# Changelog

All notable changes to this project will be documented in this file.

The format (since v2) is based on Keep a Changelog v1, and this project adheres to Semantic Versioning v2.

## Unreleased

### Added

### Changed

### Deprecated

### Removed

### Fixed

### Security
## 2.0.12 - 2025-05-31

- TAG: v2.0.12
- Line Coverage: 100.0% (520 / 520)
- Branch Coverage: 100.0% (174 / 174)
- 80.00% documented

### Added

- gh652 - Support IETF rfc7515 JSON Web Signature (JWS) by @mridang
  - Support JWT `kid` for key discovery and management
- More documentation by @pboling
  - Documented Serialization Extensions
- Added Gatzo.com FLOSS logo by @Aboling0, CC BY-SA 4.0
- Documentation site @ oauth2.galtzo.com now complete

### Changed

- Updates to gemspec (email, funding url, post install message)

### Deprecated

### Removed

### Fixed

- Documentation typos by @pboling

### Security
## 2.0.11 - 2025-05-23

- TAG: v2.0.11
- COVERAGE: 100.00% – 518/518 lines in 14 files
- BRANCH COVERAGE: 100.00% – 172/172 branches in 14 files
- 80.00% documented

### Added

- gh651 - `:snaky_hash_klass` option (@pboling)
- More documentation
- Codeberg as ethical mirror (@pboling)
- Don't check for cert if SKIP_GEM_SIGNING is set (@pboling)
- All runtime deps, including oauth-xx sibling gems, are now tested against HEAD (@pboling)
- YARD config, GFM compatible with relative file links (@pboling)
- Documentation site on GitHub Pages (@pboling)
- !649 - Test compatibility with all key minor versions of Hashie v0, v1, v2, v3, v4, v5, HEAD (@pboling)
- github.com/navikt/mock-oauth2-server

### Changed

- gh651 - Upgraded to snaky_hash v2.0.3 (@pboling)
  - Provides solution for serialization issues
- Updated `spec.homepage_uri` in gemspec to GitHub Pages YARD documentation site (@pboling)

### Fixed

- gh650 - Regression in return type of `OAuth2::Response#parsed` (@pboling)
- Incorrect documentation related to silencing warnings (@pboling)
## 2.0.10 - 2025-05-17

- TAG: v2.0.10
- COVERAGE: 100.00% – 518/518 lines in 14 files
- BRANCH COVERAGE: 100.00% – 170/170 branches in 14 files
- 79.05% documented

### Added

- gh!632 - Added `funding.yml` (@Aboling0)
- !635 - Added `.gitlab-ci.yml` (@jessieay)
- #638 - Documentation of support for ILO Fundamental Principles of Rights at Work (@pboling)
- !642 - 20-year certificate for signing gem releases, expires 2045-04-29 (@pboling)
  - Gemspec metadata
    - `funding_uri`
    - `news_uri`
    - `mailing_list_uri`
  - SHA256 and SHA512 checksums for release
- !643 - Add `token_name` option (@pboling)
  - Specify the parameter name that identifies the access token
- !645 - Add `OAuth2::OAUTH_DEBUG` constant, based on `ENV["OAUTH_DEBUG"]` (@pboling)
- !646 - Add `OAuth2.config.silence_extra_tokens_warning`, default: false (@pboling)
- !647 - Add IETF RFC 7009-compliant token revocation (@pboling)
- !648 - Improved documentation (@pboling)

### Changed

- Default value of `OAuth2.config.silence_extra_tokens_warning` was `false`, now `true` (@pboling)
- Gem releases are now cryptographically signed, with a 20-year cert (@pboling)
  - Allow linux distros to build release without signing, as their package managers sign independently
- !647 - `OAuth2::AccessToken#refresh` now supports block param pass through (@pboling)
- !647 - `OAuth2.config` is no longer writable (@pboling)
- !647 - Errors raised by `OAuth2::AccessToken` are now always `OAuth2::Error` and have better metadata (@pboling)

### Fixed

- #95 - restoring an access token via `AccessToken#from_hash` (@pboling)
  - This was a 13 year old bug report. 😘
- #619 - Internal options (like `snaky`, `raise_errors`, and `parse`) are no longer included in request (@pboling)
- !633 - Spaces will now be encoded as `%20` instead of `+` (@nov.matake)
- !634 - CHANGELOG.md documentation fix (@skuwa229)
- !638 - fix `expired?` when `expires_in` is `0` (@disep)
- !639 - Only instantiate `OAuth2::Error` if `raise_errors` option is `true` (@glytch2)
- #639 - `AccessToken#to_hash` is now serializable, just a regular Hash (@pboling)
- !641 - Do not include sensitive information in the `inspect` (@manuelvanrijn)
- #641 - Made default JSON response parser more resilient (@pboling)
- #645 - Response no longer becomes a snaky hash (@pboling)
- gh!646 - Change `require` to `require_relative` (improve performance) (@Aboling0)
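The three token-object fixes above (restoring a token via `from_hash`, `to_hash` being a plain serializable Hash, and `inspect` not leaking credentials) share one pattern. The following is an added illustration written for this page, not the oauth2 gem's own code: `DemoAccessToken`, its method names and the sample values are assumptions modelled on the changelog wording. It shows a round trip through JSON (which only works because `to_hash` returns a regular `Hash`) and an `inspect` that redacts the token and refresh token so they cannot end up in logs or exception messages.

```ruby
require "json"

# Illustrative model (not the oauth2 gem's code) of the AccessToken#to_hash /
# AccessToken#from_hash round trip fixed in 2.0.10 (#95, #639) and of the
# redacted #inspect from !641. Class, method and key names are assumptions
# chosen to mirror the changelog wording, not the gem's real API.
class DemoAccessToken
  REDACTED_KEYS = %w[token refresh_token].freeze
  CORE_KEYS = (REDACTED_KEYS + %w[expires_at]).freeze

  attr_reader :token, :refresh_token, :expires_at, :params

  # expires_at is an Integer epoch so the serialized form stays JSON-friendly.
  def initialize(token:, refresh_token: nil, expires_at: nil, params: {})
    @token = token
    @refresh_token = refresh_token
    @expires_at = expires_at
    @params = params
  end

  # A plain Hash with String keys and no custom subclass, so JSON, Marshal or a
  # session store can serialize it unchanged (#639).
  def to_hash
    {
      "token" => token,
      "refresh_token" => refresh_token,
      "expires_at" => expires_at,
    }.merge(params)
  end

  # Rebuild a token from #to_hash output, or from a JSON-parsed copy of it,
  # keeping refresh_token and any extra fields (#95). Accepts String or Symbol keys.
  def self.from_hash(hash)
    h = hash.each_with_object({}) { |(k, v), acc| acc[k.to_s] = v }
    new(
      token: h.fetch("token"),
      refresh_token: h["refresh_token"],
      expires_at: h["expires_at"],
      params: h.reject { |k, _| CORE_KEYS.include?(k) },
    )
  end

  # Redacted so that logs, exception messages and irb output never leak the
  # credentials (!641); only non-secret fields are shown.
  def inspect
    shown = to_hash.reject { |k, _| REDACTED_KEYS.include?(k) }
    fields = shown.map { |k, v| "#{k}=#{v.inspect}" }.join(" ")
    "#<#{self.class.name} #{fields} token=[REDACTED] refresh_token=[REDACTED]>"
  end
end

# Constructed sample values (not real credentials).
def demo_round_trip
  original = DemoAccessToken.new(
    token: "at-constructed-123",
    refresh_token: "rt-constructed-456",
    expires_at: 1_700_000_000,
    params: {"scope" => "openid profile", "token_type" => "Bearer"},
  )
  json = JSON.generate(original.to_hash) # a plain Hash serializes without surprises
  DemoAccessToken.from_hash(JSON.parse(json))
end
```

The design point is that secrets are excluded by key name in one place (`REDACTED_KEYS`), so a future field added to `to_hash` is shown by `inspect` unless it is explicitly listed as sensitive; extend that list rather than hand-editing the `inspect` string.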
## 2.0.9 - 2022-09-16

- TAG: v2.0.9

### Added

- More specs (@pboling)

### Changed

- Complete migration to main branch as default (@pboling)
- Complete migration to Gitlab, updating all links, and references in VCS-managed files (@pboling)
## 2.0.8 - 2022-09-01

- TAG: v2.0.8

### Changed

- !630 - Extract snaky_hash to external dependency (@pboling)

### Added

- !631 - New global configuration option `OAuth2.config.silence_extra_tokens_warning` (default: false) fixes #628
## 2.0.7 - 2022-08-22

- TAG: v2.0.7

### Added

- !629 - Allow POST of JSON to get token (@pboling, @terracatta)

### Fixed

- !626 - Fixes a regression in 2.0.6. Will now prefer the key order from the lookup, not the hash keys (@rickselby)
  - Note: This fixes compatibility with `omniauth-oauth2` and AWS
- !625 - Fixes the printed version in the post install message (@hasghari)
## 2.0.6 - 2022-07-13

- TAG: v2.0.6

### Fixed

- !624 - Fixes a regression in v2.0.5, where an error would be raised in refresh_token flows due to (legitimate) lack of access_token (@pboling)
## 2.0.5 - 2022-07-07

- TAG: v2.0.5

### Fixed

- !620 - Documentation improvements, to help with upgrading (@swanson)
- All data in responses is now returned, with the access token removed and set as `token`
  - `refresh_token` is no longer dropped
  - BREAKING: Microsoft's `id_token` is no longer left as `access_token['id_token']`, but moved to the standard `access_token.token` that all other strategies use
- Remove `parse` and `snaky` from options so they don't get included in response
- There is now 100% test coverage, for lines and branches, and it will stay that way.
## 2.0.4 - 2022-07-01

- TAG: v2.0.4

### Fixed

- !618 - In some scenarios the `snaky` option default value was not applied (@pboling)
## 2.0.3 - 2022-06-28

- TAG: v2.0.3

### Added

- !611 - Proper deprecation warnings for `extract_access_token` argument (@pboling)
- !612 - Add `snaky: false` option to skip conversion to `OAuth2::SnakyHash` (default: true) (@pboling)

### Fixed

- !608 - Wrap `Faraday::TimeoutError` in `OAuth2::TimeoutError` (@nbibler)
- !615 - Fix support for requests with blocks, see `Faraday::Connection#run_request` (@pboling)
## 2.0.2 - 2022-06-24

- TAG: v2.0.2

### Fixed

- !604 - Wrap `Faraday::TimeoutError` in `OAuth2::TimeoutError` (@stanhu)
- !606 - Ruby 2.7 deprecation warning fix: Move `access_token_class` parameter into `Client` constructor (@stanhu)
- !607 - CHANGELOG correction, reference to `OAuth2::ConnectionError` (@zavan)
## 2.0.1 - 2022-06-22

- TAG: v2.0.1

### Added

- Documentation improvements (@pboling)
- Increased test coverage to 99% (@pboling)
## 2.0.0 - 2022-06-21

- TAG: v2.0.0

### Added

- !158, !344 - Optionally pass raw response to parsers (@niels)
- !190, !332, !334, !335, !360, !426, !427, !461 - Documentation (@josephpage, @pboling, @meganemura, @joshRpowell, @elliotcm)
- !220 - Support IETF rfc7523 JWT Bearer Tokens Draft 04+ (@jhmoore)
- !298 - Set the response object on the access token on Client#get_token for debugging (@cpetschnig)
- !305 - Option: `OAuth2::Client#get_token` - `:access_token_class` (`AccessToken`); user specified class to use for all calls to `get_token` (@styd)
- !346 - Modern gem structure (@pboling)
- !351 - Support Jruby 9k (@pboling)
- !362 - Support SemVer release version scheme (@pboling)
- !363 - New method `OAuth2::AccessToken#refresh!` same as old `refresh`, with backwards compatibility alias (@pboling)
- !364 - Support `application/hal+json` format (@pboling)
- !365 - Support `application/vnd.collection+json` format (@pboling)
- !376 - Documentation: Example / Test for Google 2-legged JWT (@jhmoore)
- !381 - Spec for extra header params on client credentials (@nikz)
- !394 - Option: `OAuth2::AccessToken#initialize` - `:expires_latency` (`nil`); number of seconds by which AccessToken validity will be reduced to offset latency (@klippx)
- !412 - Support `application/vnd.api+json` format (from jsonapi.org) (@david-christensen)
- !413 - Documentation: License scan and report (@meganemura)
- !442 - Option: `OAuth2::Client#initialize` - `:logger` (`::Logger.new($stdout)`) logger to use when OAUTH_DEBUG is enabled (for parity with `1-4-stable` branch) (@rthbound)
- !494 - Support OIDC 1.0 Private Key JWT; based on the OAuth JWT assertion specification (RFC 7523) (@SteveyblamWork)
- !549 - Wrap `Faraday::ConnectionFailed` in `OAuth2::ConnectionError` (@nikkypx)
- !550 - Raise error if location header not present when redirecting (@stanhu)
- !552 - Add missing `version.rb` require (@ahorek)
- !553 - Support `application/problem+json` format (@janz93)
- !560 - Support IETF rfc6749, section 2.3.1 - don't set auth params when `nil` (@bouk)
- !571 - Support Ruby 3.1 (@pboling)
- !575 - Support IETF rfc7231, section 7.1.2 - relative location in redirect (@pboling)
- !581 - Documentation: of breaking changes (@pboling)
### Changed

- !191 - BREAKING: Token is expired if `expires_at` time is `now` (@davestevens)
- !312 - BREAKING: Set `:basic_auth` as default for `:auth_scheme` instead of `:request_body`. This was default behavior before 1.3.0. (@tetsuya, @wy193777)
- !317 - Dependency: Upgrade `jwt` to 2.x.x (@travisofthenorth)
- !338 - Dependency: Switch from `Rack::Utils.escape` to `CGI.escape` (@josephpage)
- !339, !368, !424, !479, !493, !539, !542, !553 - CI Updates, code coverage, linting, spelling, type fixes, New VERSION constant (@pboling, @josephpage, @ahorek)
- !410 - BREAKING: Removed the ability to call .error from an `OAuth2::Response` object (@jhmoore)
- !414 - Use Base64.strict_encode64 instead of custom internal logic (@meganemura)
- !469 - BREAKING: Default value for option `OAuth2::Client` - `:authorize_url` removed leading slash to work with relative paths by default (`'oauth/authorize'`) (@ghost)
- !469 - BREAKING: Default value for option `OAuth2::Client` - `:token_url` removed leading slash to work with relative paths by default (`'oauth/token'`) (@ghost)
- !507, !575 - BREAKING: Transform keys to snake case, always, by default (ultimately via `rash_alt` gem)
  - Original keys will still work as previously, in most scenarios, thanks to `rash_alt` gem.
  - However, this is a breaking change if you rely on `response.parsed.to_h`, as the keys in the result will be snake case.
  - As of version 2.0.4 you can turn key transformation off with the `snaky: false` option.
- !576 - BREAKING: Stop rescuing parsing errors (@pboling)
- !591 - DEPRECATION: `OAuth2::Client` - `:extract_access_token` option is deprecated

### Fixed
- !158, !344 - Handling of errors when using `omniauth-facebook` (@niels)
- !294 - Fix: "Unexpected middleware set" issue with Faraday when `OAUTH_DEBUG=true` (@spectator, @gafrom)
- !300 - Documentation: `OAuth2::Error` - Error codes are strings, not symbols (@NobodysNightmare)
- !318, !326, !343, !347, !397, !464, !561, !565 - Dependency: Support all versions of `faraday` (see gemfiles/README.md for compatibility matrix with Ruby engines & versions) (@pboling, @raimondasv, @zacharywelch, @Fudoshiki, @ryogift, @sj26, @jdelStrother)
- !322, !331, !337, !361, !371, !377, !383, !392, !395, !400, !401, !403, !415, !567 - Updated Rubocop, Rubocop plugins and improved code style (@pboling, @bquorning, @lautis, @spectator)
- !328 - Documentation: Homepage URL is SSL (@amatsuda)
- !339, !479 - Update testing infrastructure for all supported Rubies (@pboling and @josephpage)
- !366 - Security: Fix logging to `$stdout` of request and response bodies via Faraday's logger and `ENV["OAUTH_DEBUG"] == 'true'` (@pboling)
- !380 - Fix: Stop attempting to encode non-encodable objects in `OAuth2::Error` (@jhmoore)
- !399 - Fix: Stop duplicating `redirect_uri` in `get_token` (@markus)
- !410 - Fix: `SystemStackError` caused by circular reference between Error and Response classes (@jhmoore)
- !460 - Fix: Stop throwing errors when `raise_errors` is set to `false`; analog of !524 for `1-4-stable` branch (@joaolrpaulo)
- !472 - Security: Add checks to enforce `client_secret` is never passed in authorize_url query params for `implicit` and `auth_code` grant types (@dfockler)
- !482 - Documentation: Update last of `intridea` links to `oauth-xx` (@pboling)
- !536 - Security: Compatibility with more (and recent) Ruby OpenSSL versions, Github Actions, Rubocop updated, analogous to !535 on `1-4-stable` branch (@pboling)
- !595 - Graceful handling of empty responses from `Client#get_token`, respecting `:raise_errors` config (@stanhu)
- !596 - Consistency between `AccessToken#refresh` and `Client#get_token` named arguments (@stanhu)
- !598 - Fix unparseable data not raised as error in `Client#get_token`, respecting `:raise_errors` config (@stanhu)

### Removed
- !341 - Remove Rdoc & Jeweler related files (@josephpage)
- !342 - BREAKING: Dropped support for Ruby 1.8 (@josephpage)
- !539 - Remove reliance on globally included `OAuth2` in tests, analog of !538 for 1-4-stable (@anderscarling)
- !566 - Dependency: Removed `wwtd` (@bquorning)
- !589, !593 - Remove support for expired MAC token draft spec (@stanhu)
- !590 - Dependency: Removed `multi_json` (@stanhu)
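Three entries on this page define how token expiry is decided: !191 in this release (a token whose `expires_at` equals the current time is already expired), the `:expires_latency` option from !394 (validity shortened by a fixed number of seconds to absorb clock and network skew), and the 2.0.10 fix !638 for `expired?` when `expires_in` is `0`. The block below is an added illustration written for this page, not the gem's implementation; `DemoTokenExpiry`, its parameter names, the injectable clock and the reading of `expires_in: 0` as a zero-second lifetime (hence already expired) are assumptions based on the changelog wording and on the RFC 6749 meaning of `expires_in`.

```ruby
# Illustrative expiry model (not the oauth2 gem's code) of three changelog
# entries: a token is expired once expires_at is reached, not one second later
# (!191); :expires_latency shortens the usable lifetime to absorb clock and
# network skew (!394); and expires_in: 0 is a zero-second lifetime, i.e. already
# expired, rather than "never expires" (2.0.10, !638). Names mirror the
# changelog wording; they are assumptions, not the gem's API.
class DemoTokenExpiry
  attr_reader :expires_at

  # +expires_in+ is the server-issued lifetime in seconds (nil when the server
  # did not send one). +now+ is injectable so the boundary cases are testable.
  def initialize(expires_in:, expires_latency: nil, now: Time.now.to_i)
    @expires_at = expires_in.nil? ? nil : now + expires_in.to_i - (expires_latency || 0)
  end

  # No expiry information means the server did not bound the token; callers
  # must not read that as "valid forever" on a security-sensitive path.
  def expires?
    !@expires_at.nil?
  end

  # !191 semantics: expired when expires_at <= now. A naive "expires_at < now"
  # check would report the token usable for one extra second.
  def expired?(now: Time.now.to_i)
    expires? && @expires_at <= now
  end
end

NOW = 1_700_000_000 # constructed reference clock for the demonstrations

# Each entry is expired? evaluated at a chosen instant relative to NOW.
def demo_expiry_matrix
  {
    # expires_in: 0 must not be mistaken for "no expiry" (!638).
    zero_lifetime: DemoTokenExpiry.new(expires_in: 0, now: NOW).expired?(now: NOW),
    # Exactly at the boundary: expired (!191).
    at_boundary: DemoTokenExpiry.new(expires_in: 60, now: NOW).expired?(now: NOW + 60),
    # One second before the boundary: still valid.
    before_boundary: DemoTokenExpiry.new(expires_in: 60, now: NOW).expired?(now: NOW + 59),
    # A 10s latency allowance makes the same 60s token expired at +50s (!394).
    with_latency: DemoTokenExpiry.new(expires_in: 60, expires_latency: 10, now: NOW).expired?(now: NOW + 50),
    # Server sent no expires_in: not reported as expired, but expires? is false.
    unbounded: DemoTokenExpiry.new(expires_in: nil, now: NOW).expired?(now: NOW + 1_000_000),
  }
end
```

The `unbounded` case is the one to watch in production: a token the server never bounded will never report `expired?`, so an application that relies on `expired?` alone to trigger refresh should also check `expires?` and decide what to do with unbounded tokens explicitly.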
## 1.4.11 - 2022-09-16

- TAG: v1.4.11
- Complete migration to main branch as default (@pboling)
- Complete migration to Gitlab, updating all links, and references in VCS-managed files (@pboling)
## 1.4.10 - 2022-07-01
## 1.4.9 - 2022-02-20

- TAG: v1.4.9
- Fixes compatibility with Faraday v2 (572)
- Includes supported versions of Faraday in test matrix:
  - Faraday ~> 2.2.0 with Ruby >= 2.6
  - Faraday ~> 1.10 with Ruby >= 2.4
  - Faraday ~> 0.17.3 with Ruby >= 1.9
- Add Windows and MacOS to test matrix
## 1.4.8 - 2022-02-18

- TAG: v1.4.8
- MFA is now required to push new gem versions (@pboling)
- README overhaul w/ new Ruby Version and Engine compatibility policies (@pboling)
- !569 Backport fixes (!561 by @ryogift), and add more fixes, to allow faraday 1.x and 2.x (@jrochkind)
- Improve Code Coverage tracking (Coveralls, CodeCov, CodeClimate), and enable branch coverage (@pboling)
- Add CodeQL, Security Policy, Funding info (@pboling)
- Added Ruby 3.1, jruby, jruby-head, truffleruby, truffleruby-head to build matrix (@pboling)
- !543 - Support for more modern Open SSL libraries (@pboling)
## 1.4.7 - 2021-03-19
## 1.4.6 - 2021-03-19

- TAG: v1.4.6
- !540 - Add VERSION constant (@pboling)
- !537 - Fix crash in `OAuth2::Client#get_token` (@anderscarling)
- !538 - Remove reliance on globally included `OAuth2` in tests, analogous to !539 on main branch (@anderscarling)
## 1.4.5 - 2021-03-18

- TAG: v1.4.5
- !535 - Compatibility with range of supported Ruby OpenSSL versions, Rubocop updates, Github Actions, analogous to !536 on main branch (@pboling)
- !518 - Add extract_access_token option to `OAuth2::Client` (@jonspalmer)
- !507 - Fix camel case content type, response keys (@anvox)
- !500 - Fix YARD documentation formatting (@olleolleolle)
## 1.4.4 - 2020-02-12
## 1.4.3 - 2020-01-29

- TAG: v1.4.3
- !483 - add project metadata to gemspec (@orien)
- !495 - support additional types of access token requests (@SteveyblamFreeagent, @thomcorley, @dgholz)
  - Adds support for private_key_jwt and tls_client_auth
- !433 - allow field names with square brackets and numbers in params (@asm256)
## 1.4.2 - 2019-10-01

- TAG: v1.4.2
- !478 - support latest version of faraday & fix build (@pboling)
  - Officially support Ruby 2.6 and truffleruby
## 1.4.1 - 2018-10-13

- TAG: v1.4.1
- !417 - update jwt dependency (@thewoolleyman)
- !419 - remove rubocop dependency (temporary, added back in !423) (@pboling)
- !418 - update faraday dependency (@pboling)
- !420 - update oauth2.gemspec (@pboling)
- !421 - fix CHANGELOG.md for previous releases (@pboling)
- officially document supported Rubies
## 1.4.0 - 2017-06-09

- TAG: v1.4.0
- Drop Ruby 1.8.7 support (@sferik)
- Fix some RuboCop offenses (@sferik)
- Dependency: Remove Yardstick (@sferik)
- Dependency: Upgrade Faraday to 0.12 (@sferik)
## 1.3.1 - 2017-03-03 (tag)

- Add support for Ruby 2.4.0 (@pschambacher)
- Dependency: Upgrade Faraday to Faraday 0.11 (@mcfiredrill, @rhymes, @pschambacher)
## 1.3.0 - 2016-12-28 (tag)

- Add support for header-based authentication to the `Client` so it can be used across the library (@bjeanes)
- Default to header-based authentication when getting a token from an authorisation code (@maletor)
- Breaking: Allow an `auth_scheme` (`:basic_auth` or `:request_body`) to be set on the client, defaulting to `:request_body` to maintain backwards compatibility (@maletor, @bjeanes)
- Handle `redirect_uri` according to the OAuth 2 spec, so it is passed on redirect and at the point of token exchange (@bjeanes)
- Refactor handling of encoding of error responses (@urkle)
- Avoid instantiating an `Error` if there is no error to raise (@urkle)
- Add support for Faraday 0.10 (@rhymes)
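The `auth_scheme` and `redirect_uri` entries above describe how a confidential client assembles its two requests, and the 2.0.0 entries !472 (never let `client_secret` reach the authorize URL), !414 (strict Base64 for the Basic header) and !633 in 2.0.10 (spaces as `%20`) tighten the same code path. The block below is an added illustration for this page, not the gem's own `Client`: `DemoOAuthClient`, its constructor options, the returned request structure and the sample identifiers are assumptions modelled on the changelog wording. It builds the authorize URL with a guard that rejects `client_secret`, repeats `redirect_uri` at the token step, and emits the client credentials either as an `Authorization: Basic` header (`:basic_auth`) or as form fields (`:request_body`).

```ruby
require "uri"
require "erb"

# Illustrative request builder (not the oauth2 gem's code) for the 1.3.0
# auth_scheme / redirect_uri entries plus !472, !414 and !633 from later
# releases. Class, method and option names are assumptions based on the
# changelog wording, not the gem's real API.
class DemoOAuthClient
  FORBIDDEN_IN_AUTHORIZE = %w[client_secret].freeze

  def initialize(client_id, client_secret, site:, auth_scheme: :basic_auth,
                 authorize_url: "oauth/authorize", token_url: "oauth/token")
    @client_id = client_id
    @client_secret = client_secret
    @site = URI(site)
    @auth_scheme = auth_scheme
    @authorize_url = authorize_url # relative by default, like the 2.0.0 !469 change
    @token_url = token_url
  end

  # Step 1: the browser redirect. The secret belongs only to the back-channel
  # token request; in a URL it would land in browser history, Referer headers
  # and proxy logs, so any attempt to include it is rejected (!472).
  def authorize_url(redirect_uri:, params: {})
    params = stringify(params)
    leaked = params.keys & FORBIDDEN_IN_AUTHORIZE
    raise ArgumentError, "#{leaked.join(', ')} must not be sent to the authorize endpoint" unless leaked.empty?

    query = {"response_type" => "code", "client_id" => @client_id,
             "redirect_uri" => redirect_uri}.merge(params)
    uri = URI.join(@site, @authorize_url)
    uri.query = encode_form(query)
    uri.to_s
  end

  # Step 2: the back-channel code exchange. Returns {url:, headers:, body:}.
  # redirect_uri is repeated so the server can verify it matches step 1.
  def token_request(code:, redirect_uri:)
    body = {"grant_type" => "authorization_code", "code" => code,
            "redirect_uri" => redirect_uri}
    headers = {"Content-Type" => "application/x-www-form-urlencoded"}
    case @auth_scheme
    when :basic_auth
      # "m0" is strict Base64: no newline every 60 bytes, which would break the header (!414).
      headers["Authorization"] = "Basic " + ["#{@client_id}:#{@client_secret}"].pack("m0")
    when :request_body
      body["client_id"] = @client_id
      body["client_secret"] = @client_secret
    else
      raise ArgumentError, "unknown auth_scheme #{@auth_scheme.inspect}"
    end
    {url: URI.join(@site, @token_url).to_s, headers: headers, body: encode_form(body)}
  end

  private

  def stringify(hash)
    hash.each_with_object({}) { |(k, v), acc| acc[k.to_s] = v }
  end

  # Percent-encodes with %20 for spaces rather than "+" (the !633 behaviour).
  def encode_form(hash)
    hash.map { |k, v| "#{ERB::Util.url_encode(k)}=#{ERB::Util.url_encode(v.to_s)}" }.join("&")
  end
end

# Constructed sample values (not real credentials or hosts).
CLIENT = DemoOAuthClient.new("app-id", "app-secret", site: "https://as.example.test/")
REDIRECT = "https://app.example.test/callback"

def demo_authorize_url
  CLIENT.authorize_url(redirect_uri: REDIRECT, params: {scope: "openid profile"})
end

def demo_token_request_basic
  CLIENT.token_request(code: "abc123", redirect_uri: REDIRECT)
end

def demo_token_request_body
  DemoOAuthClient.new("app-id", "app-secret", site: "https://as.example.test/",
                      auth_scheme: :request_body)
    .token_request(code: "abc123", redirect_uri: REDIRECT)
end

# Returns the guard's message when client_secret is smuggled into the query.
def demo_secret_in_authorize_rejected
  CLIENT.authorize_url(redirect_uri: REDIRECT, params: {client_secret: "app-secret"})
  nil
rescue ArgumentError => e
  e.message
end
```

Which scheme to pick is a server-compatibility question, not a security one: RFC 6749 prefers the Basic header and the 2.0.0 release (!312) switched the gem's default back to `:basic_auth`; `:request_body` exists for servers that only read credentials from the form body. In both cases the secret travels only in the POST to the token endpoint, never in the front-channel URL.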
## 1.2.0 - 2016-07-01 (tag)

- Properly handle encoding of error responses (so we don't blow up, for example, when Google's response includes a ∞) (@Motoshi-Nishihira)
- Make a copy of the options hash in `AccessToken#from_hash` to avoid accidental mutations (@Linuus)
- Use `raise` rather than `fail` to throw exceptions (@sferik)
## 1.1.0 - 2016-01-30 (tag)

- Various refactors (eliminating `Hash#merge!` usage in `AccessToken#refresh!`, use `yield` instead of call, freezing mutable objects in constants, replacing constants with class variables) (@sferik)
- Add support for Rack 2, and bump various other dependencies (@sferik)
## 1.0.0 - 2014-07-09 (tag)

### Added

- Add an implementation of the MAC token spec.

### Fixed

- Fix Base64.strict_encode64 incompatibility with Ruby 1.8.7.
## 0.5.0 - 2011-07-29 (tag)

### Changed

- breaking: `oauth_token` renamed to `oauth_bearer`.
- breaking: `authorize_path` Client option renamed to `authorize_url`.
- breaking: `access_token_path` Client option renamed to `token_url`.
- breaking: `access_token_method` Client option renamed to `token_method`.
- breaking: `web_server` renamed to `auth_code`.