diff --git a/doorkeeper.gemspec b/doorkeeper.gemspec
index 6dc071085..3b24fe210 100644
--- a/doorkeeper.gemspec
+++ b/doorkeeper.gemspec
@@ -27,4 +27,26 @@ Gem::Specification.new do |s|
 s.add_development_dependency "generator_spec", "~> 0.9.3"
 s.add_development_dependency "rake", ">= 11.3.0"
 s.add_development_dependency "rspec-rails"
+
+ s.post_install_message = %q{
+
+
+ WARNING: This is a security release that addresses token revocation not working for public apps (CVE-2018-1000211)
+
+ There is no breaking change in this release, however to take advantage of the security fix you must:
+
+ 1. Run `rails generate doorkeeper:add_client_confidentiality` for the migration
+ 2. Review your OAuth apps and determine which ones exclusively use public grant flows (eg implicit)
+ 3. Update their `confidential` column to `false` for those public apps
+
+ This is a backported security release.
+
+ For more information:
+
+ * https://github.com/doorkeeper-gem/doorkeeper/pull/1119
+ * https://github.com/doorkeeper-gem/doorkeeper/issues/891
+
+
+
+ }
 end
diff --git a/lib/doorkeeper/orm/active_record/application.rb b/lib/doorkeeper/orm/active_record/application.rb
index a3ca6773d..bfd930f7c 100644
--- a/lib/doorkeeper/orm/active_record/application.rb
+++ b/lib/doorkeeper/orm/active_record/application.rb
@@ -32,6 +32,14 @@ def self.authorized_for(resource_owner)
 where(id: resource_access_tokens.select(:application_id).distinct)
 end
 
+ # Fallback to existing, default behaviour of assuming all apps to be
+ # confidential if the migration hasn't been run
+ def confidential
+ self.class.column_names.include?('confidential') ? super : true
+ end
+
+ alias_method :confidential?, :confidential
+
 private
 
 def generate_uid
diff --git a/lib/generators/doorkeeper/add_client_confidentiality_generator.rb b/lib/generators/doorkeeper/add_client_confidentiality_generator.rb
new file mode 100644
index 000000000..bff7da11b
--- /dev/null
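Review bot: The fallback in `confidential` deliberately reproduces the pre-fix behaviour — every app is treated as confidential while the `confidential` column is absent — so public apps stay exposed to the CVE-2018-1000211 issue until the generated migration has run and their rows are set to `false`; the comment above the method states the compatibility intent but not that consequence, which is what a maintainer reading this model later needs. I would replace the two comment lines with `# Until the add_client_confidentiality migration has run there is no column to consult, so every app is treated as confidential (the pre-fix behaviour); public apps are only covered by the fix once the column exists and is false for them.` Aliasing `confidential?` to the same method looks right, since a plain attribute query method would presumably bypass the fallback. The enclosing class starts and ends outside the hunk.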
+++ b/lib/generators/doorkeeper/add_client_confidentiality_generator.rb
@@ -0,0 +1,27 @@
+require 'rails/generators/active_record'
+
+class Doorkeeper::AddClientConfidentialityGenerator < ::Rails::Generators::Base
+ include Rails::Generators::Migration
+ source_root File.expand_path('../templates', __FILE__)
+ desc 'Adds a migration to fix CVE-2018-1000211.'
+
+ def install
+ migration_template(
+ 'add_confidential_to_application_migration.rb.erb',
+ 'db/migrate/add_confidential_to_doorkeeper_application.rb',
+ migration_version: migration_version
+ )
+ end
+
+ def self.next_migration_number(dirname)
+ ActiveRecord::Generators::Base.next_migration_number(dirname)
+ end
+
+ private
+
+ def migration_version
+ if ActiveRecord::VERSION::MAJOR >= 5
+ "[#{ActiveRecord::VERSION::MAJOR}.#{ActiveRecord::VERSION::MINOR}]"
+ end
+ end
+end
diff --git a/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb b/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb
new file mode 100644
index 000000000..d6d2ae856
--- /dev/null
+++ b/lib/generators/doorkeeper/templates/add_confidential_to_application_migration.rb.erb
@@ -0,0 +1,11 @@
+class AddConfidentialToDoorkeeperApplication < ActiveRecord::Migration<%= migration_version %>
+ def change
+ add_column(
+ :oauth_applications,
+ :confidential,
+ :boolean,
+ null: false,
+ default: true # maintaining backwards compatibility: require secrets
+ )
+ end
+end
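Review bot: `migration_version` returns nil on ActiveRecord below 5 and the template relies on `<%= %>` rendering nil as an empty string to produce an unversioned `ActiveRecord::Migration` superclass; that is intentional but reads as an oversight, so a comment on the method, `# nil renders as "" in the template: pre-5 migrations take no version suffix`, would settle it. As a point of style, `source_root File.expand_path('../templates', __FILE__)` is the pre-`__dir__` idiom; `source_root File.expand_path('templates', __dir__)` says the same thing without the `'..'` hop. The `desc` could also tell the operator that the added column defaults every existing app to confidential, since the generator is the command they run rather than the gemspec message.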
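Review bot: The inline comment on `default: true` undersells what the default means for the fix: when the column is added every existing row, public-client apps included, becomes confidential, so the CVE-2018-1000211 fix does not cover those apps until an operator sets their rows to `false`; the gemspec's post-install message says this, but the migration is what ends up in the application's repository and should say it too. I would expand the comment to `# default: true keeps every existing app confidential (client secret required), the pre-fix behaviour; public apps must be set to false by hand for the fix to cover them`. `null: false` together with the default is the right pairing so that the model's `confidential` never sees a nil.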