oauth2 1.1.0 → 1.4.3

data/README.md

@@ -1,30 +1,72 @@
 # OAuth2
 
+If you need the readme for a released version of the gem please find it below:
+
+| Version  | Release Date | Readme                                                   |
+|----------|--------------|----------------------------------------------------------|
+| 1.4.3    | Jan 29, 2020 | https://github.com/oauth-xx/oauth2/blob/v1.4.3/README.md |
+| 1.4.2    | Oct 1, 2019  | https://github.com/oauth-xx/oauth2/blob/v1.4.2/README.md |
+| 1.4.1    | Oct 13, 2018 | https://github.com/oauth-xx/oauth2/blob/v1.4.1/README.md |
+| 1.4.0    | Jun 9, 2017  | https://github.com/oauth-xx/oauth2/blob/v1.4.0/README.md |
+| 1.3.1    | Mar 3, 2017  | https://github.com/oauth-xx/oauth2/blob/v1.3.1/README.md |
+| 1.3.0    | Dec 27, 2016 | https://github.com/oauth-xx/oauth2/blob/v1.3.0/README.md |
+| 1.2.0    | Jun 30, 2016 | https://github.com/oauth-xx/oauth2/blob/v1.2.0/README.md |
+| 1.1.0    | Jan 30, 2016 | https://github.com/oauth-xx/oauth2/blob/v1.1.0/README.md |
+| 1.0.0    | May 23, 2014 | https://github.com/oauth-xx/oauth2/blob/v1.0.0/README.md |
+| < 1.0.0  | Find here    | https://github.com/oauth-xx/oauth2/tags                  |
+
 [![Gem Version](http://img.shields.io/gem/v/oauth2.svg)][gem]
-[![Build Status](http://img.shields.io/travis/intridea/oauth2.svg)][travis]
-[![Dependency Status](http://img.shields.io/gemnasium/intridea/oauth2.svg)][gemnasium]
-[![Code Climate](http://img.shields.io/codeclimate/github/intridea/oauth2.svg)][codeclimate]
-[![Coverage Status](http://img.shields.io/coveralls/intridea/oauth2.svg)][coveralls]
+[![Total Downloads](https://img.shields.io/gem/dt/oauth2.svg)][gem]
+[![Downloads Today](https://img.shields.io/gem/rt/oauth2.svg)][gem]
+[![Build Status](https://travis-ci.org/oauth-xx/oauth2.svg?branch=1-4-stable)][travis]
+[![Test Coverage](https://api.codeclimate.com/v1/badges/688c612528ff90a46955/test_coverage)][codeclimate-coverage]
+[![Maintainability](https://api.codeclimate.com/v1/badges/688c612528ff90a46955/maintainability)][codeclimate-maintainability]
+[![Depfu](https://badges.depfu.com/badges/6d34dc1ba682bbdf9ae2a97848241743/count.svg)][depfu]
+[![Open Source Helpers](https://www.codetriage.com/oauth-xx/oauth2/badges/users.svg)][code-triage]
+[![Chat](https://img.shields.io/gitter/room/oauth-xx/oauth2.svg)](https://gitter.im/oauth-xx/oauth2)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)][source-license]
+[![Documentation](http://inch-ci.org/github/oauth-xx/oauth2.png)][inch-ci]
 
 [gem]: https://rubygems.org/gems/oauth2
-[travis]: http://travis-ci.org/intridea/oauth2
-[gemnasium]: https://gemnasium.com/intridea/oauth2
-[codeclimate]: https://codeclimate.com/github/intridea/oauth2
-[coveralls]: https://coveralls.io/r/intridea/oauth2
+[travis]: http://travis-ci.org/oauth-xx/oauth2
+[coveralls]: https://coveralls.io/r/oauth-xx/oauth2
+[codeclimate-maintainability]: https://codeclimate.com/github/oauth-xx/oauth2/maintainability
+[codeclimate-coverage]: https://codeclimate.com/github/oauth-xx/oauth2/test_coverage
+[depfu]: https://depfu.com/github/oauth-xx/oauth2
+[source-license]: https://opensource.org/licenses/MIT
+[inch-ci]: http://inch-ci.org/github/oauth-xx/oauth2
+[code-triage]: https://www.codetriage.com/oauth-xx/oauth2
+[fossa1]: https://app.fossa.io/projects/git%2Bgithub.com%2Foauth-xx%2Foauth2?ref=badge_shield
+
+A Ruby wrapper for the [OAuth 2.0 specification][oauth2-spec].
