v5.6.0

• [#1581] Consider token_type_hint when searching for access token in TokensController to avoid extra database calls.

v5.6.0.rc1

• [#1551] Change lazy loading for ORM to be Ruby standard autoload.

• [#1552] Remove duplicate IDs on Auth form to improve accessibility.

• [#1542] Improve performance of Doorkeeper::AccessToken#matching_token_for using database specific SQL time math.

  [IMPORTANT]: API of the Doorkeeper::AccessToken#matching_token_for method has changed and now it returns
  only active access tokens (previously they were just not revoked). Please remember that the idea of the
  reuse_access_token option is to check for existing active token (see configuration option description).

v5.5.4

• [#1535] Revert changes introduced in #1528 to allow query params in redirect_uri as per the spec.

v5.5.3

• [#1528] Don't allow extra query params in redirect_uri.
• [#1525] I18n source for forbidden token error is now doorkeeper.errors.messages.forbidden_token.missing_scope.
• [#1531] Disable strict-loading for Doorkeeper models by default.
• [#1532] Add support for Rails 7.

v5.5.2

• [#1502] Drop support for Ruby 2.4 because of EOL.
• [#1504] Updated the url fragment in the comment for code documentation.
• [#1512] Fix form behavior when response mode is form_post.
• [#1511] Fix that authorization code is returned by fragment if response_mode is fragament.

v5.5.1

• [#1496] Revoke old_refresh_token if previous_refresh_token is present.
• [#1495] Fix respond_to undefined in API-only mode
• [#1488] Verify client authentication for Resource Owner Password Grant when
  config.skip_client_authentication_for_password_grant is set and the client credentials
  are sent in a HTTP Basic auth header.

v5.5.0

• [#1482] Simplify TokenInfoController to be overridable (extract response rendering).
• [#1478] Fix ownership association and Rake tasks when custom models configured.
• [#1477] Respect ActiveRecord::Base.pluralize_table_names for Doorkeeper table names.

v5.5.0.rc2

• [#1473] Enable Applications and AuthorizedApplications controllers in API mode.

  [IMPORTANT] you can still skip these controllers using skip_controllers in
  use_doorkeeper inside routes.rb. Please do it in case you don't need them.

• [#1472] Fix establish_connection configuration for custom defined models.

• [#1471] Add support for Ruby 3.0.

• [#1469] Check if redirect_uri exists.

• [#1465] Memoize nil doorkeeper_token.

• [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.

• [#1457] Make owner_id a bigint for newly-generated owner migrations

• [#1452] Empty previous_refresh_token only if present.

• [#1440] Validate empty host in redirect_uri.

• [#1438] Add form post response mode.

• [#1458] Make config.skip_client_authentication_for_password_grant a long term configuration option.

v5.5.0.rc1

• [#1435] Make error response not redirectable when client is unauthorized

• [#1426] Ensure ActiveRecord callbacks are executed on token revocation.

• [#1407] Remove redundant and complex to support helpers froms tests (should_have_json, etc).

• [#1416] Don't add introspection route if token introspection completely disabled.

• [#1410] Properly memoize current_resource_owner value (consider nil and false values).

• [#1415] Ignore PKCE params for non-PKCE grants.

• [#1418] Add ability to register custom OAuth Grant Flows.

• [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.

  [IMPORTANT] you need to create a new OAuth client (Doorkeeper::Application) if yoo didn't
  have it before and use client credentials in HTTP Basic auth if you previously used this grant
  flow without client authentication. For migration purposes you could enable
  skip_client_authentication_for_password_grant configuration option to true, but such behavior
  (as well as configuration option) would be completely removed in a future version of Doorkeeper.
  All the users of your provider application now need to include client credentials when they use
  this grant flow.

• [#1421] Add Resource Owner instance to authorization hook context for custom_access_token_expires_in
  configuration option to allow resource owner based Access Tokens TTL.

v5.4.0

• [#1404] Make Doorkeeper::Application#read_attribute_for_serialization public.