Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning,
and yes, platform and engine support are part of the public API.
Please file a bug if you notice a violation of semantic versioning.

Unreleased

Added

gh!683, gh!684 - Improve documentation by @pboling

Changed

gh!685 - upgrade kettle-dev v1.1.24 by pboling
upgrade kettle-dev v1.1.26 by pboling
- Add open collective donors to README

Deprecated

Removed

Fixed

Security

2.0.17 - 2025-09-15

TAG: v2.0.17
COVERAGE: 100.00% – 526/526 lines in 14 files
BRANCH COVERAGE: 100.00% – 178/178 branches in 14 files
90.48% documented

Added

gh!682 - AccessToken: support Hash-based verb-dependent token transmission mode (e.g., :query, post: :header)

2.0.16 - 2025-09-14

TAG: v2.0.16
COVERAGE: 100.00% – 520/520 lines in 14 files
BRANCH COVERAGE: 100.00% – 176/176 branches in 14 files
90.48% documented

Added

gh!680 - E2E example using mock test server added in v2.0.11 by @pboling
- mock-oauth2-server upgraded to v2.3.0
  - https://github.com/navikt/mock-oauth2-server
- docker compose -f docker-compose-ssl.yml up -d --wait
- ruby examples/e2e.rb
- docker compose -f docker-compose-ssl.yml down
- mock server readiness wait is 90s
- override via E2E_WAIT_TIMEOUT
gh!676, gh!679 - Apache SkyWalking Eyes dependency license check by @pboling

Changed

gh!678 - Many improvements to make CI more resilient (past/future proof) by @pboling
gh!681 - Upgrade to kettle-dev v1.1.19

2.0.15 - 2025-09-08

TAG: v2.0.15
COVERAGE: 100.00% – 519/519 lines in 14 files
BRANCH COVERAGE: 100.00% – 174/174 branches in 14 files
90.48% documented

Added

gh!671 - Complete documentation example for Instagram by @pboling
.env.local.example for contributor happiness
note lack of builds for JRuby 9.2, 9.3 & Truffleruby 22.3, 23.0
- actions/runner - issues/2347
- community/discussions/15452
gh!670 - AccessToken: verb-dependent token transmission mode by @mrj
- e.g., Instagram GET=:query, POST/DELETE=:header

Changed

gh!669 - Upgrade to kettle-dev v1.1.9 by @pboling

Fixed

Remove accidentally duplicated lines, and fix typos in CHANGELOG.md
point badge to the correct workflow for Ruby 2.3 (caboose.yml)

2.0.14 - 2025-08-31

TAG: v2.0.14
COVERAGE: 100.00% – 519/519 lines in 14 files
BRANCH COVERAGE: 100.00% – 174/174 branches in 14 files
90.48% documented

Added

improved documentation by @pboling
gh!665 - Document Mutual TLS (mTLS) usage with example in README (connection_opts.ssl client_cert/client_key and auth_scheme: :tls_client_auth) by @pboling
gh!666 - Document usage of flat query params using Faraday::FlatParamsEncoder, with example URI, in README by @pboling
- Spec: verify flat params are preserved with Faraday::FlatParamsEncoder (skips on Faraday without FlatParamsEncoder)
gh!662 - documentation notes in code comments and README highlighting OAuth 2.1 differences, with references, by @pboling
- PKCE required for auth code,
- exact redirect URI match,
- implicit/password grants omitted,
- avoid bearer tokens in query,
- refresh token guidance for public clients,
- simplified client definitions
gh!663 - document how to implement an OIDC client with this gem in OIDC.md by @pboling
- also, list libraries built on top of the oauth2 gem that implement OIDC
gh!664 - README: Add example for JHipster UAA (Spring Cloud) password grant, converted from Postman/Net::HTTP by @pboling

2.0.13 - 2025-08-30

TAG: v2.0.13
COVERAGE: 100.00% – 519/519 lines in 14 files
BRANCH COVERAGE: 100.00% – 174/174 branches in 14 files
90.48% documented