 
-A Ruby wrapper for the OAuth 2.0 specification.
+[oauth2-spec]: https://oauth.net/2/
 
 ## Installation
-    gem install oauth2
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'oauth2'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install oauth2
 
 ## Resources
+
 * [View Source on GitHub][code]
 * [Report Issues on GitHub][issues]
 * [Read More at the Wiki][wiki]
 
-[code]: https://github.com/intridea/oauth2
-[issues]: https://github.com/intridea/oauth2/issues
-[wiki]: https://wiki.github.com/intridea/oauth2
+[code]: https://github.com/oauth-xx/oauth2
+[issues]: https://github.com/oauth-xx/oauth2/issues
+[wiki]: https://wiki.github.com/oauth-xx/oauth2
 
 ## Usage Examples
 
@@ -41,6 +83,7 @@ response.class.name
 # => OAuth2::Response
 ```
 ## OAuth2::Response
+
 The AccessToken methods #get, #post, #put and #delete and the generic #request
 will return an instance of the #OAuth2::Response class.
 
@@ -53,12 +96,14 @@ The original response body, headers, and status can be accessed via their
 respective methods.
 
 ## OAuth2::AccessToken
+
 If you have an existing Access Token for a user, you can initialize an instance
 using various class methods including the standard new, from_hash (if you have
 a hash of the values), or from_kvform (if you have an
 application/x-www-form-urlencoded encoded string of the values).
 
 ## OAuth2::Error
+
 On 400+ status code responses, an OAuth2::Error will be raised.  If it is a
 standard OAuth2 error response, the body will be parsed and #code and #description will contain the values provided from the error and
 error_description parameters.  The #response property of OAuth2::Error will
@@ -70,6 +115,7 @@ instance will be returned as usual and on 400+ status code responses, the
 Response instance will contain the OAuth2::Error instance.
 
 ## Authorization Grants
+
 Currently the Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials, and Assertion
 authentication grant types have helper strategy classes that simplify client
 use.  They are available via the #auth_code, #implicit, #password, #client_credentials, and #assertion methods respectively.
@@ -100,18 +146,38 @@ You can always use the #request method on the OAuth2::Client instance to make
 requests for tokens for any Authentication grant type.
 
 ## Supported Ruby Versions
+
 This library aims to support and is [tested against][travis] the following Ruby
 implementations:
 
-* Ruby 1.8.7
+### Rubies with support ending at Oauth2 1.x
+
 * Ruby 1.9.3
+  - [JRuby 1.7][jruby-1.7] (targets MRI v1.9)
+
 * Ruby 2.0.0
-* Ruby 2.1.0
-* [JRuby][]
-* [Rubinius][]
+  - [JRuby 9.0][jruby-9.0] (targets MRI v2.0)
+* Ruby 2.1
+
+---
+
+### Rubies with continued support past Oauth2 2.x
 
-[jruby]: http://jruby.org/
-[rubinius]: http://rubini.us/
+* Ruby 2.2 - Support ends with version 2.x series
+* Ruby 2.3 - Support ends with version 3.x series
+  - [JRuby 9.1][jruby-9.1] (targets MRI v2.3) 
+* Ruby 2.4 - Support ends with version 4.x series
+* Ruby 2.5 - Support ends with version 5.x series
+  - [JRuby 9.2][jruby-9.2] (targets MRI v2.5)
+  - [truffleruby][truffleruby] (targets MRI 2.5)
+* Ruby 2.6 - Support ends with version 6.x series
+* Ruby 2.7 - Support ends with version 7.x series
+
+[jruby-1.7]: https://www.jruby.org/2017/05/11/jruby-1-7-27.html
+[jruby-9.0]: https://www.jruby.org/2016/01/26/jruby-9-0-5-0.html
+[jruby-9.1]: https://www.jruby.org/2017/05/16/jruby-9-1-9-0.html
+[jruby-9.2]: https://www.jruby.org/2018/05/24/jruby-9-2-0-0.html
+[truffleruby]: https://github.com/oracle/truffleruby
 
 If something doesn't work on one of these interpreters, it's a bug.
