class Api::TransactionsController < Api::BaseController
  def index
    @transactions = resource_owner.transactions
  end

  private

  def resource_owner
    if doorkeeper_token.resource_owner.present?
      doorkeeper_token.resource_owner # token created using authorization_code
    else
      doorkeeper_token.application.owner # token created using client_credentials
    end
  end
end

Maybe I'm missing something, happy to discuss.

@ThisIsMissEm

The specifications for OAuth 2.0 are extremely clear here: client credentials act on behalf of the application, not the user.

Unless you have resources that should only be accessed by the application, e.g., to manipulate the application registration, then you probably don't need the client_credentials grant type.

The fact that an application may be owned by a user account doesn't mean the application should be granted full access to the creator's account through usage of client_credentials, and in fact, that'd be a major security issue potentially.
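The two positions in this thread (fredplante's fallback to application.owner versus ThisIsMissEm's "client credentials act for the application only") can be made concrete. The following is an added example, not Doorkeeper's code: plain-Ruby stand-ins for the application and token records, and a resolver that only lets a client_credentials token act for the application owner when an explicit, hypothetical "owner:read" scope was granted, and otherwise confines it to application-level resources.

```ruby
# Added example (not from the doorkeeper gem): minimal stand-ins for the
# records the thread discusses, so the policy runs without Rails or Doorkeeper.
Application = Struct.new(:uid, :owner, keyword_init: true)

AccessToken = Struct.new(:application, :resource_owner, :scopes, keyword_init: true) do
  # OAuth::ClientCredentials::Creator#call (quoted above) creates the token with
  # resource_owner: nil, so a nil owner is how a client_credentials token is
  # recognised here; authorization_code tokens carry the authorizing user.
  def client_credentials?
    resource_owner.nil?
  end
end

class ForbiddenAccess < StandardError; end

# Hypothetical scope name chosen for this example; a deployment that wants
# server-to-server access to the owner's data would grant it deliberately.
OWNER_SCOPE = "owner:read"

# Whose resources may this token touch?
#
# fredplante's helper returns application.owner for every token with a nil
# resource_owner, which silently turns any client_credentials token into a
# full-access token for the owner's account (the escalation ThisIsMissEm
# describes). Here that fallback is gated on OWNER_SCOPE; without it the token
# acts for the application only, as RFC 6749 section 4.4 intends.
def effective_resource_owner(token)
  return token.resource_owner unless token.client_credentials?

  if token.scopes.include?(OWNER_SCOPE)
    token.application.owner
  else
    raise ForbiddenAccess,
          "client_credentials token for #{token.application.uid} lacks " \
          "#{OWNER_SCOPE}; it acts for the application, not its owner"
  end
end

# Application-level resources (e.g. the registration itself) stay reachable
# for client_credentials tokens regardless of owner scopes.
def application_for(token)
  token.application
end

# Constructed sample data: one app owned by "user:alice" and three tokens.
SAMPLE_APP = Application.new(uid: "app-123", owner: "user:alice")

USER_TOKEN     = AccessToken.new(application: SAMPLE_APP, resource_owner: "user:alice",
                                 scopes: ["read"])          # authorization_code
CC_TOKEN       = AccessToken.new(application: SAMPLE_APP, resource_owner: nil,
                                 scopes: ["read"])          # client_credentials
CC_OWNER_TOKEN = AccessToken.new(application: SAMPLE_APP, resource_owner: nil,
                                 scopes: ["read", OWNER_SCOPE])

if $PROGRAM_NAME == __FILE__
  [USER_TOKEN, CC_TOKEN, CC_OWNER_TOKEN].each do |t|
    begin
      puts "#{t.scopes.inspect} -> owner #{effective_resource_owner(t)}"
    rescue ForbiddenAccess => e
      puts "#{t.scopes.inspect} -> denied: #{e.message}"
    end
  end
end
```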

@fredplante
Contributor

@ThisIsMissEm Thank you for your answer, I'm ready to change my mind about this 🙂 Can you explain a bit what the security issue would be here, in the context of the example I gave: a user creates an OAuth app, owned only by them. The app would be used only for server-to-server communications.

And what would you recommend as an alternative? Access tokens used, similar to github personal tokens?

@ThisIsMissEm

Yes, you'd want to use access tokens for that purpose, if you really need to use OAuth at all for it.

e.g., you don't have to wait until a 2-legged oauth flow to issue access tokens (or authorization grants)

But client_credentials have a very specific purpose which is to access resources on behalf of the application, not the user.
