Releases: doorkeeper-gem/doorkeeper

v5.5.0.rc2

21 Jan 17:32
06c7baf
Pre-release
  • [#1473] Enable Applications and AuthorizedApplications controllers in API mode.

    [IMPORTANT] you can still skip these controllers using skip_controllers in
    use_doorkeeper inside routes.rb. Do so if you don't need them.

  • [#1472] Fix establish_connection configuration for custom defined models.

  • [#1471] Add support for Ruby 3.0.

  • [#1469] Check if redirect_uri exists.

  • [#1465] Memoize nil doorkeeper_token.

  • [#1459] Use built-in Ruby option to remove padding in PKCE code challenge value.

  • [#1457] Make owner_id a bigint for newly-generated owner migrations.

  • [#1452] Empty previous_refresh_token only if present.

  • [#1440] Validate empty host in redirect_uri.

  • [#1438] Add form post response mode.

  • [#1458] Make config.skip_client_authentication_for_password_grant a long-term configuration option.

v5.5.0.rc1

04 Aug 07:18
e48cb8d
Pre-release
  • [#1435] Make error response not redirectable when client is unauthorized

  • [#1426] Ensure ActiveRecord callbacks are executed on token revocation.

  • [#1407] Remove redundant and hard-to-support helpers from tests (should_have_json, etc).

  • [#1416] Don't add introspection route if token introspection completely disabled.

  • [#1410] Properly memoize current_resource_owner value (consider nil and false values).

  • [#1415] Ignore PKCE params for non-PKCE grants.

  • [#1418] Add ability to register custom OAuth Grant Flows.

  • [#1420] Require client authentication for Resource Owner Password Grant as stated in OAuth RFC.

    [IMPORTANT] you need to create a new OAuth client (Doorkeeper::Application) if you didn't
    have one before, and use client credentials in HTTP Basic auth if you previously used this grant
    flow without client authentication. For migration purposes you could set the
    skip_client_authentication_for_password_grant configuration option to true, but such behavior
    (as well as the configuration option) would be completely removed in a future version of Doorkeeper.
    All users of your provider application now need to include client credentials when they use
    this grant flow.

  • [#1421] Add Resource Owner instance to authorization hook context for custom_access_token_expires_in
    configuration option to allow resource owner based Access Tokens TTL.

v5.4.0

11 May 10:47
f0bd292
  • [#1404] Make Doorkeeper::Application#read_attribute_for_serialization public.

v5.3.3

07 May 19:56
0bdb684
Bump version

v5.2.6

07 May 19:57
ca313cd
Bump version

v5.1.2

07 May 19:57
44d6a00
Bump version

v5.4.0.rc2

02 May 13:28
b9adf37
Pre-release
  • [#1371] Add #as_json method and attributes serialization restriction for Application model.
    Fixes information disclosure vulnerability (CVE-2020-10187).

    [IMPORTANT] you need to re-implement #as_json method for Doorkeeper Application model
    if you previously used #to_json serialization with custom options or attributes or rely on
    JSON response from /oauth/applications.json or /oauth/authorized_applications.json. This change
    is a breaking change which restricts serialized attributes to a very small set of columns.

  • [#1395] Fix NameError: uninitialized constant Doorkeeper::AccessToken for Rake tasks.

  • [#1397] Add as: :doorkeeper_application on Doorkeeper application form in order to support
    custom configured application model.

  • [#1400] Correctly yield the application instance to allow_grant_flow_for_client? config
    option (fixes #1398).

  • [#1402] Handle trying authorization with client credentials.

v5.3.2

02 May 13:41
8495a81
  • [#1371] Backport: Add #as_json method and attributes serialization restriction for Application model.
    Fixes information disclosure vulnerability (CVE-2020-10187).

v5.2.5

02 May 13:40
c8039ec
  • [#1371] Backport: Add #as_json method and attributes serialization restriction for Application model.
    Fixes information disclosure vulnerability (CVE-2020-10187).

v5.1.1

02 May 13:40
081d26b
  • [#1371] Backport: Add #as_json method and attributes serialization restriction for Application model.
    Fixes information disclosure vulnerability (CVE-2020-10187).