Added

gh!656 - Support revocation with URL-encoded parameters
gh!660 - Inline yard documentation by @pboling
gh!660 - Complete RBS types documentation by @pboling
gh!660- (more) Comprehensive documentation / examples by @pboling
gh!657 - Updated documentation for org-rename by @pboling
More funding links by @Aboling0
Documentation: Added docs/OIDC.md with OIDC 1.0 overview, example, and references

Changed

Upgrade Code of Conduct to Contributor Covenant 2.1 by @pboling
gh!660 - Shrink post-install message by 4 lines by @pboling

Fixed

gh!660 - Links in README (including link to HEAD documentation) by @pboling

Security

2.0.12 - 2025-05-31

TAG: v2.0.12
Line Coverage: 100.0% (520 / 520)
Branch Coverage: 100.0% (174 / 174)
80.00% documented

Added

gh!652 - Support IETF rfc7515 JSON Web Signature - JWS by @mridang
- Support JWT kid for key discovery and management
More Documentation by @pboling
- Documented Serialization Extensions
- Added Gatzo.com FLOSS logo by @Aboling0, CC BY-SA 4.0
Documentation site @ https://oauth2.galtzo.com now complete

Changed

Updates to gemspec (email, funding url, post install message)

Fixed

Documentation Typos by @pboling

2.0.11 - 2025-05-23

TAG: v2.0.11
COVERAGE: 100.00% – 518/518 lines in 14 files
BRANCH COVERAGE: 100.00% – 172/172 branches in 14 files
80.00% documented

Added

gh!651 - :snaky_hash_klass option (@pboling)
More documentation
Codeberg as ethical mirror (@pboling)
- https://codeberg.org/ruby-oauth/oauth2
Don’t check for cert if SKIP_GEM_SIGNING is set (@pboling)
All runtime deps, including oauth-xx sibling gems, are now tested against HEAD (@pboling)
All runtime deps, including ruby-oauth sibling gems, are now tested against HEAD (@pboling)
YARD config, GFM compatible with relative file links (@pboling)
Documentation site on GitHub Pages (@pboling)
- oauth2.galtzo.com
!649 - Test compatibility with all key minor versions of Hashie v0, v1, v2, v3, v4, v5, HEAD (@pboling)
gh!651 - Mock OAuth2 server for testing (@pboling)
- https://github.com/navikt/mock-oauth2-server

Changed

gh!651 - Upgraded to snaky_hash v2.0.3 (@pboling)
- Provides solution for serialization issues
Updated spec.homepage_uri in gemspec to GitHub Pages YARD documentation site (@pboling)

Fixed

gh!650 - Regression in return type of OAuth2::Response#parsed (@pboling)
Incorrect documentation related to silencing warnings (@pboling)

2.0.10 - 2025-05-17

TAG: v2.0.10
COVERAGE: 100.00% – 518/518 lines in 14 files
BRANCH COVERAGE: 100.00% – 170/170 branches in 14 files
79.05% documented

Added

gh!632 - Added funding.yml (@Aboling0)
!635 - Added .gitlab-ci.yml (@jessieay)
#638 - Documentation of support for ILO Fundamental Principles of Rights at Work (@pboling)
!642 - 20-year certificate for signing gem releases, expires 2045-04-29 (@pboling)
- Gemspec metadata
  - funding_uri
  - news_uri
  - mailing_list_uri
- SHA256 and SHA512 Checksums for release
!643 - Add token_name option (@pboling)
- Specify the parameter name that identifies the access token
!645 - Add OAuth2::OAUTH_DEBUG constant, based on `ENV[“OAUTH_DEBUG”] (@pboling)
!646 - Add OAuth2.config.silence_extra_tokens_warning, default: false (@pboling)
!647 - Add IETF RFC 7009 Token Revocation compliant (@pboling)
- OAuth2::Client#revoke_token
- OAuth2::AccessToken#revoke
- See: https://datatracker.ietf.org/doc/html/rfc7009
gh!644, gh!645 - Added CITATION.cff (@Aboling0)
!648 - Improved documentation (@pboling)