 
@@ -126,8 +192,51 @@ implementation, you will be responsible for providing patches in a timely
 fashion. If critical issues for a particular implementation exist at the time
 of a major release, support for that Ruby version may be dropped.
 
+## Versioning
+
+This library aims to adhere to [Semantic Versioning 2.0.0][semver].
+Violations of this scheme should be reported as bugs. Specifically,
+if a minor or patch version is released that breaks backward
+compatibility, a new version should be immediately released that
+restores compatibility. Breaking changes to the public API will
+only be introduced with new major versions.
+
+As a result of this policy, you can (and should) specify a
+dependency on this gem using the [Pessimistic Version Constraint][pvc] with two digits of precision.
+
+For example:
+
+```ruby
+spec.add_dependency 'oauth2', '~> 1.4'
+```
+
+[semver]: http://semver.org/
+[pvc]: http://guides.rubygems.org/patterns/#pessimistic-version-constraint
+
 ## License
-Copyright (c) 2011-2013 Michael Bleigh and Intridea, Inc. See [LICENSE][] for
-details.
 
-[license]: LICENSE.md
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)][source-license]
+
+- Copyright (c) 2011-2013 Michael Bleigh and Intridea, Inc.
+- Copyright (c) 2017-2018 [oauth-xx organization][oauth-xx]
+- See [LICENSE][license] for details.
+
+[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Foauth-xx%2Foauth2.svg?type=large)][fossa2]
+
+[license]: LICENSE
+[oauth-xx]: https://github.com/oauth-xx
+[fossa2]: https://app.fossa.io/projects/git%2Bgithub.com%2Foauth-xx%2Foauth2?ref=badge_large
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/oauth-xx/oauth2. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## Code of Conduct
+
+Everyone interacting in the OAuth2 project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/oauth-xx/oauth2/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,45 @@
+# encoding: utf-8
+
+# !/usr/bin/env rake
+
+require 'bundler/gem_tasks'
+
+begin
+  require 'wwtd/tasks'
+rescue LoadError
+  puts 'failed to load wwtd'
+end
+
+begin
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(:spec)
+rescue LoadError
+  task :spec do
+    warn 'rspec is disabled'
+  end
+end
+task :test => :spec
+
+begin
+  require 'rubocop/rake_task'
+  RuboCop::RakeTask.new do |task|
+    task.options = ['-D'] # Display the name of the failing cops
+  end
+rescue LoadError
+  task :rubocop do
+    warn 'RuboCop is disabled'
+  end
+end
+
+namespace :doc do
+  require 'rdoc/task'
+  require File.expand_path('../lib/oauth2/version', __FILE__)
+  RDoc::Task.new do |rdoc|
+    rdoc.rdoc_dir = 'rdoc'
+    rdoc.title = "oauth2 #{OAuth2::Version}"
+    rdoc.main = 'README.md'
+    rdoc.rdoc_files.include('README.md', 'LICENSE.md', 'lib/**/*.rb')
+  end
+end
+
+task :default => [:test, :rubocop]

data/gemfiles/jruby_1.7.gemfile

@@ -0,0 +1,11 @@
+source 'https://rubygems.org'
+
+gem 'faraday', '~> 0.15.4'
+
+gem 'json', '< 2.0'
+gem 'rack', '~> 1.2'
+gem 'rake', [">= 10.0", "< 12"]
+gem 'term-ansicolor', '< 1.4.0'
+gem 'tins', '< 1.7'
+
+gemspec :path => '../'

data/gemfiles/jruby_9.0.gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+gem 'faraday', '~> 0.15.4'
+
+gem 'rake', [">= 10.0", "< 12"]
+
+gemspec :path => '../'

data/gemfiles/jruby_9.1.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/gemfiles/jruby_9.2.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/gemfiles/jruby_head.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/gemfiles/ruby_1.9.gemfile

@@ -0,0 +1,11 @@
+source 'https://rubygems.org'
+
+gem 'faraday', '~> 0.15.4'
+
+gem 'json', '< 2.0'
+gem 'rack', '~> 1.2'
+gem 'rake', [">= 10.0", "< 12"]
+gem 'term-ansicolor', '< 1.4.0'
+gem 'tins', '< 1.7'
+
