oauth2 2.0.18 → 2.0.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f43a3e156646bef90634677d617a155cff1f87d57ca030674f3ee05c160fa4d9
-  data.tar.gz: 5a2d29e7cd920d4e2f515afc23896795477e5cb357e47b6f5c3d0c797194d54c
+  metadata.gz: a50435455bab3e2cbebb651d7b88494ee04268367f1f8ab3dbacb479f1637b65
+  data.tar.gz: f9b36d98b44a56fbfc6e73b59c44829aa6f28eb24c16141c5052e23019145dcc
 SHA512:
-  metadata.gz: 471a77bbc0bd8a428ce01ba42ba8e9cb0ad35793eb5f7ae352946b9dda9a448152280c3bdf445255adb47b7f45d65efa11bff2affc2c2200f8e43f57f2a19a91
-  data.tar.gz: 6bae92dd35b1bf9efd38b4d3eceb2451c1016dbd9270947f74ba4ff389fa78420558df095acd8ff7404a2b8b2cdb9438983d1feb59751dd4252f2b7bc75c8d31
+  metadata.gz: 119ecedc64f4a158dcc0507b2da837ef2d44e6129803da0ebd383409a12670b43c892e596d2183a6e1095535ef0ed0e04769d4556f3111e392b12307a0c45e3c
+  data.tar.gz: 43bd592fbe5945d846b9791297ea307fe505a64e79b029b24302fe69fa246b57e7d279e1e87c1bf2c1cdc9e787a5d26e8fdbef15978dcfbb2efe277267d1628f

data/CHANGELOG.md

@@ -30,6 +30,58 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [2.0.20] - 2026-05-20
+
+- TAG: [v2.0.20][2.0.20t]
+- COVERAGE: 99.62% -- 525/527 lines in 15 files
+- BRANCH COVERAGE: 98.88% -- 176/178 branches in 15 files
+- 88.35% documented
+
+### Added
+
+- OAuth2::VERSION (Traditional Constant Location)
+
+### Changed
+
+- auth-sanitizer v0.1.3
+
+### Fixed
+
+- [gh!721][gh!721] Load `auth-sanitizer` through an internal isolated loader so requiring `oauth2` does not add top-level `Auth` or `AuthSanitizer` constants that may collide with downstream applications by @pboling
+
+### Security
+
+[gh!721]: https://github.com/ruby-oauth/oauth2/pull/721
+
+## [2.0.19] - 2026-05-15
+
+- TAG: [v2.0.19][2.0.19t]
+- COVERAGE: 100.00% -- 515/515 lines in 14 files
+- BRANCH COVERAGE: 100.00% -- 174/174 branches in 14 files
+- 89.11% documented
+
+### Added
+
+- [gh!707][gh!707] Add `OAuth2.config[:filtered_label]` to configure the placeholder used for filtered sensitive values in inspected objects and debug logging output by @pboling
+- [gh!707][gh!707] Add `OAuth2.config[:filtered_debug_keys]` to configure which key names have their values redacted from debug logging output by @pboling
+
+### Changed
+
+- [gh!707][gh!707] Make inspect-time and debug-log filters snapshot their configuration at initialization time rather than tracking later config changes by @pboling
+- [gh!714][gh!714]Refactor sensitive-value filtering to use `auth-sanitizer` while preserving `OAuth2::FilteredAttributes` as a permanent API alias by @pboling
+
+### Removed
+
+- Remove the internal `OAuth2::ThingFilter` and `OAuth2::SanitizedLogger` implementations now provided by `auth-sanitizer` by @pboling
+
+### Security
+
+- [gh!707][gh!707] Redact sensitive values from debug logging output, including Authorization headers and common token/secret fields in headers, query strings, form bodies, and JSON payloads by @pboling
+  - NOTE: debug logging has always been, and remains, opt-in. It is turned off by default.
+
+[gh!707]: https://github.com/ruby-oauth/oauth2/pull/707
+[gh!714]: https://github.com/ruby-oauth/oauth2/pull/714
+
 ## [2.0.18] - 2025-11-08
 
 - TAG: [v2.0.18][2.0.18t]
@@ -54,8 +106,6 @@ Please file a bug if you notice a violation of semantic versioning.
 - [gh!690][gh!690], [gh!691][gh!691], [gh!692][gh!692] - Add yard-fence
   - handle braces within code fences in markdown properly by @pboling
 
-### Security
-
 [gh!683]: https://github.com/ruby-oauth/oauth2/pull/683
 [gh!684]: https://github.com/ruby-oauth/oauth2/pull/684
 [gh!685]: https://github.com/ruby-oauth/oauth2/pull/685
@@ -196,8 +246,6 @@ Please file a bug if you notice a violation of semantic versioning.
 