Changed

Default value of OAuth2.config.silence_extra_tokens_warning was false, now true (@pboling)
Gem releases are now cryptographically signed, with a 20-year cert (@pboling)
- Allow linux distros to build release without signing, as their package managers sign independently
!647 - OAuth2::AccessToken#refresh now supports block param pass through (@pboling)
!647 - OAuth2.config is no longer writable (@pboling)
!647 - Errors raised by OAuth2::AccessToken are now always OAuth2::Error and have better metadata (@pboling)

Fixed

#95 - restoring an access token via AccessToken#from_hash (@pboling)
- This was a 13 year old bug report. 😘
#619 - Internal options (like snaky, raise_errors, and parse) are no longer included in request (@pboling)
!633 - Spaces will now be encoded as %20 instead of + (@nov.matake)
!634 - CHANGELOG.md documentation fix (@skuwa229)
!638 - fix expired? when expires_in is 0 (@disep)
!639 - Only instantiate OAuth2::Error if raise_errors option is true (@glytch2)
#639 - AccessToken#to_hash is now serializable, just a regular Hash (@pboling)
!640 - README.md documentation fix (@martinezcoder)
!641 - Do not include sensitive information in the inspect (@manuelvanrijn)
#641 - Made default JSON response parser more resilient (@pboling)
#645 - Response no longer becomes a snaky hash (@pboling)
gh!646 - Change require to require_relative (improve performance) (@Aboling0)

2.0.9 - 2022-09-16

TAG: v2.0.9

Added

More specs (@pboling)

Changed

Complete migration to main branch as default (@pboling)
Complete migration to Gitlab, updating all links, and references in VCS-managed files (@pboling)

2.0.8 - 2022-09-01

TAG: v2.0.8

Changed

!630 - Extract snaky_hash to external dependency (@pboling)

Added

!631 - New global configuration option OAuth2.config.silence_extra_tokens_warning (default: false) fixes #628

2.0.7 - 2022-08-22

TAG: v2.0.7

Added

!629 - Allow POST of JSON to get token (@pboling, @terracatta)

Fixed

!626 - Fixes a regression in 2.0.6. Will now prefer the key order from the lookup, not the hash keys (@rickselby)
- Note: This fixes compatibility with omniauth-oauth2 and AWS
!625 - Fixes the printed version in the post install message (@hasghari)

2.0.6 - 2022-07-13

TAG: v2.0.6

Fixed

!624 - Fixes a regression in v2.0.5, where an error would be raised in refresh_token flows due to (legitimate) lack of access_token (@pboling)

2.0.5 - 2022-07-07

TAG: v2.0.5

Fixed

!620 - Documentation improvements, to help with upgrading (@swanson)
!621 - Fixed #528 and #619 (@pboling)
- All data in responses is now returned, with the access token removed and set as token
  - refresh_token is no longer dropped
  - BREAKING: Microsoft’s id_token is no longer left as access_token['id_token'], but moved to the standard access_token.token that all other strategies use
- Remove parse and snaky from options so they don’t get included in response
- There is now 100% test coverage, for lines and branches, and it will stay that way.

2.0.4 - 2022-07-01

TAG: v2.0.4

Fixed

!618 - In some scenarios the snaky option default value was not applied (@pboling)

2.0.3 - 2022-06-28

TAG: v2.0.3

Added

!611 - Proper deprecation warnings for extract_access_token argument (@pboling)
!612 - Add snaky: false option to skip conversion to OAuth2::SnakyHash (default: true) (@pboling)

Fixed

!608 - Wrap Faraday::TimeoutError in OAuth2::TimeoutError (@nbibler)
!615 - Fix support for requests with blocks, see Faraday::Connection#run_request (@pboling)

2.0.2 - 2022-06-24

TAG: v2.0.2

Fixed

!604 - Wrap Faraday::TimeoutError in OAuth2::TimeoutError (@stanhu)
!606 - Ruby 2.7 deprecation warning fix: Move access_token_class parameter into Client constructor (@stanhu)
!607 - CHANGELOG correction, reference to OAuth2::ConnectionError (@zavan)

2.0.1 - 2022-06-22

TAG: v2.0.1

Added

Documentation improvements (@pboling)
Increased test coverage to 99% (@pboling)

