# frozen_string_literal: true
+require_relative "../../lib/oauth"
+
Doorkeeper.configure do
# Change the ORM that doorkeeper will use (requires ORM extensions installed).
# Check the list of supported ORMs here: https://github.com/doorkeeper-gem/doorkeeper#orms
# end
# end
+ application_class "Oauth2Application" unless Settings.status == "database_offline"
+
# Enables polymorphic Resource Owner association for Access Tokens and Access Grants.
# By default this option is disabled.
#
#
# `context` has the following properties available:
#
- # `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
- # `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
- # `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+ # * `client` - the OAuth client application (see Doorkeeper::OAuth::Client)
+ # * `grant_type` - the grant type of the request (see Doorkeeper::OAuth)
+ # * `scopes` - the requested scopes (see Doorkeeper::OAuth::Scopes)
+ # * `resource_owner` - authorized resource owner instance (if present)
#
# custom_access_token_expires_in do |context|
- # context.client.application.additional_settings.implicit_oauth_expiration
+ # context.client.additional_settings.implicit_oauth_expiration
# end
# Use a custom class for generating the access token.
# The controller +Doorkeeper::ApplicationController+ inherits from.
# Defaults to +ActionController::Base+ unless +api_only+ is set, which changes the default to
# +ActionController::API+. The return value of this option must be a stringified class name.
- # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-base-controller
+ # See https://doorkeeper.gitbook.io/guides/configuration/other-configurations#custom-controllers
base_controller "ApplicationController"
# Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/383
#
# You can not enable this option together with +hash_token_secrets+.
- #
- # reuse_access_token
+
+ reuse_access_token
# In case you enabled `reuse_access_token` option Doorkeeper will try to find matching
# token using `matching_token_for` Access Token API that searches for valid records
# since plain values can no longer be retrieved.
#
# Note: If you are already a user of doorkeeper and have existing tokens
- # in your installation, they will be invalid without enabling the additional
- # setting `fallback_to_plain_secrets` below.
+ # in your installation, they will be invalid without adding 'fallback: :plain'.
+ #
+ # hash_token_secrets
+ # By default, token secrets will be hashed using the
+ # +Doorkeeper::Hashing::SHA256+ strategy.
+ #
+ # If you wish to use another hashing implementation, you can override
+ # this strategy as follows:
+
+ hash_token_secrets :using => "::Doorkeeper::SecretStoring::Plain",
+ :fallback => "::Doorkeeper::SecretStoring::Sha256Hash"
- hash_token_secrets
+ # Keep in mind that changing the hashing function will invalidate all existing
+ # secrets, if there are any.
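Review bot: Lines 59–60 make `::Doorkeeper::SecretStoring::Plain` the primary strategy for access-token secrets, so every token issued after this change is persisted in cleartext, with `Sha256Hash` kept only as a fallback for reading rows hashed under the old bare `hash_token_secrets` on line 61 — this is a downgrade from hashed to plaintext storage, not a hashing change. It appears to be the price of enabling `reuse_access_token` on line 42 (the comment on line 38 says the two options cannot be combined), but the consequence is that a read of the access-token table yields usable bearer tokens rather than digests, which a practitioner would want stated at the call site rather than left implicit, e.g. `# Plain storage is required by reuse_access_token above: new tokens are stored in cleartext and a DB read exposes them.` The surrounding comments on lines 53–54 and 62–63 still describe SHA256 hashing as the behaviour and warn about invalidation, which no longer matches what this block configures; they are worth rewording to say that Plain is now primary and Sha256Hash is the read-fallback for pre-existing tokens.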
# Hash application secrets before persisting them.
hash_application_secrets
+ # By default, applications will be hashed
+ # with the +Doorkeeper::SecretStoring::SHA256+ strategy.
+ #
+ # If you wish to use bcrypt for application secret hashing, uncomment
+ # this line instead:
+ #
+ # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt'
+
# When the above option is enabled, and a hashed token or secret is not found,
# you can allow to fall back to another strategy. For users upgrading
# doorkeeper and wishing to enable hashing, you will probably want to enable
# This will ensure that old access tokens and secrets
# will remain valid even if the hashing above is enabled.
#
- # fallback_to_plain_secrets
+ # This can be done by adding 'fallback: plain', e.g. :
+ #
+ # hash_application_secrets using: '::Doorkeeper::SecretStoring::BCrypt', fallback: :plain
# Issue access tokens with refresh token (disabled by default), you may also
# pass a block which accepts `context` to customize when to give a refresh
# https://doorkeeper.gitbook.io/guides/ruby-on-rails/scopes
# default_scopes :public
- optional_scopes(*Oauth::SCOPES)
+ optional_scopes(*Oauth::SCOPES, *Oauth::PRIVILEGED_SCOPES)
# Allows to restrict only certain scopes for grant_type.
# By default, all the scopes will be available for all the grant types.
# #call can be used in order to allow conditional checks (to allow non-SSL
# redirects to localhost for example).
- force_ssl_in_redirect_uri !Rails.env.development?
+ force_ssl_in_redirect_uri do |uri|
+ !Rails.env.development? && uri.host != "127.0.0.1"
+ end
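Review bot: The new `force_ssl_in_redirect_uri` block on lines 95–97 exempts only the literal host `127.0.0.1` from the HTTPS requirement in non-development environments, so an `http://[::1]:…` loopback redirect (the IPv6 form the loopback-redirect guidance for native apps treats equivalently) is still rejected while the IPv4 one is accepted; if the exemption is meant for loopback native-app flows, `!Rails.env.development? && !%w[127.0.0.1 [::1]].include?(uri.host)` covers both, and the host compare should stay an exact match as it is now, never a prefix or suffix test. Note that `uri.host` is `nil` for custom-scheme URIs, which this block tolerates because the inequality is then true and the non-https check elsewhere decides; a one-line comment such as `# Exact loopback host match only; nil host (custom schemes) falls through to the scheme check.` would make that intent explicit.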
# Specify what redirect URI's you want to block during Application creation.
# Any redirect URI is whitelisted by default.
# Under some circumstances you might want to have applications auto-approved,
# so that the user skips the authorization step.
# For example if dealing with a trusted application.
- #
- # skip_authorization do |resource_owner, client|
- # client.superapp? or resource_owner.admin?
- # end
+
+ skip_authorization do |_, client|
+ client.scopes.include?("skip_authorization")
+ end
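Review bot: The `skip_authorization` block on lines 108–110 bypasses the user consent screen for any client whose stored `scopes` include the string `"skip_authorization"`, and nothing in this hunk shows who can put that scope on an application; since line 89 now adds `Oauth::PRIVILEGED_SCOPES` to `optional_scopes`, if `skip_authorization` is among them and the application registration form lets owners choose any optional scope, every registered client could self-grant silent authorization. Please confirm that assignment of this scope is restricted to administrators (or is not exposed through the public application form at all), and record the assumption next to the block, e.g. `# Only admins may grant the skip_authorization scope; a self-assignable scope here would let any client bypass consent.` The resource owner is deliberately ignored (`|_, client|`), so the decision is purely per-client and not per-user, which is also worth a word in that comment.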
# Configure custom constraints for the Token Introspection request.
# By default this configuration option allows to introspect a token by another