 - [gh!660][gh!660] - Links in README (including link to HEAD documentation) by @pboling
 
-### Security
-
 [gh!660]: https://github.com/ruby-oauth/oauth2/pull/660
 [gh!657]: https://github.com/ruby-oauth/oauth2/pull/657
 [gh!656]: https://github.com/ruby-oauth/oauth2/pull/656
@@ -738,7 +786,11 @@ Please file a bug if you notice a violation of semantic versioning.
 
 [gemfiles/readme]: gemfiles/README.md
 
-[Unreleased]: https://github.com/ruby-oauth/oauth2/compare/v2.0.18...HEAD
+[Unreleased]: https://github.com/ruby-oauth/oauth2/compare/v2.0.20...HEAD
+[2.0.20]: https://github.com/ruby-oauth/oauth2/compare/v2.0.19...v2.0.20
+[2.0.20t]: https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.20
+[2.0.19]: https://github.com/ruby-oauth/oauth2/compare/v2.0.18...v2.0.19
+[2.0.19t]: https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.19
 [2.0.18]: https://github.com/ruby-oauth/oauth2/compare/v2.0.17...v2.0.18
 [2.0.18t]: https://github.com/ruby-oauth/oauth2/releases/tag/v2.0.18
 [2.0.17]: https://github.com/ruby-oauth/oauth2/compare/v2.0.16...v2.0.17

data/LICENSE.txt

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2017-2025 Peter H. Boling, of Galtzo.com, and oauth2 contributors
+Copyright (c) 2017-2026 Peter H. Boling, of Galtzo.com, and oauth2 contributors
 Copyright (c) 2011-2013 Michael Bleigh and Intridea, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy

data/README.md

@@ -1,32 +1,3 @@
-| 📍 NOTE                                                                                                                                                           |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| RubyGems (the [GitHub org][rubygems-org], not the website) [suffered][draper-security] a [hostile takeover][ellen-takeover] in September 2025.                    |
-| Ultimately [4 maintainers][simi-removed] were [hard removed][martin-removed] and a reason has been given for only 1 of those, while 2 others resigned in protest. |
-| It is a [complicated story][draper-takeover] which is difficult to [parse quickly][draper-lies].                                                                  |
-| I'm adding notes like this to gems because I [don't condone theft][draper-theft] of repositories or gems from their rightful owners.                              |
-| If a similar theft happened with my repos/gems, I'd hope some would stand up for me.                                                                              |
-| Disenfranchised former-maintainers have started [gem.coop][gem-coop].                                                                                             |
-| Once available I will publish there exclusively; unless RubyCentral makes amends with the community.                                                              |
-| The ["Technology for Humans: Joel Draper"][reinteractive-podcast] podcast episode by [reinteractive][reinteractive] is the most cogent summary I'm aware of.      |
-| See [here][gem-naming], [here][gem-coop] and [here][martin-ann] for more info on what comes next.                                                                 |
-| What I'm doing: A (WIP) proposal for [bundler/gem scopes][gem-scopes], and a (WIP) proposal for a federated [gem server][gem-server].                             |
-
-[rubygems-org]: https://github.com/rubygems/
-[draper-security]: https://joel.drapper.me/p/ruby-central-security-measures/
-[draper-takeover]: https://joel.drapper.me/p/ruby-central-takeover/
-[ellen-takeover]: https://pup-e.com/blog/goodbye-rubygems/
-[simi-removed]: https://www.reddit.com/r/ruby/s/gOk42POCaV
-[martin-removed]: https://bsky.app/profile/martinemde.com/post/3m3occezxxs2q
-[draper-lies]: https://joel.drapper.me/p/ruby-central-fact-check/
-[draper-theft]: https://joel.drapper.me/p/ruby-central/
-[reinteractive]: https://reinteractive.com/ruby-on-rails
-[gem-coop]: https://gem.coop
-[gem-naming]: https://github.com/gem-coop/gem.coop/issues/12
-[martin-ann]: https://martinemde.com/2025/10/05/announcing-gem-coop.html
-[gem-scopes]: https://github.com/galtzo-floss/bundle-namespace
-[gem-server]: https://github.com/galtzo-floss/gem-server
-[reinteractive-podcast]: https://youtu.be/_H4qbtC5qzU?si=BvuBU90R2wAqD2E6
-
 [![Galtzo FLOSS Logo by Aboling0, CC BY-SA 4.0][🖼️galtzo-i]][🖼️galtzo-discord] [![ruby-lang Logo, Yukihiro Matsumoto, Ruby Visual Identity Team, CC BY-SA 2.5][🖼️ruby-lang-i]][🖼️ruby-lang] [![oauth2 Logo by Chris Messina, CC BY-SA 3.0][🖼️oauth2-i]][🖼️oauth2]
 
 [🖼️galtzo-i]: https://logos.galtzo.com/assets/images/galtzo-floss/avatar-192px.svg
@@ -38,9 +9,7 @@
 