2.0.0 - 2022-06-21

TAG: v2.0.0

Added

!158, !344 - Optionally pass raw response to parsers (@niels)
!190, !332, !334, !335, !360, !426, !427, !461 - Documentation (@josephpage, @pboling, @meganemura, @joshRpowell, @elliotcm)
!220 - Support IETF rfc7523 JWT Bearer Tokens Draft 04+ (@jhmoore)
!298 - Set the response object on the access token on Client#get_token for debugging (@cpetschnig)
!305 - Option: OAuth2::Client#get_token - :access_token_class (AccessToken); user specified class to use for all calls to get_token (@styd)
!346 - Modern gem structure (@pboling)
!351 - Support Jruby 9k (@pboling)
!362 - Support SemVer release version scheme (@pboling)
!363 - New method OAuth2::AccessToken#refresh! same as old refresh, with backwards compatibility alias (@pboling)
!364 - Support application/hal+json format (@pboling)
!365 - Support application/vnd.collection+json format (@pboling)
!376 - Documentation: Example / Test for Google 2-legged JWT (@jhmoore)
!381 - Spec for extra header params on client credentials (@nikz)
!394 - Option: OAuth2::AccessToken#initialize - :expires_latency (nil); number of seconds by which AccessToken validity will be reduced to offset latency (@klippx)
!412 - Support application/vdn.api+json format (from jsonapi.org) (@david-christensen)
!413 - Documentation: License scan and report (@meganemura)
!442 - Option: OAuth2::Client#initialize - :logger (::Logger.new($stdout)) logger to use when OAUTH_DEBUG is enabled (for parity with 1-4-stable branch) (@rthbound)
!494 - Support OIDC 1.0 Private Key JWT; based on the OAuth JWT assertion specification (RFC 7523) (@SteveyblamWork)
!549 - Wrap Faraday::ConnectionFailed in OAuth2::ConnectionError (@nikkypx)
!550 - Raise error if location header not present when redirecting (@stanhu)
!552 - Add missing version.rb require (@ahorek)
!553 - Support application/problem+json format (@janz93)
!560 - Support IETF rfc6749, section 2.3.1 - don’t set auth params when nil (@bouk)
!571 - Support Ruby 3.1 (@pboling)
!575 - Support IETF rfc7231, section 7.1.2 - relative location in redirect (@pboling)
!581 - Documentation: of breaking changes (@pboling)

Changed

!191 - BREAKING: Token is expired if expired_at time is now (@davestevens)
!312 - BREAKING: Set :basic_auth as default for :auth_scheme instead of :request_body. This was default behavior before 1.3.0. (@tetsuya, @wy193777)
!317 - Dependency: Upgrade jwt to 2.x.x (@travisofthenorth)
!338 - Dependency: Switch from Rack::Utils.escape to CGI.escape (@josephpage)
!339, !368, !424, !479, !493, !539, !542, !553 - CI Updates, code coverage, linting, spelling, type fixes, New VERSION constant (@pboling, @josephpage, @ahorek)
!410 - BREAKING: Removed the ability to call .error from an OAuth2::Response object (@jhmoore)
!414 - Use Base64.strict_encode64 instead of custom internal logic (@meganemura)
!469 - BREAKING: Default value for option OAuth2::Client - :authorize_url removed leading slash to work with relative paths by default ('oauth/authorize') (@ghost)
!469 - BREAKING: Default value for option OAuth2::Client - :token_url removed leading slash to work with relative paths by default ('oauth/token') (@ghost)
!507, !575 - BREAKING: Transform keys to snake case, always, by default (ultimately via rash_alt gem)
- Original keys will still work as previously, in most scenarios, thanks to rash_alt gem.
- However, this is a breaking change if you rely on response.parsed.to_h, as the keys in the result will be snake case.
- As of version 2.0.4 you can turn key transformation off with the snaky: false option.
!576 - BREAKING: Stop rescuing parsing errors (@pboling)
!591 - DEPRECATION: OAuth2::Client - :extract_access_token option is deprecated

