Releases: doorkeeper-gem/doorkeeper

v4.4.1

27 Jul 15:00
ff635c7
  • [#1127] Backport token type to comply with the RFC6750 specification.
  • [#1125] Backport Quote surround I18n yes/no keys

v5.0.0.rc2

17 Jul 10:04
178e86c
Pre-release
  • [#1106] Restrict access to AdminController with 'Forbidden 403' if admin_authenticator is not
    configured by developers.
  • [#1108] Simple formatting of callback URLs when listing oauth applications
  • [#1116] AccessGrants will now be revoked along with AccessTokens when
    hitting the AuthorizedApplicationController#destroy route.
  • [#1114] Make token info endpoint's attributes consistent with token creation
  • [#1119] Fix token revocation for OAuth apps using "implicit" grant flow
  • [#1122] Fix AuthorizationsController#new error response to be in JSON format

v4.4.0

17 Jul 10:04
16e76e6
  • [#1120] Backport security fix from 5.x for token revocation when using public clients

v5.0.0.rc1

11 Jun 11:42
bf36149
Pre-release
  • [#1103] Allow customizing use_refresh_token
  • [#1089] Removed enable_pkce_without_secret configuration option
  • [#1102] Expiration time based on scopes
  • [#1099] All the configuration variables in Doorkeeper.configuration now
    always return a non-nil value (true or false)
  • [#1099] ORM / Query optimization: Do not revoke the refresh token if it is not enabled
    in doorkeeper.rb
  • [#996] Expiration Time Based On Grant Type
  • [#997] Allow PKCE authorization_code flow as specified in RFC7636
  • [#907] Fix lookup for matching tokens in certain edge-cases
  • [#992] Add API option to use Doorkeeper without management views for API only
    Rails applications (api_only)
  • [#1045] Validate redirect_uri as the native URI when making authorization code requests
  • [#1048] Remove deprecated Doorkeeper#configured?, Doorkeeper#database_installed?, and
    Doorkeeper#installed? method
  • [#1031] Allow public clients to authenticate without client_secret. Define an app as
    either public or private/confidential
  • [#1010] Add configuration to enforce configured scopes (default_scopes and
    optional_scopes) for applications
  • [#1060] Ensure that the native redirect_uri parameter matches with redirect_uri of the client
  • [#1064] Add :before_successful_authorization and :after_successful_authorization hooks
  • [#1069] Upgrade Bootstrap to 4 for Admin
  • [#1068] Add rake task to cleanup databases that can become large over time
  • [#1072] AuthorizationsController: Memoize strategy.authorize_response result to enable
    subclasses to use the response object.
  • [#1075] Call before_successful_authorization and after_successful_authorization hooks
    on create action as well as new
  • [#1082] Fix #916: remember routes mapping and use it in required places (fix error with
    customized Token Info route).
  • [#1086, #1088] Fix bug with receiving default scopes in the token even if they are
    not present in the application scopes (use scopes intersection).
  • [#1076] Add config to enforce content type to application/x-www-form-urlencoded
  • Fix bug with force_ssl_in_redirect_uri when it breaks existing applications with an
    SSL redirect_uri.

v4.3.2

28 Mar 10:20
e29441b
  • [#1053] Support authorizing with query params in the request redirect_uri if explicitly present in app's Application#redirect_uri

v4.3.1

03 Mar 09:44
2cd4059
  • Remove BaseRecord and introduce additional concern for ordering methods to fix
    breaking changes for Doorkeeper models.
  • [#1032] Refactor BaseRequest callbacks into configurable lambdas
  • [#1040] Clear mixins from ActiveRecord DSL and save only overridable API. It
    allows using these mixins in Doorkeeper ORM extensions with minimum code boilerplate.

v4.3.0

17 Feb 11:06
644d2ce
  • [#976] Fix to invalidate the second redirect URI when the first URI is the native URI
  • [#1035] Allow Application#redirect_uri= to handle array of URIs.
  • [#1036] Allow forbidding Application redirect URIs with specific rules.
  • [#1029] Deprecate order_method and introduce ordered_by. Sort applications
    by created_at in index action.
  • [#1033] Allow Doorkeeper configuration option #force_ssl_in_redirect_uri to be a callable object.
  • Fix Grape integration & add specs for it
  • [#913] Deferred ORM (ActiveRecord) models loading
  • [#943] Fix Access Token token generation when certain errors occur in custom token generators
  • [#1026] Implement RFC7662 - OAuth 2.0 Token Introspection
  • [#985] Generate valid migration files for Rails >= 5
  • [#972] Replace Struct subclassing with block-form initialization
  • [#1003] Use URL query param to pass through native redirect auth code so automated apps can find it.
  • [#868] Scopes#& and Scopes#+ now take an array or any other enumerable
    object.
  • [#1019] Remove translation not in use: invalid_resource_owner.
  • Use Ruby 2 hash style syntax (min required Ruby version = 2.1)
  • [#948] Make Scopes.<=> work with any "other" value.
  • [#974] Redirect URI is checked without query params within AuthorizationCodeRequest.
  • [#1004] More explicit help text for native_redirect_uri.
  • [#1023] Update Ruby versions and test against 2.5.0 on Travis CI.
  • [#1024] Migrate from FactoryGirl to FactoryBot.
  • [#1025] Improve documentation for adding foreign keys
  • [#1028] Make it possible to have composite strategy names.

v4.2.6

21 Feb 15:04
  • [#970] Escape certain attributes in authorization forms.

v4.2.5

12 Mar 16:00
  • [#936] Deprecate Doorkeeper#configured?, Doorkeeper#database_installed?, and
    Doorkeeper#installed?
  • [#909] Add InvalidTokenResponse#reason reader method to allow reading the kind
    of invalid token error.
  • [#928] Test against more recent Ruby versions
  • Small refactorings within the codebase
  • [#921] Switch to Appraisal, and test against Rails master
  • [#892] Add minimum Ruby version requirement

v4.2.0

18 Aug 21:17
  • Security fix: Address CVE-2016-6582, implement token revocation according to
    spec (tokens might not be revoked if client follows the spec).
  • [#873] Add hooks to Doorkeeper::ApplicationMetalController
  • [#871] Allow downstream users to better utilize doorkeeper spec factories by
    eliminating name conflict on :user factory.