 # 🔐 OAuth 2.0 Authorization Framework
 
-⭐️ including OAuth 2.1 draft spec & OpenID Connect (OIDC)
-
-[![Version][👽versioni]][👽version] [![GitHub tag (latest SemVer)][⛳️tag-img]][⛳️tag] [![License: MIT][📄license-img]][📄license-ref] [![Downloads Rank][👽dl-ranki]][👽dl-rank] [![Open Source Helpers][👽oss-helpi]][👽oss-help] [![CodeCov Test Coverage][🏀codecovi]][🏀codecov] [![Coveralls Test Coverage][🏀coveralls-img]][🏀coveralls] [![QLTY Test Coverage][🏀qlty-covi]][🏀qlty-cov] [![QLTY Maintainability][🏀qlty-mnti]][🏀qlty-mnt] [![CI Heads][🚎3-hd-wfi]][🚎3-hd-wf] [![CI Runtime Dependencies @ HEAD][🚎12-crh-wfi]][🚎12-crh-wf] [![CI Current][🚎11-c-wfi]][🚎11-c-wf] [![CI JRuby][🚎10-j-wfi]][🚎10-j-wf] [![Deps Locked][🚎13-🔒️-wfi]][🚎13-🔒️-wf] [![Deps Unlocked][🚎14-🔓️-wfi]][🚎14-🔓️-wf] [![CI Supported][🚎6-s-wfi]][🚎6-s-wf] [![CI Legacy][🚎4-lg-wfi]][🚎4-lg-wf] [![CI Unsupported][🚎7-us-wfi]][🚎7-us-wf] [![CI Ancient][🚎1-an-wfi]][🚎1-an-wf] [![CI Test Coverage][🚎2-cov-wfi]][🚎2-cov-wf] [![CI Style][🚎5-st-wfi]][🚎5-st-wf] [![CodeQL][🖐codeQL-img]][🖐codeQL] [![Apache SkyWalking Eyes License Compatibility Check][🚎15-🪪-wfi]][🚎15-🪪-wf]
+[![Version][👽versioni]][👽version] [![GitHub tag (latest SemVer)][⛳️tag-img]][⛳️tag] [![License: MIT][📄license-img]][📄license-ref] [![Downloads Rank][👽dl-ranki]][👽dl-rank] [![CodeCov Test Coverage][🏀codecovi]][🏀codecov] [![Coveralls Test Coverage][🏀coveralls-img]][🏀coveralls] [![QLTY Test Coverage][🏀qlty-covi]][🏀qlty-cov] [![QLTY Maintainability][🏀qlty-mnti]][🏀qlty-mnt] [![CI Heads][🚎3-hd-wfi]][🚎3-hd-wf] [![CI Runtime Dependencies @ HEAD][🚎12-crh-wfi]][🚎12-crh-wf] [![CI Current][🚎11-c-wfi]][🚎11-c-wf] [![CI JRuby][🚎10-j-wfi]][🚎10-j-wf] [![Deps Locked][🚎13-🔒️-wfi]][🚎13-🔒️-wf] [![Deps Unlocked][🚎14-🔓️-wfi]][🚎14-🔓️-wf] [![CI Supported][🚎6-s-wfi]][🚎6-s-wf] [![CI Legacy][🚎4-lg-wfi]][🚎4-lg-wf] [![CI Unsupported][🚎7-us-wfi]][🚎7-us-wf] [![CI Ancient][🚎1-an-wfi]][🚎1-an-wf] [![CI Test Coverage][🚎2-cov-wfi]][🚎2-cov-wf] [![CI Style][🚎5-st-wfi]][🚎5-st-wf] [![CodeQL][🖐codeQL-img]][🖐codeQL] [![Apache SkyWalking Eyes License Compatibility Check][🚎15-🪪-wfi]][🚎15-🪪-wf]
 
 `if ci_badges.map(&:color).detect { it != "green"}` ☝️ [let me know][🖼️galtzo-discord], as I may have missed the [discord notification][🖼️galtzo-discord].
 
@@ -50,13 +19,20 @@
 
 [![OpenCollective Backers][🖇osc-backers-i]][🖇osc-backers] [![OpenCollective Sponsors][🖇osc-sponsors-i]][🖇osc-sponsors] [![Sponsor Me on Github][🖇sponsor-img]][🖇sponsor] [![Liberapay Goal Progress][⛳liberapay-img]][⛳liberapay] [![Donate on PayPal][🖇paypal-img]][🖇paypal] [![Buy me a coffee][🖇buyme-small-img]][🖇buyme] [![Donate on Polar][🖇polar-img]][🖇polar] [![Donate at ko-fi.com][🖇kofi-img]][🖇kofi]
 
+<details>
+    <summary>👣 How will this project approach the September 2025 hostile takeover of RubyGems? 🚑️</summary>
+
+I've summarized my thoughts in [this blog post](https://dev.to/galtzo/hostile-takeover-of-rubygems-my-thoughts-5hlo).
+
+</details>
+
 ## 🌻 Synopsis
 
 OAuth 2.0 is the industry-standard protocol for authorization.
-OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications,
-    desktop applications, mobile phones, and living room devices.
 This is a RubyGem for implementing OAuth 2.0 clients (not servers) in Ruby applications.
 