+gemspec :path => '../'

data/gemfiles/ruby_2.0.gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+gem 'faraday', '~> 0.15.4'
+gem 'rack', '~> 1.2'
+
+gemspec :path => '../'

data/gemfiles/ruby_2.1.gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+gem 'faraday', '~> 0.15.4'
+gem 'rack', '~> 1.2'
+
+gemspec :path => '../'

data/gemfiles/ruby_2.2.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/gemfiles/ruby_2.3.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/gemfiles/ruby_2.4.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/gemfiles/ruby_2.5.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/gemfiles/ruby_2.6.gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+group :development do
+  gem 'pry'
+  gem 'byebug'
+  gem 'pry-byebug'
+end
+
+gemspec :path => '../'

data/gemfiles/ruby_2.7.gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+group :development do
+  gem 'pry'
+  gem 'byebug'
+  gem 'pry-byebug'
+end
+
+gemspec :path => '../'

data/gemfiles/ruby_head.gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+group :development do
+  gem 'pry'
+  gem 'byebug'
+  gem 'pry-byebug'
+end
+
+gemspec :path => '../'

data/gemfiles/truffleruby.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/lib/oauth2/access_token.rb

@@ -10,6 +10,7 @@ module OAuth2
       # @param [Hash] a hash of AccessToken property values
       # @return [AccessToken] the initalized AccessToken
       def from_hash(client, hash)
+        hash = hash.dup
         new(client, hash.delete('access_token') || hash.delete(:access_token), hash)
       end
 
@@ -39,6 +40,7 @@ module OAuth2
     def initialize(client, token, opts = {}) # rubocop:disable Metrics/AbcSize
       @client = client
       @token = token.to_s
+      opts = opts.dup
       [:refresh_token, :expires_in, :expires_at].each do |arg|
         instance_variable_set("@#{arg}", opts.delete(arg) || opts.delete(arg.to_s))
       end
@@ -78,9 +80,7 @@ module OAuth2
     # @return [AccessToken] a new AccessToken
     # @note options should be carried over to the new AccessToken
     def refresh!(params = {})
-      fail('A refresh_token is not available') unless refresh_token
-      params[:client_id] = @client.id
-      params[:client_secret] = @client.secret
+      raise('A refresh_token is not available') unless refresh_token
       params[:grant_type] = 'refresh_token'
       params[:refresh_token] = refresh_token
       new_token = @client.get_token(params)
@@ -103,7 +103,7 @@ module OAuth2
     # @param [Hash] opts the options to make the request with
     # @see Client#request
     def request(verb, path, opts = {}, &block)
-      self.token = opts
+      configure_authentication!(opts)
       @client.request(verb, path, opts, &block)
     end
 
@@ -149,7 +149,7 @@ module OAuth2
 
   private
 
-    def token=(opts) # rubocop:disable MethodLength, Metrics/AbcSize
+    def configure_authentication!(opts) # rubocop:disable MethodLength, Metrics/AbcSize
       case options[:mode]
       when :header
         opts[:headers] ||= {}
@@ -166,7 +166,7 @@ module OAuth2
         end
         # @todo support for multi-part (file uploads)
       else
-        fail("invalid :mode option of #{options[:mode]}")
+        raise("invalid :mode option of #{options[:mode]}")
       end
     end
   end

data/lib/oauth2/authenticator.rb

@@ -0,0 +1,68 @@
+require 'base64'
+
+module OAuth2
+  class Authenticator
+    attr_reader :mode, :id, :secret
+
+    def initialize(id, secret, mode)
+      @id = id
+      @secret = secret
+      @mode = mode
+    end
+
+    # Apply the request credentials used to authenticate to the Authorization Server
+    #
+    # Depending on configuration, this might be as request params or as an
+    # Authorization header.
