Releases: doorkeeper-gem/doorkeeper
v5.6.0
v5.6.0.rc1
- [#1551] Change lazy loading for ORM to be Ruby standard autoload.
- [#1552] Remove duplicate IDs on Auth form to improve accessibility.
- [#1542] Improve performance of Doorkeeper::AccessToken#matching_token_for using database-specific SQL time math. [IMPORTANT]: The API of the Doorkeeper::AccessToken#matching_token_for method has changed and it now returns only active access tokens (previously they were just not revoked). Please remember that the idea of the reuse_access_token option is to check for an existing active token (see the configuration option description).
v5.5.4
v5.5.3
v5.5.2
v5.5.1
- [#1496] Revoke old_refresh_token if previous_refresh_token is present.
- [#1495] Fix respond_to undefined in API-only mode.
- [#1488] Verify client authentication for Resource Owner Password Grant when config.skip_client_authentication_for_password_grant is set and the client credentials are sent in an HTTP Basic auth header.
v5.5.0
v5.5.0.rc2
- [#1473] Enable Applications and AuthorizedApplications controllers in API mode. [IMPORTANT] You can still skip these controllers using skip_controllers in use_doorkeeper inside routes.rb. Please do so if you don't need them.
- [#1472] Fix establish_connection configuration for custom defined models.
- [#1471] Add support for Ruby 3.0.
- [#1469] Check if redirect_uri exists.
- [#1465] Memoize nil doorkeeper_token.
- [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.
- [#1457] Make owner_id a bigint for newly-generated owner migrations.
- [#1452] Empty previous_refresh_token only if present.
- [#1440] Validate empty host in redirect_uri.
- [#1438] Add form post response mode.
- [#1458] Make config.skip_client_authentication_for_password_grant a long-term configuration option.
v5.5.0.rc1
- [#1435] Make error response not redirectable when client is unauthorized.
- [#1426] Ensure ActiveRecord callbacks are executed on token revocation.
- [#1407] Remove redundant and complex-to-support helpers from tests (should_have_json, etc).
- [#1416] Don't add introspection route if token introspection is completely disabled.
- [#1410] Properly memoize current_resource_owner value (consider nil and false values).
- [#1415] Ignore PKCE params for non-PKCE grants.
- [#1418] Add ability to register custom OAuth Grant Flows.
- [#1420] Require client authentication for Resource Owner Password Grant as stated in the OAuth RFC. [IMPORTANT] You need to create a new OAuth client (Doorkeeper::Application) if you didn't have one before, and use client credentials in HTTP Basic auth if you previously used this grant flow without client authentication. For migration purposes you could set the skip_client_authentication_for_password_grant configuration option to true, but such behavior (as well as the configuration option) will be completely removed in a future version of Doorkeeper. All the users of your provider application now need to include client credentials when they use this grant flow.
- [#1421] Add Resource Owner instance to authorization hook context for the custom_access_token_expires_in configuration option to allow resource-owner-based Access Token TTL.