v5.8.0

• [#1739] Add support for dynamic scopes
• [#1715] Fix token introspection invalid request reason
• [#1714] Fix Doorkeeper::AccessToken.find_or_create_for with empty scopes which raises NoMethodError
• [#1712] Add Pragma: no-cache to token response
• [#1726] Refactor token introspection class.
• [#1727] Allow to set null secret value for Applications if they are public.
• [#1735] Add pkce_code_challenge_methods config option.

v5.7.1

• [#1705] Add force_pkce option that requires non-confidential clients to use PKCE when requesting an access_token using an authorization code

v5.7.0

• [#1696] Add missing #issued_token method to OAuth::TokenResponse
• [#1697] Allow a TokenResponse body to be customized (memoize response body).
• [#1702] Fix bugs for error response in the form_post and error view
• [#1660] Custom access token attributes are now considered when finding matching tokens (fixes #1665). Introduce revoke_previous_client_credentials_token configuration option.

v5.6.9

• [#1691] Make new Doorkeeper errors backward compatible with older extensions.

v5.6.8

• [#1680] Fix handle_auth_errors :raise NotImplementedError

v5.6.7

• [#1662] Specify uri_redirect validation class explicitly.
• [#1652] Add custom attributes support to token generator.
• [#1667] Pass client instead of grant.application to find_or_create_access_token.
• [#1673] Honor custom_access_token_attributes in client credentials grant flow.
• [#1676] Improve AuthorizationsController error response handling
• [#1677] Fix URIHelper.valid_for_authorization? breaking for non url URIs.

v5.6.6

• [#1644] Update HTTP headers.
• [#1646] Block public clients automatic authorization skip.
• [#1648] Add custom token attributes to Refresh Token Request.
• [#1649] Fixed custom_access_token_attributes related errors.

v5.6.5

• [#1602] Allow custom data to be stored inside access grants/tokens.
• [#1634] Code refactoring for custom token attributes.
• [#1639] Add grant type validation to avoid Internal Server Error for DELETE /oauth/authorize endpoint.

v5.6.4

• [#1633] Apply ORM configuration in #to_prepare block to avoid autoloading errors.

v5.6.3

• [#1622] Drop support for Rubies 2.5 and 2.6
• [#1605] Fix URI validation for Ruby 3.2+.
• [#1625] Exclude endless access tokens from StaleRecordsCleaner.
• [#1626] Remove deprecated active_record_options config option.
• [#1631] Fix regression with redirect behavior after token lookup optimizations (redirect to app URI when found).
• [#1630] Special case unique index creation for refresh_token on SQL Server.
• [#1627] Lazy evaluate Doorkeeper config when loading files and executing initializers.