Ignoring unrecognized custom attributes

lib/doorkeeper/oauth/authorization/code.rb

@@ -50,8 +50,11 @@ def access_grant_attributes
 
         def custom_attributes
           # Custom access token attributes are saved into the access grant,
-          # and then included in subsequently generated access tokens.
-          @pre_auth.custom_access_token_attributes.to_h.with_indifferent_access
+          # and then included in subsequently generated access tokens. Only
+          # recognized attributes are saved.
+          @pre_auth.custom_access_token_attributes.to_h.with_indifferent_access.select do |attrib, _v|
+            Doorkeeper.config.access_grant_model.has_attribute?(attrib)
+          end
         end
 
         def pkce_attributes

lib/doorkeeper/oauth/base_request.rb

@@ -38,6 +38,11 @@ def find_or_create_access_token(client, resource_owner, scopes, custom_attribute
           use_refresh_token: Authorization::Token.refresh_token_enabled?(server, context),
         }
 
+        # Only select custom attributes that the token model recognizes.
+        custom_attributes.select! do |attrib, _v|
+          Doorkeeper.config.access_token_model.has_attribute?(attrib)
+        end
+
         @access_token =
           Doorkeeper.config.access_token_model.find_or_create_for(**token_attributes.merge(custom_attributes))
       end