# Changelog

All notable changes to this project will be documented in this file.

The format (since v2) is based on Keep a Changelog v1,
and this project adheres to Semantic Versioning v2.

## Unreleased

### Added

### Changed

### Deprecated

### Removed

### Fixed

### Security
## 2.0.11 - 2025-05-23

- TAG: v2.0.11
- COVERAGE: 100.00% – 518/518 lines in 14 files
- BRANCH COVERAGE: 100.00% – 172/172 branches in 14 files
- 80.00% documented

### Added

- gh651 - `:snaky_hash_klass` option (@pboling)
- More documentation
- Codeberg as ethical mirror (@pboling)
    - https://codeberg.org/oauth-xx/oauth2
- Don’t check for cert if `SKIP_GEM_SIGNING` is set (@pboling)
- All runtime deps, including oauth-xx sibling gems, are now tested against HEAD (@pboling)
- YARD config, GFM compatible with relative file links (@pboling)
- Documentation site on GitHub Pages (@pboling)
- !649 - Test compatibility with all key minor versions of Hashie v0, v1, v2, v3, v4, v5, HEAD (@pboling)
- gh651 - Mock OAuth2 server for testing (@pboling)
    - https://github.com/navikt/mock-oauth2-server

### Changed

- gh651 - Upgraded to snaky_hash v2.0.3 (@pboling)
    - Provides solution for serialization issues
- Updated `spec.homepage_uri` in gemspec to GitHub Pages YARD documentation site (@pboling)

### Fixed

- gh650 - Regression in return type of `OAuth2::Response#parsed` (@pboling)
- Incorrect documentation related to silencing warnings (@pboling)
## 2.0.10 - 2025-05-17

- TAG: v2.0.10
- COVERAGE: 100.00% – 518/518 lines in 14 files
- BRANCH COVERAGE: 100.00% – 170/170 branches in 14 files
- 79.05% documented

### Added

- gh!632 - Added `funding.yml` (@Aboling0)
- !635 - Added `.gitlab-ci.yml` (@jessieay)
- #638 - Documentation of support for ILO Fundamental Principles of Rights at Work (@pboling)
- !642 - 20-year certificate for signing gem releases, expires 2045-04-29 (@pboling)
    - Gemspec metadata
        - `funding_uri`
        - `news_uri`
        - `mailing_list_uri`
    - SHA256 and SHA512 checksums for release
- !643 - Add `token_name` option (@pboling)
    - Specify the parameter name that identifies the access token
- !645 - Add `OAuth2::OAUTH_DEBUG` constant, based on `ENV["OAUTH_DEBUG"]` (@pboling)
- !646 - Add `OAuth2.config.silence_extra_tokens_warning`, default: false (@pboling)
- !647 - Add IETF RFC 7009 compliant Token Revocation (@pboling)
    - `OAuth2::Client#revoke_token`
    - `OAuth2::AccessToken#revoke`
    - See: https://datatracker.ietf.org/doc/html/rfc7009
- gh!644, gh!645 - Added `CITATION.cff` (@Aboling0)
- !648 - Improved documentation (@pboling)
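Worked example, added here and not part of the oauth2 gem: what an RFC 7009 revocation request looks like on the wire, built with Ruby's standard library only. It also shows the `%20` form encoding from !633 in this release, the `:basic_auth` versus `:request_body` client authentication that 2.0.0 (!312) made the default, and the RFC 6749 section 2.3.1 rule of not sending a `nil` secret (!560). `TokenRequestExample`, `revocation_request`, `handle_revocation` and the `oauth/revoke` default path are names chosen for this example, not the gem's API (`Client#revoke_token` / `AccessToken#revoke`).

```ruby
# Added example, not the oauth2 gem's code: stdlib-only construction of the
# back-channel requests the entries above describe. Module and method names
# are this example's own.
require "uri"

module TokenRequestExample
  # Form encoding as of 2.0.10 (!633): spaces become %20, never "+".
  # encode_www_form_component turns a literal "+" into %2B first, so the gsub
  # only ever touches encoded spaces.
  def self.encode(value)
    URI.encode_www_form_component(value.to_s).gsub("+", "%20")
  end

  def self.form_encode(params)
    params.map { |k, v| "#{encode(k)}=#{encode(v)}" }.join("&")
  end

  # Client authentication per RFC 6749 section 2.3.1. :basic_auth (the 2.0.0
  # default) sends form-encoded id:secret in an Authorization header;
  # :request_body sends them as form fields. A nil secret is not sent at all
  # (!560), which is how a public client is represented.
  def self.client_auth(client_id:, client_secret:, auth_scheme:, headers:, params:)
    case auth_scheme
    when :basic_auth
      raise ArgumentError, ":basic_auth needs a client_secret" if client_secret.nil?
      credential = "#{encode(client_id)}:#{encode(client_secret)}"
      headers["Authorization"] = "Basic #{[credential].pack('m0')}" # strict base64, no newline
    when :request_body
      params["client_id"] = client_id
      params["client_secret"] = client_secret unless client_secret.nil?
    else
      raise ArgumentError, "unknown auth_scheme #{auth_scheme.inspect}"
    end
  end

  # RFC 7009 section 2.1: POST token (and optional token_type_hint) to the
  # revocation endpoint, authenticated like a token request. The endpoint is a
  # relative path resolved against the site, like the 2.0.0 endpoint defaults.
  def self.revocation_request(site:, client_id:, client_secret:, token:,
                              token_type_hint: nil, auth_scheme: :basic_auth,
                              revoke_url: "oauth/revoke")
    headers = {"Content-Type" => "application/x-www-form-urlencoded"}
    params = {"token" => token}
    params["token_type_hint"] = token_type_hint.to_s if token_type_hint
    client_auth(client_id: client_id, client_secret: client_secret,
                auth_scheme: auth_scheme, headers: headers, params: params)
    {method: :post, url: URI.join(site, revoke_url).to_s, headers: headers, body: form_encode(params)}
  end

  # RFC 7009 section 2.2: the server answers 200 whether or not the token was
  # known, so the endpoint cannot be used to probe for valid tokens. Only an
  # unsupported hint is an error (section 2.2.1). `store` stands in for the
  # authorization server's token table.
  def self.handle_revocation(store, body)
    fields = URI.decode_www_form(body).to_h
    hint = fields["token_type_hint"]
    return [400, "unsupported_token_type"] if hint && !%w[access_token refresh_token].include?(hint)
    store.delete(fields["token"])
    [200, ""]
  end
end
```

The server side deliberately returns 200 for unknown tokens; a client library that raises on every non-2xx would otherwise be tempted to treat "already revoked" as a failure.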
### Changed

- Default value of `OAuth2.config.silence_extra_tokens_warning` was `false`, now `true` (@pboling)
- Gem releases are now cryptographically signed, with a 20-year cert (@pboling)
    - Allow linux distros to build release without signing, as their package managers sign independently
- !647 - `OAuth2::AccessToken#refresh` now supports block param pass through (@pboling)
- !647 - `OAuth2.config` is no longer writable (@pboling)
- !647 - Errors raised by `OAuth2::AccessToken` are now always `OAuth2::Error` and have better metadata (@pboling)

### Fixed

- #95 - restoring an access token via `AccessToken#from_hash` (@pboling)
    - This was a 13 year old bug report. 😘
- #619 - Internal options (like `snaky`, `raise_errors`, and `parse`) are no longer included in request (@pboling)
- !633 - Spaces will now be encoded as `%20` instead of `+` (@nov.matake)
- !634 - `CHANGELOG.md` documentation fix (@skuwa229)
- !638 - fix `expired?` when `expires_in` is `0` (@disep)
- !639 - Only instantiate `OAuth2::Error` if `raise_errors` option is `true` (@glytch2)
- #639 - `AccessToken#to_hash` is now serializable, just a regular Hash (@pboling)
- !640 - `README.md` documentation fix (@martinezcoder)
- !641 - Do not include sensitive information in the `inspect` (@manuelvanrijn)
- #641 - Made default JSON response parser more resilient (@pboling)
- #645 - Response no longer becomes a snaky hash (@pboling)
- gh!646 - Change `require` to `require_relative` (improve performance) (@Aboling0)
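Worked example, added here and not the gem's `AccessToken`: a minimal token object that shows the behaviours fixed in this release (`token_name`, `from_hash` / `to_hash` round trip, internal options dropped from what is sent, `expired?` with `expires_in` of 0, redacted `inspect`) together with the `:expires_latency` option and the "expired at the boundary instant" rule that 2.0.0 introduced. `ExampleAccessToken` and its `now:` keyword are this example's own; `now:` exists so the expiry logic can be exercised without touching the system clock.

```ruby
# Added example, not the oauth2 gem's AccessToken. Names are this example's own.
require "json"
require "time"

class ExampleAccessToken
  # #619: request-building options that must never be sent to the server
  INTERNAL_OPTIONS = %w[snaky raise_errors parse].freeze

  attr_reader :token, :refresh_token, :expires_at, :params, :token_name

  def initialize(token, expires_in: nil, expires_at: nil, expires_latency: nil,
                 refresh_token: nil, token_name: "access_token", now: Time.now, **params)
    raise ArgumentError, "token is required" if token.nil? || token.to_s.empty?
    @token = token.to_s
    @token_name = token_name
    @refresh_token = refresh_token
    @expires_at =
      if expires_at then Time.at(expires_at.to_i)
      elsif expires_in then now + expires_in.to_i # 0 is a real value: expires right now (!638)
      end
    # !394: shrink validity by expires_latency so the token is treated as
    # expired before the server actually starts rejecting it
    @expires_at -= expires_latency.to_i if @expires_at && expires_latency
    @params = params.transform_keys(&:to_s).reject { |k, _| INTERNAL_OPTIONS.include?(k) }
  end

  # #95 / !643: rebuild a token from a token response or a stored to_hash.
  # token_name picks the field that carries the token; everything else
  # (refresh_token, scope, id_token, ...) is preserved in params.
  def self.from_hash(hash, token_name: "access_token", now: Time.now)
    h = hash.transform_keys(&:to_s)
    token = h.delete(token_name) || h.delete("token")
    new(token,
        expires_in: h.delete("expires_in"),
        expires_at: h.delete("expires_at"),
        expires_latency: h.delete("expires_latency"),
        refresh_token: h.delete("refresh_token"),
        token_name: token_name,
        now: now,
        **h.transform_keys(&:to_sym))
  end

  # #639: a plain Hash of JSON-serializable values that from_hash accepts back
  def to_hash
    h = {"token" => token}
    h["refresh_token"] = refresh_token if refresh_token
    h["expires_at"] = expires_at.to_i if expires_at
    h.merge(params)
  end

  def expires?
    !expires_at.nil?
  end

  # !191: the token is expired at expires_at itself, not one second later
  def expired?(now: Time.now)
    expires? && expires_at <= now
  end

  # !641: never leak token material through logs, exceptions or consoles
  def inspect
    exp = expires_at ? expires_at.getutc.iso8601 : "never"
    "#<#{self.class.name} token=[FILTERED] refresh_token=[FILTERED] expires_at=#{exp}>"
  end
end
```

Storing `expires_at` (an absolute instant) rather than `expires_in` in the serialized form is what makes the round trip safe: a relative lifetime re-applied on restore would silently extend the token.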
## 2.0.9 - 2022-09-16

- TAG: v2.0.9

### Added

- More specs (@pboling)

### Changed

- Complete migration to main branch as default (@pboling)
- Complete migration to Gitlab, updating all links, and references in VCS-managed files (@pboling)

## 2.0.8 - 2022-09-01

- TAG: v2.0.8

### Changed

- !630 - Extract snaky_hash to external dependency (@pboling)

### Added

- !631 - New global configuration option `OAuth2.config.silence_extra_tokens_warning` (default: false) fixes #628

## 2.0.7 - 2022-08-22

- TAG: v2.0.7

### Added

- !629 - Allow POST of JSON to get token (@pboling, @terracatta)

### Fixed

- !626 - Fixes a regression in 2.0.6. Will now prefer the key order from the lookup, not the hash keys (@rickselby)
    - Note: This fixes compatibility with `omniauth-oauth2` and AWS
- !625 - Fixes the printed version in the post install message (@hasghari)

## 2.0.6 - 2022-07-13

- TAG: v2.0.6

### Fixed

- !624 - Fixes a regression in v2.0.5, where an error would be raised in refresh_token flows due to (legitimate) lack of access_token (@pboling)

## 2.0.5 - 2022-07-07

- TAG: v2.0.5

### Fixed

- !620 - Documentation improvements, to help with upgrading (@swanson)
- !621 - Fixed #528 and #619 (@pboling)
    - All data in responses is now returned, with the access token removed and set as `token`
    - `refresh_token` is no longer dropped
    - BREAKING: Microsoft’s `id_token` is no longer left as `access_token['id_token']`, but moved to the standard `access_token.token` that all other strategies use
    - Remove `parse` and `snaky` from options so they don’t get included in response
    - There is now 100% test coverage, for lines and branches, and it will stay that way.

## 2.0.4 - 2022-07-01

- TAG: v2.0.4

### Fixed

- !618 - In some scenarios the `snaky` option default value was not applied (@pboling)

## 2.0.3 - 2022-06-28

- TAG: v2.0.3

### Added

- !611 - Proper deprecation warnings for `extract_access_token` argument (@pboling)
- !612 - Add `snaky: false` option to skip conversion to `OAuth2::SnakyHash` (default: true) (@pboling)

### Fixed

- !608 - Wrap `Faraday::TimeoutError` in `OAuth2::TimeoutError` (@nbibler)
- !615 - Fix support for requests with blocks, see `Faraday::Connection#run_request` (@pboling)
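Worked example, added here and not code from snaky_hash, rash_alt or `OAuth2::SnakyHash`: what "keys are transformed to snake case, but the original keys still resolve" (the 2.0.0 default) means in practice, why `parsed.to_h` is where callers break, and what the `snaky: false` option introduced in this release switches off. `ExampleSnakyHash` and `parse_token_response` are names chosen for this example.

```ruby
# Added example, not the gem's SnakyHash. Names are this example's own.
require "json"

class ExampleSnakyHash < Hash
  # "accessToken" -> "access_token", "IDToken" -> "id_token", :Refresh-Token -> "refresh_token"
  def self.snake(key)
    key.to_s
       .gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
       .gsub(/([a-z\d])([A-Z])/, '\1_\2')
       .tr("-", "_")
       .downcase
  end

  # Build from any Hash; nested Hashes are converted too.
  def self.[](source)
    h = new
    source.each { |k, v| h[k] = v }
    h
  end

  # Storage always uses the snake_case form of the key ...
  def []=(key, value)
    value = self.class[value] if value.is_a?(Hash) && !value.is_a?(self.class)
    super(self.class.snake(key), value)
  end

  # ... and every lookup normalises the same way, so "accessToken",
  # :AccessToken and "access_token" all find the same entry.
  def [](key)
    super(self.class.snake(key))
  end

  def key?(key)
    super(self.class.snake(key))
  end

  def fetch(key, *rest, &blk)
    super(self.class.snake(key), *rest, &blk)
  end

  # A plain Hash with snake_case keys only: code that relied on the original
  # camelCase keys in `parsed.to_h` is what the 2.0.0 change breaks.
  def to_h
    each_with_object({}) { |(k, v), out| out[k] = v.is_a?(self.class) ? v.to_h : v }
  end
end

# The shape of the `snaky:` switch: default on, `snaky: false` hands back the
# parser's own Hash untouched.
def parse_token_response(body, snaky: true)
  parsed = JSON.parse(body)
  snaky ? ExampleSnakyHash[parsed] : parsed
end
```

Normalising on both write and read is what keeps the "original keys still work" promise; a one-time rename of keys on parse would not.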
## 2.0.2 - 2022-06-24

- TAG: v2.0.2

### Fixed

- !604 - Wrap `Faraday::TimeoutError` in `OAuth2::TimeoutError` (@stanhu)
- !606 - Ruby 2.7 deprecation warning fix: Move `access_token_class` parameter into `Client` constructor (@stanhu)
- !607 - CHANGELOG correction, reference to `OAuth2::ConnectionError` (@zavan)

## 2.0.1 - 2022-06-22

- TAG: v2.0.1

### Added

- Documentation improvements (@pboling)
- Increased test coverage to 99% (@pboling)

## 2.0.0 - 2022-06-21

- TAG: v2.0.0

### Added

- !158, !344 - Optionally pass raw response to parsers (@niels)
- !190, !332, !334, !335, !360, !426, !427, !461 - Documentation (@josephpage, @pboling, @meganemura, @joshRpowell, @elliotcm)
- !220 - Support IETF rfc7523 JWT Bearer Tokens Draft 04+ (@jhmoore)
- !298 - Set the response object on the access token on Client#get_token for debugging (@cpetschnig)
- !305 - Option: `OAuth2::Client#get_token` - `:access_token_class` (`AccessToken`); user specified class to use for all calls to `get_token` (@styd)
- !346 - Modern gem structure (@pboling)
- !351 - Support Jruby 9k (@pboling)
- !362 - Support SemVer release version scheme (@pboling)
- !363 - New method `OAuth2::AccessToken#refresh!` same as old `refresh`, with backwards compatibility alias (@pboling)
- !364 - Support `application/hal+json` format (@pboling)
- !365 - Support `application/vnd.collection+json` format (@pboling)
- !376 - Documentation: Example / Test for Google 2-legged JWT (@jhmoore)
- !381 - Spec for extra header params on client credentials (@nikz)
- !394 - Option: `OAuth2::AccessToken#initialize` - `:expires_latency` (`nil`); number of seconds by which AccessToken validity will be reduced to offset latency (@klippx)
- !412 - Support `application/vnd.api+json` format (from jsonapi.org) (@david-christensen)
- !413 - Documentation: License scan and report (@meganemura)
- !442 - Option: `OAuth2::Client#initialize` - `:logger` (`::Logger.new($stdout)`) logger to use when OAUTH_DEBUG is enabled (for parity with `1-4-stable` branch) (@rthbound)
- !494 - Support OIDC 1.0 Private Key JWT; based on the OAuth JWT assertion specification (RFC 7523) (@SteveyblamWork)
- !549 - Wrap `Faraday::ConnectionFailed` in `OAuth2::ConnectionError` (@nikkypx)
- !550 - Raise error if location header not present when redirecting (@stanhu)
- !552 - Add missing `version.rb` require (@ahorek)
- !553 - Support `application/problem+json` format (@janz93)
- !560 - Support IETF rfc6749, section 2.3.1 - don’t set auth params when `nil` (@bouk)
- !571 - Support Ruby 3.1 (@pboling)
- !575 - Support IETF rfc7231, section 7.1.2 - relative location in redirect (@pboling)
- !581 - Documentation: of breaking changes (@pboling)
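Worked example, added here and not `OAuth2::Response` or `OAuth2::Error` code: content-type driven parsing of a token-endpoint reply covering the JSON media types listed above plus form encoding, with the empty-body and unparseable-body cases (!595, !598 under Fixed below) and the `raise_errors` switch (!460) handled explicitly. Error codes are kept as strings, as !300 documents. `ExampleResponse` and `ExampleParseError` are names chosen for this example.

```ruby
# Added example, not the gem's Response/Error classes. Names are this example's own.
require "json"
require "uri"

class ExampleParseError < StandardError
  attr_reader :code, :description, :status

  # !300: OAuth error codes are strings ("invalid_grant"), not symbols
  def initialize(code:, description: nil, status: nil)
    @code, @description, @status = code.to_s, description, status
    super("#{@code} (HTTP #{status}): #{description}")
  end
end

module ExampleResponse
  # JSON and its registered structured-syntax suffix variants all parse as JSON
  JSON_TYPES = %w[application/json application/hal+json application/vnd.collection+json
                  application/vnd.api+json application/problem+json].freeze

  def self.parser_for(content_type)
    mime = content_type.to_s.split(";").first.to_s.strip.downcase
    return ->(body) { JSON.parse(body) } if JSON_TYPES.include?(mime)
    return ->(body) { URI.decode_www_form(body).to_h } if mime == "application/x-www-form-urlencoded"
    nil # unknown media type: nothing we can safely interpret
  end

  # Returns the parsed Hash. With raise_errors (the default) an empty body, an
  # unparseable body, an HTTP error status or an OAuth `error` member raises
  # ExampleParseError; with raise_errors: false a failed parse returns nil and
  # an error payload is returned for the caller to inspect.
  def self.parse(status:, content_type:, body:, raise_errors: true)
    body = body.to_s
    if body.strip.empty?
      raise ExampleParseError.new(code: "empty_response", status: status) if raise_errors
      return nil
    end
    parser = parser_for(content_type)
    parsed =
      begin
        parser&.call(body)
      rescue JSON::ParserError, ArgumentError
        nil
      end
    if parsed.nil?
      raise ExampleParseError.new(code: "unparseable_response", description: body[0, 80], status: status) if raise_errors
      return nil
    end
    oauth_error = parsed.is_a?(Hash) && parsed.key?("error")
    if raise_errors && (status >= 400 || oauth_error)
      raise ExampleParseError.new(
        code: oauth_error ? parsed["error"] : "http_error",
        description: parsed.is_a?(Hash) ? (parsed["error_description"] || parsed["detail"] || parsed["title"]) : nil,
        status: status
      )
    end
    parsed
  end
end
```

Only the first 80 bytes of an unparseable body go into the error message; a full HTML error page or a stray token in a misrouted response should not end up in exception logs.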
### Changed

- !191 - BREAKING: Token is expired if `expired_at` time is `now` (@davestevens)
- !312 - BREAKING: Set `:basic_auth` as default for `:auth_scheme` instead of `:request_body`. This was default behavior before 1.3.0. (@tetsuya, @wy193777)
- !317 - Dependency: Upgrade `jwt` to 2.x.x (@travisofthenorth)
- !338 - Dependency: Switch from `Rack::Utils.escape` to `CGI.escape` (@josephpage)
- !339, !368, !424, !479, !493, !539, !542, !553 - CI Updates, code coverage, linting, spelling, type fixes, New VERSION constant (@pboling, @josephpage, @ahorek)
- !410 - BRE AKING: Removed the ability to call `.error` from an `OAuth2::Response` object (@jhmoore)
- !414 - Use `Base64.strict_encode64` instead of custom internal logic (@meganemura)
- !469 - BREAKING: Default value for option `OAuth2::Client` - `:authorize_url` removed leading slash to work with relative paths by default (`'oauth/authorize'`) (@ghost)
- !469 - BREAKING: Default value for option `OAuth2::Client` - `:token_url` removed leading slash to work with relative paths by default (`'oauth/token'`) (@ghost)
- !507, !575 - BREAKING: Transform keys to snake case, always, by default (ultimately via `rash_alt` gem)
    - Original keys will still work as previously, in most scenarios, thanks to `rash_alt` gem.
    - However, this is a breaking change if you rely on `response.parsed.to_h`, as the keys in the result will be snake case.
    - As of version 2.0.4 you can turn key transformation off with the `snaky: false` option.
- !576 - BREAKING: Stop rescuing parsing errors (@pboling)
- !591 - DEPRECATION: `OAuth2::Client` - `:extract_access_token` option is deprecated

### Fixed

- !158, !344 - Handling of errors when using `omniauth-facebook` (@niels)
- !294 - Fix: “Unexpected middleware set” issue with Faraday when `OAUTH_DEBUG=true` (@spectator, @gafrom)
- !300 - Documentation: `Oauth2::Error` - Error codes are strings, not symbols (@NobodysNightmare)
- !318, !326, !343, !347, !397, !464, !561, !565 - Dependency: Support all versions of `faraday` (see gemfiles/README.md for compatibility matrix with Ruby engines & versions) (@pboling, @raimondasv, @zacharywelch, @Fudoshiki, @ryogift, @sj26, @jdelStrother)
- !322, !331, !337, !361, !371, !377, !383, !392, !395, !400, !401, !403, !415, !567 - Updated Rubocop, Rubocop plugins and improved code style (@pboling, @bquorning, @lautis, @spectator)
- !328 - Documentation: Homepage URL is SSL (@amatsuda)
- !339, !479 - Update testing infrastructure for all supported Rubies (@pboling and @josephpage)
- !366 - Security: Fix logging to `$stdout` of request and response bodies via Faraday’s logger and `ENV["OAUTH_DEBUG"] == 'true'` (@pboling)
- !380 - Fix: Stop attempting to encode non-encodable objects in `Oauth2::Error` (@jhmoore)
- !399 - Fix: Stop duplicating `redirect_uri` in `get_token` (@markus)
- !410 - Fix: `SystemStackError` caused by circular reference between Error and Response classes (@jhmoore)
- !460 - Fix: Stop throwing errors when `raise_errors` is set to `false`; analog of !524 for `1-4-stable` branch (@joaolrpaulo)
- !472 - Security: Add checks to enforce `client_secret` is never passed in authorize_url query params for `implicit` and `auth_code` grant types (@dfockler)
- !482 - Documentation: Update last of `intridea` links to `oauth-xx` (@pboling)
- !536 - Security: Compatibility with more (and recent) Ruby OpenSSL versions, Github Actions, Rubocop updated, analogous to !535 on `1-4-stable` branch (@pboling)
- !595 - Graceful handling of empty responses from `Client#get_token`, respecting `:raise_errors` config (@stanhu)
- !596 - Consistency between `AccessToken#refresh` and `Client#get_token` named arguments (@stanhu)
- !598 - Fix unparseable data not raised as error in `Client#get_token`, respecting `:raise_errors` config (@stanhu)

### Removed

- !341 - Remove Rdoc & Jeweler related files (@josephpage)
- !342 - BREAKING: Dropped support for Ruby 1.8 (@josephpage)
- !539 - Remove reliance on globally included OAuth2 in tests, analog of !538 for 1-4-stable (@anderscarling)
- !566 - Dependency: Removed `wwtd` (@bquorning)
- !589, !593 - Remove support for expired MAC token draft spec (@stanhu)
- !590 - Dependency: Removed `multi_json` (@stanhu)
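Worked example, added here and not `OAuth2::Client` code: front-channel URL building with the !469 relative-path defaults, the !472 guard that keeps `client_secret` out of the authorize URL, `redirect_uri` sent exactly once in the code exchange (!399), and the redirect rules from !550 and !575 (missing `Location` is an error; a relative `Location` is resolved against the request URL). `ExampleAuthorizeUrl`, its methods and `MissingLocation` are names chosen for this example.

```ruby
# Added example, not the gem's Client. Names are this example's own.
require "uri"

class ExampleAuthorizeUrl
  MissingLocation = Class.new(StandardError)
  FORBIDDEN = %w[client_secret].freeze

  def initialize(site:, client_id:, client_secret: nil,
                 authorize_url: "oauth/authorize", token_url: "oauth/token")
    @site, @client_id, @client_secret = site, client_id, client_secret
    @authorize_url, @token_url = authorize_url, token_url
  end

  # Relative endpoints resolve against the site (RFC 3986 reference
  # resolution); an absolute endpoint is used as given.
  def endpoint(path)
    URI.join(@site, path)
  end

  # Front-channel URL for the auth_code (response_type=code) and implicit
  # (response_type=token) grants. It travels through the browser, Referer
  # headers and proxy logs, so the secret must never be part of it: refuse
  # both a client_secret parameter and any parameter carrying the secret's value.
  def authorize(redirect_uri:, response_type: "code", **params)
    params = params.transform_keys(&:to_s)
    leaked = params.keys & FORBIDDEN
    raise ArgumentError, "#{leaked.join(', ')} must not be sent to the authorize endpoint" unless leaked.empty?
    if @client_secret && params.values.any? { |v| v.to_s == @client_secret }
      raise ArgumentError, "client_secret value found in authorize params"
    end
    query = {"client_id" => @client_id, "response_type" => response_type,
             "redirect_uri" => redirect_uri}.merge(params)
    uri = endpoint(@authorize_url)
    uri.query = form_encode(query)
    uri.to_s
  end

  # Back-channel body for the code exchange: redirect_uri is written exactly
  # once even if the caller also put one in params.
  def token_body(code:, redirect_uri:, params: {})
    extra = params.transform_keys(&:to_s)
    extra.delete("redirect_uri")
    form_encode({"grant_type" => "authorization_code", "code" => code,
                 "redirect_uri" => redirect_uri}.merge(extra))
  end

  def token_endpoint
    endpoint(@token_url).to_s
  end

  # Following a 3xx: resolve a relative Location against the request URL
  # (RFC 7231 section 7.1.2) and treat a missing Location as an error instead
  # of silently re-requesting the same URL.
  def self.next_location(request_url, status, headers)
    return nil unless (300..399).cover?(status)
    location = headers.find { |k, _| k.to_s.casecmp("location").zero? }&.last
    raise MissingLocation, "#{status} response without a Location header" if location.nil? || location.empty?
    URI.join(request_url, location).to_s
  end

  private

  # spaces as %20 rather than "+" (2.0.10, !633); encode_www_form has already
  # turned a literal "+" into %2B, so only encoded spaces are touched
  def form_encode(hash)
    URI.encode_www_form(hash).gsub("+", "%20")
  end
end
```

Checking parameter values as well as names catches the common mistake of passing the secret under another key (for example as `client_assertion` or `hint`) into a URL that is logged everywhere along the way.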
## 1.4.11 - 2022-09-16

- TAG: v1.4.11
- Complete migration to main branch as default (@pboling)
- Complete migration to Gitlab, updating all links, and references in VCS-managed files (@pboling)

## 1.4.10 - 2022-07-01

## 1.4.9 - 2022-02-20

- TAG: v1.4.9
- Fixes compatibility with Faraday v2 (572)
- Includes supported versions of Faraday in test matrix:
    - Faraday ~> 2.2.0 with Ruby >= 2.6
    - Faraday ~> 1.10 with Ruby >= 2.4
    - Faraday ~> 0.17.3 with Ruby >= 1.9
- Add Windows and MacOS to test matrix

## 1.4.8 - 2022-02-18

- TAG: v1.4.8
- MFA is now required to push new gem versions (@pboling)
- README overhaul w/ new Ruby Version and Engine compatibility policies (@pboling)
- !569 - Backport fixes (!561 by @ryogift), and add more fixes, to allow faraday 1.x and 2.x (@jrochkind)
- Improve Code Coverage tracking (Coveralls, CodeCov, CodeClimate), and enable branch coverage (@pboling)
- Add CodeQL, Security Policy, Funding info (@pboling)
- Added Ruby 3.1, jruby, jruby-head, truffleruby, truffleruby-head to build matrix (@pboling)
- !543 - Support for more modern Open SSL libraries (@pboling)

## 1.4.7 - 2021-03-19

## 1.4.6 - 2021-03-19

- TAG: v1.4.6
- !540 - Add VERSION constant (@pboling)
- !537 - Fix crash in OAuth2::Client#get_token (@anderscarling)
- !538 - Remove reliance on globally included OAuth2 in tests, analogous to !539 on main branch (@anderscarling)

## 1.4.5 - 2021-03-18

- TAG: v1.4.5
- !535 - Compatibility with range of supported Ruby OpenSSL versions, Rubocop updates, Github Actions, analogous to !536 on main branch (@pboling)
- !518 - Add extract_access_token option to OAuth2::Client (@jonspalmer)
- !507 - Fix camel case content type, response keys (@anvox)
- !500 - Fix YARD documentation formatting (@olleolleolle)

## 1.4.4 - 2020-02-12

## 1.4.3 - 2020-01-29

- TAG: v1.4.3
- !483 - add project metadata to gemspec (@orien)
- !495 - support additional types of access token requests (@SteveyblamFreeagent, @thomcorley, @dgholz)
    - Adds support for private_key_jwt and tls_client_auth
- !433 - allow field names with square brackets and numbers in params (@asm256)

## 1.4.2 - 2019-10-01

- TAG: v1.4.2
- !478 - support latest version of faraday & fix build (@pboling)
    - Officially support Ruby 2.6 and truffleruby

## 1.4.1 - 2018-10-13

- TAG: v1.4.1
- !417 - update jwt dependency (@thewoolleyman)
- !419 - remove rubocop dependency (temporary, added back in !423) (@pboling)
- !418 - update faraday dependency (@pboling)
- !420 - update oauth2.gemspec (@pboling)
- !421 - fix CHANGELOG.md for previous releases (@pboling)
- !422 - update LICENSE and README.md (@pboling)
- !423 - update builds, Rakefile (@pboling)

## 1.4.0 - 2017-06-09

- TAG: v1.4.0
- Drop Ruby 1.8.7 support (@sferik)
- Fix some RuboCop offenses (@sferik)
- Dependency: Remove Yardstick (@sferik)
- Dependency: Upgrade Faraday to 0.12 (@sferik)

## 1.3.1 - 2017-03-03 (tag)

- Add support for Ruby 2.4.0 (@pschambacher)
- Dependency: Upgrade Faraday to Faraday 0.11 (@mcfiredrill, @rhymes, @pschambacher)

## 1.3.0 - 2016-12-28 (tag)

- Add support for header-based authentication to the `Client` so it can be used across the library (@bjeanes)
- Default to header-based authentication when getting a token from an authorisation code (@maletor)
- Breaking: Allow an `auth_scheme` (`:basic_auth` or `:request_body`) to be set on the client, defaulting to `:request_body` to maintain backwards compatibility (@maletor, @bjeanes)
- Handle `redirect_uri` according to the OAuth 2 spec, so it is passed on redirect and at the point of token exchange (@bjeanes)
- Refactor handling of encoding of error responses (@urkle)
- Avoid instantiating an `Error` if there is no error to raise (@urkle)
- Add support for Faraday 0.10 (@rhymes)

## 1.2.0 - 2016-07-01 (tag)

- Properly handle encoding of error responses (so we don’t blow up, for example, when Google’s response includes a ∞) (@Motoshi-Nishihira)
- Make a copy of the options hash in `AccessToken#from_hash` to avoid accidental mutations (@Linuus)
- Use `raise` rather than `fail` to throw exceptions (@sferik)

## 1.1.0 - 2016-01-30 (tag)

- Various refactors (eliminating `Hash#merge!` usage in `AccessToken#refresh!`, use `yield` instead of `#call`, freezing mutable objects in constants, replacing constants with class variables) (@sferik)
- Add support for Rack 2, and bump various other dependencies (@sferik)

## 1.0.0 - 2014-07-09 (tag)

### Added

- Add an implementation of the MAC token spec.

### Fixed

- Fix Base64.strict_encode64 incompatibility with Ruby 1.8.7.

## 0.5.0 - 2011-07-29 (tag)

### Changed

- breaking: `oauth_token` renamed to `oauth_bearer`.
- breaking: `authorize_path` Client option renamed to `authorize_url`.
- breaking: `access_token_path` Client option renamed to `token_url`.
- breaking: `access_token_method` Client option renamed to `token_method`.
- breaking: `web_server` renamed to `auth_code`.