spec/dummy/config/initializers/doorkeeper.rb in doorkeeper-5.1.2 vs spec/dummy/config/initializers/doorkeeper.rb in doorkeeper-5.2.0.rc1
- old
+ new
@@ -63,19 +63,10 @@
# By default it retrieves first from the `HTTP_AUTHORIZATION` header, then
# falls back to the `:access_token` or `:bearer_token` params from the `params` object.
# Check out the wiki for more information on customization
# access_token_methods :from_bearer_authorization, :from_access_token_param, :from_bearer_param
- # Change the native redirect uri for client apps
- # When clients register with the following redirect uri, they won't be redirected to any server and
- # the authorization code will be displayed within the provider
- # The value can be any string. Use nil to disable this feature.
- # When disabled, clients must provide a valid URL
- # (Similar behaviour: https://developers.google.com/accounts/docs/OAuth2InstalledApp#choosingredirecturi)
- #
- # native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
-
# Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
# by default in non-development environments). OAuth2 delegates security in
# communication to the HTTPS protocol so it is wise to keep this enabled.
#
# force_ssl_in_redirect_uri !Rails.env.development?
@@ -112,9 +103,36 @@
# Under some circumstances you might want to have applications auto-approved,
# so that the user skips the authorization step.
# For example if dealing with a trusted application.
# skip_authorization do |resource_owner, client|
# client.superapp? or resource_owner.admin?
+ # end
+
+ # Implement constraints in case you use Client Credentials to authenticate
+ # the introspection endpoint.
+ # By default allow introspection if the introspected token belongs to authorized client,
+ # OR token doesn't belong to any client (public token). Otherwise disallow.
+ #
+ # Params:
+ # `token` - the token to be introspected (see Doorkeeper::AccessToken)
+ # `client` - the client application authorized for the endpoint (see Doorkeeper::Application)
+ #
+ # You can completely ignore it:
+ # allow_token_introspection do |_token, _client|
+ # false
+ # end
+ #
+ # Or you can define your custom check:
+ # Adding `protected_resource` boolean column to applications table
+ # to allow protected_resource client introspect the token of normal client.
+ # In this case, protected resource client must be confidential.
+ #
+ # allow_token_introspection do |token, client|
+ # if token.application
+ # token.application == client || client.protected_resource?
+ # else
+ # true
+ # end
# end
# WWW-Authenticate Realm (default "Doorkeeper").
realm "Doorkeeper"
end
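Review bot: The custom-check example `token.application == client || client.protected_resource?` assumes `client` is always non-nil; if an introspection request can be authorized by something other than client credentials (the text above presents Client Credentials as one option), `client` would presumably be nil there and the block raises NoMethodError instead of denying. Safe navigation keeps the example fail-closed for anyone who copies it: `token.application == client || client&.protected_resource?`. The `else` branch returning `true` intentionally lets any authorized caller introspect tokens with no application, which matches the stated default but is worth saying explicitly in the comment, e.g. `# public tokens (no application) are introspectable by any authorized client`. The configuration block that the final `end` closes starts outside this hunk.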