+⭐️ including OAuth 2.1 draft spec & OpenID Connect (OIDC)
+
 ### Quick Examples
 
 <details markdown="1">
@@ -75,13 +51,14 @@ curl --request POST \
 NOTE: In the ruby version below, certain params are passed to the `get_token` call, instead of the client creation.
 
 ```ruby
-OAuth2::Client.new(
+client = OAuth2::Client.new(
   "REDMOND_CLIENT_ID", # client_id
   "REDMOND_CLIENT_SECRET", # client_secret
   auth_scheme: :request_body, # Other modes are supported: :basic_auth, :tls_client_auth, :private_key_jwt
   token_url: "oauth2/token", # relative path, except with leading `/`, then absolute path
   site: "https://login.microsoftonline.com/REDMOND_REDACTED",
-). # The base path for token_url when it is relative
+)
+client.
   client_credentials. # There are many other types to choose from!
   get_token(resource: "REDMOND_RESOURCE_UUID")
 ```
@@ -344,33 +321,44 @@ See [SECURITY.md][🔐security] and [IRP.md][🔐irp].
 
 ## ⚙️ Configuration
 
-You can turn on additional warnings.
+Global settings for the library:
 
 ```ruby
 OAuth2.configure do |config|
-  # Turn on a warning like:
-  #   OAuth2::AccessToken.from_hash: `hash` contained more than one 'token' key
   config.silence_extra_tokens_warning = false # default: true
-  # Set to true if you want to also show warnings about no tokens
-  config.silence_no_tokens_warning = false # default: true,
+  config.silence_no_tokens_warning = false    # default: true
 end
 ```
 
-The "extra tokens" problem comes from ambiguity in the spec about which token is the right token.
-Some OAuth 2.0 standards legitimately have multiple tokens.
-You may need to subclass `OAuth2::AccessToken`, or write your own custom alternative to it, and pass it in.
-Specify your custom class with the `access_token_class` option.
+Filtering-related settings:
 
-If you only need one token, you can, as of v2.0.10,
-specify the exact token name you want to extract via the `OAuth2::AccessToken` using
-the `token_name` option.
+```ruby
+OAuth2.configure do |config|
+  config.filtered_label = "[REDACTED]" # default: "[FILTERED]"
+  config.filtered_debug_keys += ["client_assertion"]
+end
+```
 
-You'll likely need to do some source diving.
-This gem has 100% test coverage for lines and branches, so the specs are a great place to look for ideas.
-If you have time and energy, please contribute to the documentation!
+- `filtered_label` controls the placeholder used when sensitive values are filtered from inspected objects and debug logging output.
+- `filtered_debug_keys` controls which key names have their values redacted from debug logging output when `OAUTH_DEBUG=true`.
+- Debug logging remains opt-in and should still be used cautiously in production environments.
 
 ## 🔧 Basic Usage
 
+### Client Initialization Options
+
+`OAuth2::Client.new` accepts several options:
+
+- `:site`: The base URL for the OAuth 2.0 provider.
+- `:authorize_url`: The authorization endpoint (default: `"oauth/authorize"`).
+- `:token_url`: The token endpoint (default: `"oauth/token"`).
+- `:auth_scheme`: The authentication scheme (`:basic_auth`, `:request_body`, `:tls_client_auth`, `:private_key_jwt`). Default is `:basic_auth`.
+- `:connection_opts`: Options for the underlying Faraday connection (timeouts, proxy, etc.).
+- `:raise_errors`: Whether to raise `OAuth2::Error` on 400+ responses (default: `true`).
+
+<details markdown="1">
+  <summary><em>authorize_url</em> and <em>token_url</em></summary>
+
 ### `authorize_url` and `token_url` are on site root (Just Works!)
 
 ```ruby
@@ -416,6 +404,25 @@ client.class.name
 # => OAuth2::Client
 ```
 
+</details>
+
+### Advanced Initializers
+
+```ruby
+client = OAuth2::Client.new(id, secret, site: site) do |faraday|
+  faraday.request(:url_encoded)
+  faraday.adapter(:net_http_persistent)
+end
+```
+
+### AccessToken Features
+
+Instances of `OAuth2::AccessToken` handle request signing and token expiration.
+
+- **Snake Case & Indifferent Access**: `response.parsed` returns a `SnakyHash` allowing access via string/symbol and snake_case keys even if the provider returns CamelCase.
+- **Auto-Refresh**: You can manually check `token.expired?` and call `token.refresh`.
+- **Serialization**: Persist tokens using `token.to_hash` and restore via `OAuth2::AccessToken.from_hash(client, hash)`.
+
 ### snake_case and indifferent access in Response#parsed
 
 ```ruby
@@ -553,6 +560,13 @@ ENV["OAUTH_DEBUG"] = "true"
 By default, debug output will go to `$stdout`. This can be overridden when
 initializing your OAuth2::Client.
 
+Sensitive values are filtered from debug logging output using:
+
+- `OAuth2.config[:filtered_label]`
+- `OAuth2.config[:filtered_debug_keys]`
+
+Debug logging remains opt-in and should still be used cautiously in production environments.
+
 ```ruby
 require "oauth2"
 client = OAuth2::Client.new(
@@ -565,15 +579,30 @@ client = OAuth2::Client.new(
 