+    #
+    # User-provided params and header take precedence.
+    #
+    # @param [Hash] params a Hash of params for the token endpoint
+    # @return [Hash] params amended with appropriate authentication details
+    def apply(params)
+      case mode.to_sym
+      when :basic_auth
+        apply_basic_auth(params)
+      when :request_body
+        apply_params_auth(params)
+      when :tls_client_auth
+        apply_client_id(params)
+      when :private_key_jwt
+        params
+      else
+        raise NotImplementedError
+      end
+    end
+
+    def self.encode_basic_auth(user, password)
+      'Basic ' + Base64.encode64(user + ':' + password).delete("\n")
+    end
+
+  private
+
+    # Adds client_id and client_secret request parameters if they are not
+    # already set.
+    def apply_params_auth(params)
+      {'client_id' => id, 'client_secret' => secret}.merge(params)
+    end
+
+    # When using schemes that don't require the client_secret to be passed i.e TLS Client Auth,
+    # we don't want to send the secret
+    def apply_client_id(params)
+      { 'client_id' => id }.merge(params)
+    end
+
+    # Adds an `Authorization` header with Basic Auth credentials if and only if
+    # it is not already set in the params.
+    def apply_basic_auth(params)
+      headers = params.fetch(:headers, {})
+      headers = basic_auth_header.merge(headers)
+      params.merge(:headers => headers)
+    end
+
+    # @see https://tools.ietf.org/html/rfc2617#section-2
+    def basic_auth_header
+      {'Authorization' => self.class.encode_basic_auth(id, secret)}
+    end
+  end
+end

data/lib/oauth2/client.rb

@@ -3,7 +3,7 @@ require 'logger'
 
 module OAuth2
   # The OAuth2::Client class
-  class Client
+  class Client # rubocop:disable Metrics/ClassLength
     attr_reader :id, :secret, :site
     attr_accessor :options
     attr_writer :connection
@@ -16,9 +16,11 @@ module OAuth2
     # @param [String] client_secret the client_secret value
     # @param [Hash] opts the options to create the client with
     # @option opts [String] :site the OAuth2 provider site host
+    # @option opts [String] :redirect_uri the absolute URI to the Redirection Endpoint for use in authorization grants and token exchange
     # @option opts [String] :authorize_url ('/oauth/authorize') absolute or relative URL path to the Authorization endpoint
     # @option opts [String] :token_url ('/oauth/token') absolute or relative URL path to the Token endpoint
     # @option opts [Symbol] :token_method (:post) HTTP method to use to request token (:get or :post)
+    # @option opts [Symbol] :auth_scheme (:basic_auth) HTTP method to use to authorize request (:basic_auth or :request_body)
     # @option opts [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday with
     # @option opts [FixNum] :max_redirects (5) maximum number of redirects to follow
     # @option opts [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error
@@ -33,6 +35,7 @@ module OAuth2
       @options = {:authorize_url    => '/oauth/authorize',
                   :token_url        => '/oauth/token',
                   :token_method     => :post,
+                  :auth_scheme      => :request_body,
                   :connection_opts  => {},
                   :connection_build => block,
                   :max_redirects    => 5,
@@ -52,9 +55,11 @@ module OAuth2
     def connection
       @connection ||= begin
         conn = Faraday.new(site, options[:connection_opts])
-        conn.build do |b|
-          options[:connection_build].call(b)
-        end if options[:connection_build]
+        if options[:connection_build]
+          conn.build do |b|
+            options[:connection_build].call(b)
+          end
+        end
         conn
       end
     end
@@ -62,7 +67,8 @@ module OAuth2
     # The authorize endpoint URL of the OAuth2 provider
     #
     # @param [Hash] params additional query parameters
-    def authorize_url(params = nil)
+    def authorize_url(params = {})
+      params = (params || {}).merge(redirection_params)
       connection.build_url(options[:authorize_url], params).to_s
     end
 
@@ -88,9 +94,10 @@ module OAuth2
     def request(verb, url, opts = {}) # rubocop:disable CyclomaticComplexity, MethodLength, Metrics/AbcSize
       connection.response :logger, ::Logger.new($stdout) if ENV['OAUTH_DEBUG'] == 'true'
 
-      url = connection.build_url(url, opts[:params]).to_s
+      url = connection.build_url(url).to_s
 
       response = connection.run_request(verb, url, opts[:body], opts[:headers]) do |req|
+        req.params.update(opts[:params]) if opts[:params]
         yield(req) if block_given?
