default scopes to assign to a client application, ["profile.read"] by default.

type of the generated access token, "bearer" by default.

The number of seconds an oauth grant is valid after creation, 5 minutes by default.

The number of seconds an oauth token is valid after creation, 5 minutes by default.

The number of seconds a refresh token is valid after creation, 1 year by default.

protection policy for the refresh token (rotation by default).

character used to separate scopes in the db field value, white-space by default.

list of supported auth methods for the token endpoint (contains “client_secret_basic” and “client_secret_post” by default).

list of supported grant types.

list of supported response types.

list of supported response modes.

list of supported URI schemes for a client application’s “redirect_uri”, %w[https] by default.

the db table where oauth applications are stored, :oauth_applications by default.

the db column where the oauth application primary key is stored, :id by default.

the db column where the oauth application account ID it belongs to is stored, :account_id by default.

the db column where the oauth application name is stored, :name by default.

the db column where the oauth application description is stored, :description by default.

the db column where the oauth allowed scopes are stored, :scopes by default.

the db column where the oauth application client ID is stored, :client_id by default.

the db column where the oauth application plaintext client secret is stored, :client_secret by default.

the db column where the oauth application hashed client secret is stored, :client_secret by default.

the db column where the oauth application redirect URI is stored, :redirect_uri by default.

the db column where the oauth application homepage URL is stored, :homepage_url by default.

the db column where the oauth application contacts are stored, :contacts by default.

the db column where the oauth application supported grant types are stored, :grant_types by default.

the db column where the oauth application supported response types are stored, :response_types by default.

the db column where the oauth application supported response modes are stored, :response_modes by default.

the db column where the oauth application JSON Web Keys are stored, :jwks by default.

the db column where the oauth application JSON Web Keys URI is stored, :jwks_uri by default.

the db column where the oauth application logo URL is stored, :logo_uri by default.

the db column where the oauth application policy URL is stored, :policy_uri by default.

the db column where the oauth application terms of service URL is stored, :tos_uri by default.

the db column where the oauth application software ID is stored, :software_id by default.

the db column where the oauth application software version is stored, :software_version by default.

the db column where the oauth application supported auth method for the token endpoint is stored, :software_id by default.

the db table where oauth grants are stored, :oauth_grants by default.

the db column where the oauth grant primary key is stored, :id by default.

the db column where the oauth grant oauth application ID is stored, :oauth_application_id by default.

the db column where the oauth grant account ID is stored, :account_id by default.

the db column where the grant type is stored, :type by default.

the db column where the oauth grant authorization code is stored, :code by default.

the db column where the oauth grant redirect URI is stored, :redirect_uri by default.

the db column where the oauth grant scopes are stored, <tt>:scopes<tt> by default.

the db column where the oauth grant expiration time is stored, :expires_in by default.

the db column where the oauth grant revocation time is stored, :revoked_at by default.

the db column where the oauth token access token is stored (when it’s stored), :token by default.

the db column where the refresh token is stored, :refresh_token by default.

the db column where the access token hash is stored, <tt>:token<tt> by default.

the db column where the refresh token hash is stored, <tt>:refresh_token<tt> by default.

The content type to set for json responses, application/json by default.

The regexp to retrieve a valid json content type.

HTTP status code used for authorization errors, 401 by default.

HTTP status code used for invalid responses, 400 by default.

HTTP status code used for already in use responses, 409 by default.

whether the application responds only with json.

error description for the “invalid_client” OAuth error code, "Invalid client" by default.

error description for the “invalid_grant_type” OAuth error code, "Invalid grant type" by default.

oauth error code for using invalid grants, "unsupported_grant_type" by default.

error description for the “invalid_grant” OAuth error code, "Invalid grant" by default.

error description for the “invalid_scope” OAuth error code, "Invalid scope" by default.

error description for the “unsupported_token_type” OAuth error code, "Invalid token type hint" by default.

oauth error code for when a token is already in use, "invalid_request" by default.

error description for the “already_in_use” OAuth error code.

OAuth service documentation URL, nil by default.

UI locales supported in the OAuth journey, nil by default.

OAuth use of data and client requirements URL, nil by default.

OAuth terms of service, nil by default.

flag to signal whether it’s an authorization server, true by default.

the route for token generation, defaults to token.

Run arbitrary code before the token route.

Run arbitrary code before generating an access token.

max retries for token generation.

when true, it’ll reuse the same access token for a given account/client application for each new verified grant.

The flash error to display when authorization is required.

The flash error to display when an unauthorized account tries to revoke a token.

button label which cancels the device verification.

performs a GET http request to the given URL (or a POST with url-encoded body, if form data is passed)

store where http requests get cached according to the HTTP cache rules.

retrieves the access token from the request (defaults to fetching from the “Authorization” header).

verifies if provided secret matches the application’s client secret.

calculates the hash of a given client secret.

hashes an access token (when the token hash is stored in the db).

returns the authorization server origin URL.

generates random base64 strings, used for raw access tokens, client IDs, etc.

uniqueness index to use in ON CONFLICT queries (when supported).

requires the account to be logged in by default (calls ‘require_account`), can be overriden to add more functionality (i.e. requiring 2FA before authorization).

returns a dataset filtered for an account id (overriden in rails to use Active Record Account model)

returns a dataset filtered for an oauth application id (overriden in rails to use Active Record OAuthApplication model)