 </details>
 
+### Request Target Trust Boundaries
+
+This gem supports request flows that can involve absolute URLs in addition to relative paths.
+That flexibility can expand trust boundaries when a token-bearing client is asked to send requests
+to caller-provided targets.
+
+Practical guidance:
+
+- prefer relative paths where practical
+- do not pass untrusted absolute URLs into token-bearing clients
+- validate or allowlist request targets at the application layer today if your deployment has strict trust-boundary requirements
+
+This release line does not yet enforce same-host or allowlist request policy automatically.
+If stricter outbound request controls are needed, they should currently be implemented by the calling application.
+
 ### OAuth2::Response
 
 The `AccessToken` methods `#get`, `#post`, `#put` and `#delete` and the generic `#request`
-will return an instance of the #OAuth2::Response class.
+will return an instance of the `OAuth2::Response` class.
 
 This instance contains a `#parsed` method that will parse the response body and
 return a Hash-like [`SnakyHash::StringKeyed`](https://gitlab.com/ruby-oauth/snaky_hash/-/blob/main/lib/snaky_hash/string_keyed.rb) if the `Content-Type` is `application/x-www-form-urlencoded` or if
-the body is a JSON object.  It will return an Array if the body is a JSON
-array.  Otherwise, it will return the original body string.
+the body is a JSON object. It will return an Array if the body is a JSON
+array. Otherwise, it will return the original body string.
 
 The original response body, headers, and status can be accessed via their
 respective methods.
@@ -615,16 +644,22 @@ Response instance will contain the `OAuth2::Error` instance.
 
 ### Authorization Grants
 
-Note on OAuth 2.1 (draft):
+Currently, the Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials, and Assertion
+authentication grant types have helper strategy classes that simplify client
+use. They are available via the [`#auth_code`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/auth_code.rb),
+[`#implicit`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/implicit.rb),
+[`#password`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/password.rb),
+[`#client_credentials`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/client_credentials.rb), and
+[`#assertion`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/assertion.rb) methods respectively.
+
+#### OAuth 2.1 (draft) Note:
 
-- PKCE is required for all OAuth clients using the authorization code flow (especially public clients). Implement PKCE in your app when required by your provider. See RFC 7636 and RFC 8252.
-- Redirect URIs must be compared using exact string matching by the Authorization Server.
-- The Implicit grant (response_type=token) and the Resource Owner Password Credentials grant are omitted from OAuth 2.1; they remain here for OAuth 2.0 compatibility but should be avoided for new apps.
-- Bearer tokens in the query string are omitted due to security risks; prefer Authorization header usage.
-- Refresh tokens for public clients must either be sender-constrained (e.g., DPoP/MTLS) or one-time use.
-- The definitions of public and confidential clients are simplified to refer only to whether the client has credentials.
+- **PKCE** is required for all OAuth clients using the authorization code flow (especially public clients). Implement PKCE in your app when required by your provider. See RFC 7636 and RFC 8252.
+- **Implicit grant** (response_type=token) and **Resource Owner Password Credentials grant** are omitted from OAuth 2.1; they remain here for OAuth 2.0 compatibility but should be avoided for new apps.
+- **Redirect URIs** must be compared using exact string matching by the Authorization Server.
 
-References:
+<details markdown="1">
+  <summary>OAuth 2.1 (draft) References</summary>
 
 - OAuth 2.1 draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13
 - Aaron Parecki: https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
@@ -633,13 +668,7 @@ References:
 - Video: https://www.youtube.com/watch?v=g_aVPdwBTfw
 - Differences overview: https://fusionauth.io/learn/expert-advice/oauth/differences-between-oauth-2-oauth-2-1/
 
-Currently, the Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials, and Assertion
-authentication grant types have helper strategy classes that simplify client
-use. They are available via the [`#auth_code`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/auth_code.rb),
-[`#implicit`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/implicit.rb),
-[`#password`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/password.rb),
-[`#client_credentials`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/client_credentials.rb), and
-[`#assertion`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/assertion.rb) methods respectively.
+</details>
 
 These aren't full examples, but demonstrative of the differences between usage for each strategy.
 