       end
       response = Response.new(response, :parse => opts[:parse])
@@ -110,12 +117,12 @@ module OAuth2
         response
       when 400..599
         error = Error.new(response)
-        fail(error) if opts.fetch(:raise_errors, options[:raise_errors])
+        raise(error) if opts.fetch(:raise_errors, options[:raise_errors])
         response.error = error
         response
       else
         error = Error.new(response)
-        fail(error, "Unhandled status code value of #{response.status}")
+        raise(error, "Unhandled status code value of #{response.status}")
       end
     end
 
@@ -124,20 +131,24 @@ module OAuth2
     # @param [Hash] params a Hash of params for the token endpoint
     # @param [Hash] access token options, to pass to the AccessToken object
     # @param [Class] class of access token for easier subclassing OAuth2::AccessToken
-    # @return [AccessToken] the initalized AccessToken
-    def get_token(params, access_token_opts = {}, access_token_class = AccessToken) # rubocop:disable Metrics/AbcSize
+    # @return [AccessToken] the initialized AccessToken
+    def get_token(params, access_token_opts = {}, access_token_class = AccessToken) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+      params = Authenticator.new(id, secret, options[:auth_scheme]).apply(params)
       opts = {:raise_errors => options[:raise_errors], :parse => params.delete(:parse)}
+      headers = params.delete(:headers) || {}
       if options[:token_method] == :post
-        headers = params.delete(:headers)
         opts[:body] = params
         opts[:headers] = {'Content-Type' => 'application/x-www-form-urlencoded'}
-        opts[:headers].merge!(headers) if headers
       else
         opts[:params] = params
+        opts[:headers] = {}
       end
+      opts[:headers].merge!(headers)
       response = request(options[:token_method], token_url, opts)
-      error = Error.new(response)
-      fail(error) if options[:raise_errors] && !(response.parsed.is_a?(Hash) && response.parsed['access_token'])
+      if options[:raise_errors] && !(response.parsed.is_a?(Hash) && response.parsed['access_token'])
+        error = Error.new(response)
+        raise(error)
+      end
       access_token_class.from_hash(self, response.parsed.merge(access_token_opts))
     end
 
@@ -172,5 +183,29 @@ module OAuth2
     def assertion
       @assertion ||= OAuth2::Strategy::Assertion.new(self)
     end
+
+    # The redirect_uri parameters, if configured
+    #
+    # The redirect_uri query parameter is OPTIONAL (though encouraged) when
+    # requesting authorization. If it is provided at authorization time it MUST
+    # also be provided with the token exchange request.
+    #
+    # Providing the :redirect_uri to the OAuth2::Client instantiation will take
+    # care of managing this.
+    #
+    # @api semipublic
+    #
+    # @see https://tools.ietf.org/html/rfc6749#section-4.1
+    # @see https://tools.ietf.org/html/rfc6749#section-4.1.3
+    # @see https://tools.ietf.org/html/rfc6749#section-4.2.1
+    # @see https://tools.ietf.org/html/rfc6749#section-10.6
+    # @return [Hash] the params to add to a request or URL
+    def redirection_params
+      if options[:redirect_uri]
+        {'redirect_uri' => options[:redirect_uri]}
+      else
+        {}
+      end
+    end
   end
 end