forked from doorkeeper-gem/doorkeeper
Merge open source v5.0.0 #38
Open: mt-max wants to merge 135 commits into moneytree:trunk from mt-max:feat/v5.0.0
Conversation
Fix lookup for matching tokens when application has additional scopes
Rails API support
…edirect-uri-when-making-auth-code-request Validate redirect_uri as the native URI when making authorization code requests
- fixed issue about code_challenge in redirect_uri
- ensured doorkeeper is still working, although PKCE migrations are not generated and migrated
- addition to NEWS.md
- addition to README.md
* Add missing NEWS.md entry
* Add description for API option in initializer
* Minor code changes
Implement PKCE
* Remove deprecated configuration methods
* Clean ScopeChecker from the dead code
* Refactor AuthorizationsController
…ecated Remove deprecated methods and clean dead code
Add Application#confidential
Add dummy migration for Application#confidential
Because Dummy app is now Rails 5.1, the old migrations' ancestor class needed to be explicitly the 4.2 variety.
Expose app confidentiality in views & controllers
Allow public applications to be found if secret is blank
Don't use #client_via_uid fallback on Password strategy
Since credentials will only contain UID when a public application is calling, the fallback method of finding by UID alone is dead code. Private apps are not allowed to be identified by UID alone.
Adds custom expiration time based on grant type
…entiality Allow public clients to authenticate without client_secret
Add rails generator that will create migration file to introduce `confidential` column for Applications. That will help legacy projects to migrate on Doorkeeper 5
…onfidential Fix NameError with confidential apps generator
This amends the URIChecker to allow authorization for requests that contain query params. The query params all must be defined in the client app's #redirect_uri and all defined params must be present. Their order does not matter. If there is no query param registered in the app's #redirect_uri then the previous behaviour occurs: stripping the query param from the request and comparing the URLs without it. Fixes doorkeeper-gem#1050
…cation-scopes-configured Configuration to enforce application scopes
…enticator_default doorkeeper-gem#1097: make admin controller forbidden by default
Improve admin_authenticator option description in initializer in order to comply with new behavior.
Add secure example for admin_authenticator configuration option.
…s-update Use RSpec master for Rails master
Better format callback URLs on index page
- When revoking authorization for an application, via `AuthorizedApplicationsController#destroy`, revoke `AccessToken`s and `AccessGrant`s
- Update `AccessToken.revoke_all_for` specs to verify scope is respected. These specs asserted that `AccessToken.all` wasn't empty, but `.all` returns tokens that are revoked and therefore the tests weren't actually verifying that the `revoke_all_for` method didn't revoke `AccessToken`s outside of the intended scope.
Jw revoke patch
Creating an access token yields a response body with the parameter "expires_in" which is recommended as part of the OAuth2 spec. It makes sense to be consistent with this parameter on the info/show token equivalent endpoint instead of calling it "expires_in_seconds". This makes consumers of Doorkeeper write less code since the responses from both POST /oauth/token and GET /oauth/token/info are more uniform.
Rename scopes to scope for consistency with OAuth spec terminology
Add NEWS entry
…nsistent Uses `expires_in` on token show endpoint for consistency
OAuth applications that obtain an access token using the "implicit" grant flow will have their ID set on the token record. Unfortunately this causes the revocation controller code to think it's a confidential application. Because of this, Doorkeeper enforces OAuth client authentication and the revocation call fails.
Fixes doorkeeper-gem#891
Add NEWS entry
Add specs for both public and confidential apps in revocation
Use Application#confidential? to determine revocation auth eligibility
…y-errors-as-json [API mode] Respond with JSON-formatted error for Authorizations #new action
It would be tremendously helpful if the documentation included a reference to Doorkeeper providing CSRF protection by default. I just spent 30 minutes trying to debug why my client was failing with CSRF protections even though my app was configured not to use it; hopefully this will help others as well. (In the end, I wasn't able to use `api_only`, as the JSON response isn't what I was expecting or wanting; I had to monkey-patch the controller. Would you be open to a pull request that added an option to control CSRF protection separately from `api_only`?)
Add note about Rails CSRF protections
…750_token_type Change the token_type initials of the Bearer Token to uppercase
Add a "Reviewed by Hound" badge
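The PKCE commits above ("Implement PKCE" and the code_challenge fix) describe the flow but show no code. The following is an added example in Ruby, written for this page and not taken from Doorkeeper; it models both sides of RFC 7636: the client derives a code_challenge from a code_verifier, and the server recomputes the challenge at the token exchange. The `Pkce` module name and the `exchange_allowed?` helper, which takes a plain Hash standing in for an access grant, are assumptions; in particular the rule that a grant without a stored challenge is exchanged without a verifier is how the commit's "still working although PKCE migrations are not migrated" case is modelled here, not a description of Doorkeeper's internals.

```ruby
require "digest"
require "base64"
require "securerandom"

# Added example, not Doorkeeper's code: the two halves of PKCE (RFC 7636).
# Pkce.generate_verifier / Pkce.challenge_for model the client;
# Pkce.verify and Pkce.exchange_allowed? model the server at /oauth/token.
module Pkce
  # RFC 7636 section 4.1: 43..128 unreserved characters.
  VERIFIER_CHARS = /\A[A-Za-z0-9\-._~]{43,128}\z/.freeze

  module_function

  # Client: 32 random bytes, base64url without padding, gives 43 unreserved chars.
  def generate_verifier
    SecureRandom.urlsafe_base64(32, false)
  end

  # Client (before /oauth/authorize): derive code_challenge from the verifier.
  def challenge_for(verifier, method: "S256")
    case method
    when "S256"  then Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
    when "plain" then verifier
    else raise ArgumentError, "unsupported code_challenge_method: #{method}"
    end
  end

  # Server: recompute the challenge from the presented code_verifier and
  # compare it with the challenge stored on the grant at authorization time.
  def verify(stored_challenge:, stored_method:, code_verifier:)
    return false unless code_verifier.is_a?(String) && code_verifier.match?(VERIFIER_CHARS)
    return false unless %w[S256 plain].include?(stored_method)

    secure_compare(challenge_for(code_verifier, method: stored_method), stored_challenge.to_s)
  end

  # Constant-time comparison so the stored challenge cannot be recovered
  # byte by byte through timing differences.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Assumed (not Doorkeeper's API): `grant` is a Hash with :code_challenge and
  # :code_challenge_method. A grant with no challenge was issued without PKCE
  # (for example because the PKCE columns were never migrated), so the exchange
  # proceeds without a verifier. A grant that carries a challenge must be
  # matched by a valid verifier; the method defaults to "plain" per RFC 7636.
  def exchange_allowed?(grant, code_verifier)
    return true if grant[:code_challenge].nil?

    verify(stored_challenge: grant[:code_challenge],
           stored_method: grant[:code_challenge_method] || "plain",
           code_verifier: code_verifier)
  end
end
```

The S256 vector used in the test below is the one published in RFC 7636 Appendix B, which makes it a convenient fixed check for any PKCE implementation: a single changed character in the verifier must fail, and the constant-time compare means the failure leaks nothing about how close the guess was.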
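The URIChecker commit above (fixes doorkeeper-gem#1050) states the matching rule in prose only. The following is an added example in Ruby, written for this page and not Doorkeeper's URIChecker, that implements that rule: the requested redirect_uri must agree with a registered one on scheme, host, port and path; if the registered URI carries query params, the request must carry exactly those params with the same values in any order; if it carries none, the request's query is stripped before comparison. The `RedirectUriMatcher` name and the `valid_for_client?` helper are assumptions.

```ruby
require "uri"
require "cgi"

# Added example, not Doorkeeper's code: redirect_uri matching with optional
# registered query params, as described in the commit fixing doorkeeper-gem#1050.
module RedirectUriMatcher
  module_function

  # Query string as { name => sorted values }; CGI.parse keeps repeated names,
  # sorting the values makes "a=1&a=2" and "a=2&a=1" compare equal.
  def query_params(uri)
    return {} if uri.query.nil? || uri.query.empty?

    CGI.parse(uri.query).transform_values(&:sort)
  end

  # Strict comparison of everything except the query: no host case folding,
  # no path normalisation, so "/cb/../admin" never matches "/cb".
  def same_base?(a, b)
    a.scheme == b.scheme && a.host == b.host && a.port == b.port && a.path == b.path
  end

  def matches?(registered, requested)
    reg = URI.parse(registered)
    req = URI.parse(requested)
    return false unless same_base?(reg, req)

    reg_q = query_params(reg)
    return true if reg_q.empty? # previous behaviour: ignore the request's query

    # Every registered param must be present with the same value, and the
    # request may not add params that were not registered.
    reg_q == query_params(req)
  rescue URI::InvalidURIError
    false # an unparseable redirect_uri never matches
  end

  # A client may register several redirect URIs (Doorkeeper stores them one per
  # line); the request is valid when it matches any of them.
  def valid_for_client?(registered_uris, requested)
    registered_uris.any? { |r| matches?(r, requested) }
  end
end
```

The important negative cases are an extra unregistered param and a changed value on a registered one: both are rejected, which is what stops an attacker from smuggling an open-redirect target or a different callback into a URI that otherwise looks registered.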
No description provided.