@@ -774,7 +803,7 @@ Notes:
 
 </details>
 
-### Instagram API (verb‑dependent token mode)
+### Verb‑dependent Token Mode
 
 Providers like Instagram require the access token to be sent differently depending on the HTTP verb:
 
@@ -783,6 +812,14 @@ Providers like Instagram require the access token to be sent differently dependi
 
 Since v2.0.15, you can configure an AccessToken with a verb‑dependent mode. The gem will choose how to send the token based on the request method.
 
+Tips:
+
+- Avoid query‑string bearer tokens unless required by your provider. Instagram explicitly requires it for `GET` requests.
+- If you need a custom rule, you can pass a `Proc` for `mode`, e.g. `mode: ->(verb) { verb == :get ? :query : :header }`.
+
+<details markdown="1">
+  <summary>Instagram API Example</summary>
+
 Example: exchanging and refreshing long‑lived Instagram tokens, and making API calls
 
 ```ruby
@@ -841,10 +878,7 @@ me = long_lived.get("/me", params: {fields: "id,username"}).parsed
 # long_lived.post("/me/media", body: {image_url: "https://...", caption: "hello"})
 ```
 
-Tips:
-
-- Avoid query‑string bearer tokens unless required by your provider. Instagram explicitly requires it for `GET` requests.
-- If you need a custom rule, you can pass a `Proc` for `mode`, e.g. `mode: ->(verb) { verb == :get ? :query : :header }`.
+</details>
 
