Releases: doorkeeper-gem/doorkeeper

v5.4.0.rc1

08 Apr 07:41
ec060bc
v5.4.0.rc1 Pre-release
  • [#1366] Sets expiry of token generated using refresh_token to that of original token. (Fixes #1364)

  • [#1354] Add authorize_resource_owner_for_client option to authorize the calling user to access an application.

  • [#1355] Allow enabling polymorphic Resource Owner association for Access Token & Grant
    models (use_polymorphic_resource_owner configuration option).

    [IMPORTANT] Review any custom patches or extensions you have for Doorkeeper internals:
    Doorkeeper now passes the Resource Owner instance to every object, not
    just its ID. See the PR description for details.

  • [#1356] Remove duplicated scopes from Access Tokens and Grants on attribute assignment.

  • [#1357] Fix Doorkeeper::OAuth::PreAuthorization#as_json method causing
    Stack level too deep error with AMS (fix #1312).

  • [#1358] Deprecate active_record_options configuration option.

  • [#1359] Refactor Doorkeeper configuration options DSL to make it easy to reuse it
    in external extensions.

  • [#1360] Increase matching_token_for lookup size to 10 000 and make it configurable.

  • [#1371] Fix controllers to use valid classes in case Doorkeeper has custom models configured.

  • [#1370] Fix revocation response for invalid token and unauthorized requests to conform with RFC 7009 (fixes #1362).

    [IMPORTANT] Revocation now fully follows RFC 7009: nobody can make a revocation request without client_id
    (for public clients) and client_secret (for private clients). Please update your apps to include that
    information in the revocation request payload.

  • [#1373] Make Doorkeeper routes mapper reusable in extensions.

  • [#1374] Revoke and issue client credentials token in a transaction with a row lock.

  • [#1384] Add context object with auth/pre_auth and issued_token for authorization hooks.

  • [#1387] Add AccessToken#create_for and use in RefreshTokenRequest.

  • [#1392] Fix enable_polymorphic_resource_owner migration template to have proper index name.

  • [#1393] Improve Applications #show page with more informative data on client secret and scopes.

  • [#1394] Use Ruby autoload feature to load Doorkeeper files.

v5.3.1

09 Feb 09:45
110e6d3
  • [#1360] Backport: Increase matching_token_for batch lookup size to 10 000 and make it configurable.

v.5.2.4

09 Feb 09:45
1b1ace7
  • [#1360] Backport: Increase matching_token_for batch lookup size to 10 000 and make it configurable.

v5.3.0

29 Jan 14:57
38b7333
  • [#1339] Validate Resource Owner in PasswordAccessTokenRequest against nil and false values.

  • [#1341] Fix refresh_token_revoked_on_use with hash_token_secrets enabled.

  • [#1343] Fix ruby 2.7 kwargs warning in InvalidTokenResponse.

  • [#1345] Allow setting custom classes for Doorkeeper models, extract reusable AR mixins.

  • [#1346] Refactor Doorkeeper::Application#to_json into convenient #as_json (fix #1344).

  • [#1349] Fix Doorkeeper::Application AR associations using an incorrect foreign key name when using a custom class.

  • [#1318] Make existing token revocation for client credentials optional and disable it by default.

    [IMPORTANT] This is a change compared to the behaviour of version 5.2. If you were relying on access tokens being revoked once the same client requested a new access token, re-enable it with revoke_previous_client_credentials_token in the Doorkeeper initialization file.

v5.2.3

12 Dec 14:46
23e9c03
  • [#1334] Remove application_secret flash helper and redirect_to keyword.
  • [#1331] Move redirect_uri_validator to where it is used (Application model).
  • [#1326] Move response_type check in pre_authorization to a method so it is easy to override.
  • [#1329] Fix find_in_batches order warning.

v5.2.2

10 Nov 10:18
1332d8b
  • [#1320] Call configured authenticate_resource_owner method once per request.
  • [#1315] Allow generation of new secret with Doorkeeper::Application#renew_secret.
  • [#1309] Allow Doorkeeper::Application#to_json to work without arguments.

v5.2.1

17 Sep 13:33
b69df59
  • [#1308] Fix flash types for api_only mode (no flashes for ActionController::API).
  • [#1306] Fix interpolation of missing_param i18n.

v5.2.0

16 Sep 08:34
bef23f6
  • [#1305] Make Doorkeeper::ApplicationController inherit from ActionController::API when api_mode is enabled (fixes #1302).

v5.2.0.rc3

28 Aug 07:37
8cc09f2
v5.2.0.rc3 Pre-release
  • [#1298] Slice strong params so it doesn't error with Rails forms.
  • [#1300] Limiting access to attributes of pre_authorization.
  • [#1296] Adding client_id to strong parameters.
  • [#1293] Move AR-specific redirect URI validator to the AR ORM directory.
  • [#1288] Allow passing attributes to the Doorkeeper::OAuth::PreAuthorization#as_json method to customize
    the PreAuthorization response.
  • [#1286] Add ability to customize grant flows per application (OAuth client) (#1245, #1207).
  • [#1283] Allow customizing the base class for Doorkeeper::ApplicationMetalController (new configuration
    option called base_metal_controller) (fix #1273).
  • [#1277] Prevent requested scope from being empty on authorization request; handle and add description for invalid request.

v5.2.0.rc2

17 Jun 08:28
d3539ad
v5.2.0.rc2 Pre-release
  • [#1270] Find matching tokens in batches for reuse_access_token option (fix #1193).
  • [#1271] Reintroduce existing token revocation for client credentials.
  • [#1269] Update initializer template documentation.
  • [#1266] Use strong parameters within pre-authorization.
  • [#1264] Add :before_successful_authorization and :after_successful_authorization hooks in TokensController.
  • [#1263] Respond properly when introspection fails and fix configuration's user guide.