Fixed

!158, !344 - Handling of errors when using omniauth-facebook (@niels)
!294 - Fix: “Unexpected middleware set” issue with Faraday when OAUTH_DEBUG=true (@spectator, @gafrom)
!300 - Documentation: Oauth2::Error - Error codes are strings, not symbols (@NobodysNightmare)
!318, !326, !343, !347, !397, !464, !561, !565 - Dependency: Support all versions of faraday (see gemfiles/README.md for compatibility matrix with Ruby engines & versions) (@pboling, @raimondasv, @zacharywelch, @Fudoshiki, @ryogift, @sj26, @jdelStrother)
!322, !331, !337, !361, !371, !377, !383, !392, !395, !400, !401, !403, !415, !567 - Updated Rubocop, Rubocop plugins and improved code style (@pboling, @bquorning, @lautis, @spectator)
!328 - Documentation: Homepage URL is SSL (@amatsuda)
!339, !479 - Update testing infrastructure for all supported Rubies (@pboling and @josephpage)
!366 - Security: Fix logging to $stdout of request and response bodies via Faraday’s logger and ENV["OAUTH_DEBUG"] == 'true' (@pboling)
!380 - Fix: Stop attempting to encode non-encodable objects in Oauth2::Error (@jhmoore)
!399 - Fix: Stop duplicating redirect_uri in get_token (@markus)
!410 - Fix: SystemStackError caused by circular reference between Error and Response classes (@jhmoore)
!460 - Fix: Stop throwing errors when raise_errors is set to false; analog of !524 for 1-4-stable branch (@joaolrpaulo)
!472 - Security: Add checks to enforce client_secret is never passed in authorize_url query params for implicit and auth_code grant types (@dfockler)
!482 - Documentation: Update last of intridea links to ruby-oauth (@pboling)
!536 - Security: Compatibility with more (and recent) Ruby OpenSSL versions, Github Actions, Rubocop updated, analogous to !535 on 1-4-stable branch (@pboling)
!595 - Graceful handling of empty responses from Client#get_token, respecting :raise_errors config (@stanhu)
!596 - Consistency between AccessToken#refresh and Client#get_token named arguments (@stanhu)
!598 - Fix unparseable data not raised as error in Client#get_token, respecting :raise_errors config (@stanhu)

Removed

!341 - Remove Rdoc & Jeweler related files (@josephpage)
!342 - BREAKING: Dropped support for Ruby 1.8 (@josephpage)
!539 - Remove reliance on globally included OAuth2 in tests, analog of !538 for 1-4-stable (@anderscarling)
!566 - Dependency: Removed wwtd (@bquorning)
!589, !593 - Remove support for expired MAC token draft spec (@stanhu)
!590 - Dependency: Removed multi_json (@stanhu)

1.4.11 - 2022-09-16

TAG: v1.4.11
Complete migration to main branch as default (@pboling)
Complete migration to Gitlab, updating all links, and references in VCS-managed files (@pboling)

1.4.10 - 2022-07-01

TAG: v1.4.10
FIPS Compatibility !587 (@akostadinov)

1.4.9 - 2022-02-20

TAG: v1.4.9
Fixes compatibility with Faraday v2 572
Includes supported versions of Faraday in test matrix:
- Faraday ~> 2.2.0 with Ruby >= 2.6
- Faraday ~> 1.10 with Ruby >= 2.4
- Faraday ~> 0.17.3 with Ruby >= 1.9
Add Windows and MacOS to test matrix

1.4.8 - 2022-02-18

TAG: v1.4.8
MFA is now required to push new gem versions (@pboling)
README overhaul w/ new Ruby Version and Engine compatibility policies (@pboling)
!569 Backport fixes (!561 by @ryogift), and add more fixes, to allow faraday 1.x and 2.x (@jrochkind)
Improve Code Coverage tracking (Coveralls, CodeCov, CodeClimate), and enable branch coverage (@pboling)
Add CodeQL, Security Policy, Funding info (@pboling)
Added Ruby 3.1, jruby, jruby-head, truffleruby, truffleruby-head to build matrix (@pboling)
!543 - Support for more modern Open SSL libraries (@pboling)

1.4.7 - 2021-03-19

TAG: v1.4.7
!541 - Backport fix to expires_at handling !533 to 1-4-stable branch. (@dobon)