 ### Refresh Tokens
 
@@ -1085,11 +1119,12 @@ access = client.get_token({
 })
 ```
 
-### OpenID Connect (OIDC) Notes
+### OpenID Connect (OIDC)
 
-- If the token response includes an `id_token` (a JWT), this gem surfaces it but does not validate the signature. Use a JWT library and your provider's JWKs to verify it.
-- For private_key_jwt client authentication, provide `auth_scheme: :private_key_jwt` and ensure your key configuration matches the provider requirements.
-- See [OIDC.md](OIDC.md) for a more complete OIDC overview, example, and links to the relevant specifications.
+- If the token response includes an `id_token` (a JWT), this gem surfaces it in `token.params['id_token']`.
+- **Note**: This gem does **not** validate the signature of the `id_token`. You must use a JWT library (like the `jwt` [gem](https://github.com/jwt/ruby-jwt)) and your provider's JWKs to verify it.
+- For `private_key_jwt` client authentication, provide `auth_scheme: :private_key_jwt` and ensure your key configuration matches the provider requirements.
+- See [OIDC.md](OIDC.md) for a more complete OIDC overview and examples.
 
 ### Debugging
 
@@ -1139,6 +1174,10 @@ NOTE: [kettle-readme-backers][kettle-readme-backers] updates this list every day
 
 <!-- OPENCOLLECTIVE-ORGANIZATIONS:START -->
 No sponsors yet. Be the first!
+
+### Open Collective for Donors
+
+[Bill Woika](https://opencollective.com/bill-woika)
 <!-- OPENCOLLECTIVE-ORGANIZATIONS:END -->
 
 [kettle-readme-backers]: https://github.com/ruby-oauth/oauth2/blob/main/exe/kettle-readme-backers
@@ -1257,7 +1296,7 @@ See [LICENSE.txt][📄license] for the official [Copyright Notice][📄copyright
 
 <ul>
     <li>
-        Copyright (c) 2017 – 2025 Peter H. Boling, of
+        Copyright (c) 2017 – 2026 Peter H. Boling, of
         <a href="https://discord.gg/3qme4XHNKN">
             Galtzo.com
             <picture>
@@ -1384,8 +1423,6 @@ Thanks for RTFM. ☺️
 [📜gh-wiki-img]: https://img.shields.io/badge/wiki-examples-943CD2.svg?style=for-the-badge&logo=github&logoColor=white
 [👽dl-rank]: https://bestgems.org/gems/oauth2
 [👽dl-ranki]: https://img.shields.io/gem/rd/oauth2.svg
-[👽oss-help]: https://www.codetriage.com/ruby-oauth/oauth2
-[👽oss-helpi]: https://www.codetriage.com/ruby-oauth/oauth2/badges/users.svg
 [👽version]: https://bestgems.org/gems/oauth2
 [👽versioni]: https://img.shields.io/gem/v/oauth2.svg
 [🏀qlty-mnt]: https://qlty.sh/gh/ruby-oauth/projects/oauth2
@@ -1477,7 +1514,7 @@ Thanks for RTFM. ☺️
 [📌gitmoji]: https://gitmoji.dev
 [📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
-[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.526-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
+[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.527-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
 [🔐security]: SECURITY.md
 [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat
 [🔐irp]: IRP.md

data/REEK

@@ -0,0 +1,2 @@
+./reek: 1: ./reek:: not found
+./reek: 2: ./reek:: not found

data/SECURITY.md

@@ -12,7 +12,7 @@ To report a security vulnerability, please use the
 [Tidelift security contact](https://tidelift.com/security).
 Tidelift will coordinate the fix and disclosure.
 
-More detailed explanation of the process is in [IRP.md][IRP]
+More detailed explanation of the process is in [IRP.md][IRP].
 
 ## Additional Support
 

data/THREAT_MODEL.md

@@ -63,7 +63,16 @@ This document outlines the threat model for the `oauth2` Ruby gem, which impleme
   - Validate and sanitize all inputs
   - Use parameterized queries and safe APIs
 
-### 5.7 Insufficient Logging and Monitoring
+### 5.7 Request-Target Trust Boundary Expansion
+- **Threat:** Applications may pass untrusted or insufficiently validated absolute URLs into request paths that can carry OAuth credentials or authenticated state.
+- **Risk:** This can expand trust boundaries, contributing to token leakage, authenticated requests to unintended hosts, or SSRF-like pivoting in the surrounding application.
+- **Mitigations:**
+  - Prefer relative paths where practical
+  - Do not pass untrusted absolute URLs into token-bearing clients
+  - Validate or allowlist outbound request targets at the application layer
+  - Treat request-target validation as a separate concern from log redaction and token storage
+
+### 5.8 Insufficient Logging and Monitoring
 - **Threat:** Attacks go undetected
 - **Mitigations:**
   - Log security-relevant events (without sensitive data)

data/lib/oauth2/access_token.rb

@@ -57,26 +57,23 @@ module OAuth2
       def from_hash(client, hash)
         fresh = hash.dup
         # If token_name is present, then use that key name
-        key =
-          if fresh.key?(:token_name)
-            t_key = fresh[:token_name]
-            no_tokens_warning(fresh, t_key)
-            t_key
-          else
-            # Otherwise, if one of the supported default keys is present, use whichever has precedence
-            supported_keys = TOKEN_KEY_LOOKUP & fresh.keys
-            t_key = supported_keys[0]
-            extra_tokens_warning(supported_keys, t_key)
-            t_key
-          end
+        if fresh.key?(:token_name)
+          t_key = fresh[:token_name]
+          no_tokens_warning(fresh, t_key)
+        else
+          # Otherwise, if one of the supported default keys is present, use whichever has precedence
+          supported_keys = TOKEN_KEY_LOOKUP & fresh.keys
+          t_key = supported_keys[0]
+          extra_tokens_warning(supported_keys, t_key)
+        end
         # :nocov:
         # TODO: Get rid of this branching logic when dropping Hashie < v3.2
         token = if !defined?(Hashie::VERSION) # i.e. <= "1.1.0"; the first Hashie to ship with a VERSION constant
           warn("snaky_hash and oauth2 will drop support for Hashie v0 in the next major version. Please upgrade to a modern Hashie.")
           # There is a bug in Hashie v0, which is accounts for.
-          fresh.delete(key) || fresh[key] || ""
+          fresh.delete(t_key) || fresh[t_key] || ""
         else
-          fresh.delete(key) || ""
+          fresh.delete(t_key) || ""
         end
         # :nocov:
         new(client, token, fresh)

data/lib/oauth2/auth_sanitizer.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module OAuth2
+  AUTH_SANITIZER = begin