1.4.6 - 2021-03-19

TAG: v1.4.6
!540 - Add VERSION constant (@pboling)
!537 - Fix crash in OAuth2::Client#get_token (@anderscarling)
!538 - Remove reliance on globally included OAuth2 in tests, analogous to !539 on main branch (@anderscarling)

1.4.5 - 2021-03-18

TAG: v1.4.5
!535 - Compatibility with range of supported Ruby OpenSSL versions, Rubocop updates, Github Actions, analogous to !536 on main branch (@pboling)
!518 - Add extract_access_token option to OAuth2::Client (@jonspalmer)
!507 - Fix camel case content type, response keys (@anvox)
!500 - Fix YARD documentation formatting (@olleolleolle)

1.4.4 - 2020-02-12

TAG: v1.4.4
!408 - Fixed expires_at for formatted time (@Lomey)

1.4.3 - 2020-01-29

TAG: v1.4.3
!483 - add project metadata to gemspec (@orien)
!495 - support additional types of access token requests (@SteveyblamFreeagent, @thomcorley, @dgholz)
- Adds support for private_key_jwt and tls_client_auth
!433 - allow field names with square brackets and numbers in params (@asm256)

1.4.2 - 2019-10-01

TAG: v1.4.2
!478 - support latest version of faraday & fix build (@pboling)
- Officially support Ruby 2.6 and truffleruby

1.4.1 - 2018-10-13

TAG: v1.4.1
!417 - update jwt dependency (@thewoolleyman)
!419 - remove rubocop dependency (temporary, added back in !423) (@pboling)
!418 - update faraday dependency (@pboling)
!420 - update oauth2.gemspec (@pboling)
!421 - fix CHANGELOG.md for previous releases (@pboling)
!422 - update LICENSE and README.md (@pboling)
!423 - update builds, Rakefile (@pboling)
- officially document supported Rubies
  - Ruby 1.9.3
  - Ruby 2.0.0
  - Ruby 2.1
  - Ruby 2.2
  - JRuby 1.7 (targets MRI v1.9)
  - JRuby 9.0 (targets MRI v2.0)
  - Ruby 2.3
  - Ruby 2.4
  - Ruby 2.5
  - JRuby 9.1 (targets MRI v2.3)
  - JRuby 9.2 (targets MRI v2.5)

1.4.0 - 2017-06-09

TAG: v1.4.0
Drop Ruby 1.8.7 support (@sferik)
Fix some RuboCop offenses (@sferik)
Dependency: Remove Yardstick (@sferik)
Dependency: Upgrade Faraday to 0.12 (@sferik)

1.3.1 - 2017-03-03

TAG: v1.3.1
Add support for Ruby 2.4.0 (@pschambacher)
Dependency: Upgrade Faraday to Faraday 0.11 (@mcfiredrill, @rhymes, @pschambacher)

1.3.0 - 2016-12-28

TAG: v1.3.0
Add support for header-based authentication to the Client so it can be used across the library (@bjeanes)
Default to header-based authentication when getting a token from an authorisation code (@maletor)
Breaking: Allow an auth_scheme (:basic_auth or :request_body) to be set on the client, defaulting to :request_body to maintain backwards compatibility (@maletor, @bjeanes)
Handle redirect_uri according to the OAuth 2 spec, so it is passed on redirect and at the point of token exchange (@bjeanes)
Refactor handling of encoding of error responses (@urkle)
Avoid instantiating an Error if there is no error to raise (@urkle)
Add support for Faraday 0.10 (@rhymes)

1.2.0 - 2016-07-01

TAG: v1.2.0
Properly handle encoding of error responses (so we don’t blow up, for example, when Google’s response includes a ∞) (@Motoshi-Nishihira)
Make a copy of the options hash in AccessToken#from_hash to avoid accidental mutations (@Linuus)
Use raise rather than fail to throw exceptions (@sferik)

1.1.0 - 2016-01-30

TAG: v1.1.0
Various refactors (eliminating Hash#merge! usage in AccessToken#refresh!, use yield instead of #call, freezing mutable objects in constants, replacing constants with class variables) (@sferik)
Add support for Rack 2, and bump various other dependencies (@sferik)