+    auth_sanitizer_requirement = Gem::Requirement.new("~> 0.1", ">= 0.1.3")
+    auth_sanitizer_spec = Gem.loaded_specs["auth-sanitizer"]
+    unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sanitizer_spec.version)
+      # :nocov:
+      auth_sanitizer_spec = Gem::Specification.find_by_name("auth-sanitizer", auth_sanitizer_requirement)
+      # :nocov:
+    end
+
+    auth_sanitizer_loader_path = File.join(
+      auth_sanitizer_spec.full_gem_path,
+      "lib/auth_sanitizer/loader.rb",
+    )
+    unless File.file?(auth_sanitizer_loader_path)
+      # :nocov:
+      raise LoadError, "oauth2 requires auth-sanitizer #{auth_sanitizer_requirement}; " \
+        "loader not found at #{auth_sanitizer_loader_path}"
+      # :nocov:
+    end
+
+    auth_sanitizer_loader_namespace = Module.new
+    auth_sanitizer_loader_namespace.module_eval(
+      File.read(auth_sanitizer_loader_path),
+      auth_sanitizer_loader_path,
+      1,
+    )
+
+    auth_sanitizer_loader_namespace.
+      const_get(:AuthSanitizer).
+      const_get(:Loader).
+      load_isolated
+  end
+end

data/lib/oauth2/authenticator.rb

@@ -51,13 +51,15 @@ module OAuth2
       end
     end
 
-    # Encodes a Basic Authorization header value for the provided credentials.
-    #
-    # @param [String] user The client identifier
-    # @param [String] password The client secret
-    # @return [String] The value to use for the Authorization header
-    def self.encode_basic_auth(user, password)
-      "Basic #{Base64.strict_encode64("#{user}:#{password}")}"
+    class << self
+      # Encodes a Basic Authorization header value for the provided credentials.
+      #
+      # @param [String] user The client identifier
+      # @param [String] password The client secret
+      # @return [String] The value to use for the Authorization header
+      def encode_basic_auth(user, password)
+        "Basic #{Base64.strict_encode64("#{user}:#{password}")}"
+      end
     end
 
   private

data/lib/oauth2/client.rb

@@ -42,7 +42,7 @@ module OAuth2
     # @option options [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday
     # @option options [Boolean] :raise_errors (true) whether to raise an OAuth2::Error on responses with 400+ status codes
     # @option options [Integer] :max_redirects (5) maximum number of redirects to follow
-    # @option options [Logger] :logger (::Logger.new($stdout)) Logger instance for HTTP request/response output; requires OAUTH_DEBUG to be true
+    # @option options [Logger] :logger (::Logger.new($stdout)) Logger instance for HTTP request/response output; requires OAUTH_DEBUG to be true. When debug logging is enabled, sensitive values are filtered using {OAuth2::AUTH_SANITIZER::SanitizedLogger} initialized from `OAuth2.config[:filtered_label]` and the key names in `OAuth2.config[:filtered_debug_keys]`.
     # @option options [Class] :access_token_class (AccessToken) class to use for access tokens; you can subclass OAuth2::AccessToken, @version 2.0+
     # @option options [Hash] :ssl SSL options for Faraday
     #
@@ -563,7 +563,15 @@ module OAuth2
     end
 
     def oauth_debug_logging(builder)
-      builder.response(:logger, options[:logger], bodies: true) if OAuth2::OAUTH_DEBUG
+      builder.response(
+        :logger,
+        OAuth2::AUTH_SANITIZER::SanitizedLogger.new(
+          options[:logger],
+          filtered_keys: OAuth2.config[:filtered_debug_keys],
+          label: OAuth2.config[:filtered_label],
+        ),
+        bodies: true,
+      ) if OAuth2::OAUTH_DEBUG
     end
   end
 end

data/lib/oauth2/error.rb

@@ -17,6 +17,8 @@ module OAuth2
     # @param [OAuth2::Response, Hash, Object] response A Response or error payload
     def initialize(response)
       @response = response
+      @code = nil
+      @description = nil
       if response.respond_to?(:parsed)
         if response.parsed.is_a?(Hash)
           @code = response.parsed["error"]

data/lib/oauth2/filtered_attributes.rb

@@ -1,52 +1,10 @@
+# frozen_string_literal: true
+
 module OAuth2
-  # Mixin that redacts sensitive instance variables in #inspect output.
+  # Permanent alias for {OAuth2::AUTH_SANITIZER::FilteredAttributes}.
   #
-  # Classes include this module and declare which attributes should be filtered
-  # using {.filtered_attributes}. Any instance variable name that includes one of
-  # those attribute names will be shown as [FILTERED] in the object's inspect.
-  module FilteredAttributes
-    # Hook invoked when the module is included. Extends the including class with
-    # class-level helpers.
-    #
-    # @param [Class] base The including class
-    # @return [void]
-    def self.included(base)
-      base.extend(ClassMethods)
-    end
-
-    # Class-level helpers for configuring filtered attributes.
-    module ClassMethods
-      # Declare attributes that should be redacted in inspect output.
-      #
-      # @param [Array<Symbol, String>] attributes One or more attribute names
-      # @return [void]
-      def filtered_attributes(*attributes)
-        @filtered_attribute_names = attributes.map(&:to_sym)
-      end
-
-      # The configured attribute names to filter.
-      #
-      # @return [Array<Symbol>]
-      def filtered_attribute_names
-        @filtered_attribute_names || []
-      end
-    end
-
-    # Custom inspect that redacts configured attributes.
-    #
-    # @return [String]
-    def inspect
-      filtered_attribute_names = self.class.filtered_attribute_names
-      return super if filtered_attribute_names.empty?
-
-      inspected_vars = instance_variables.map do |var|
-        if filtered_attribute_names.any? { |filtered_var| var.to_s.include?(filtered_var.to_s) }
-          "#{var}=[FILTERED]"
-        else
-          "#{var}=#{instance_variable_get(var).inspect}"
-        end
-      end
-      "#<#{self.class}:#{object_id} #{inspected_vars.join(", ")}>"
-    end
-  end
+  # This constant is intentionally kept in the `OAuth2` namespace because it
+  # was part of the public API before the implementation was extracted into the
+  # `auth-sanitizer` gem.  It will **not** be deprecated or removed.
+  FilteredAttributes = OAuth2::AUTH_SANITIZER::FilteredAttributes
 end

data/lib/oauth2/response.rb

@@ -43,18 +43,20 @@ module OAuth2
       "text/plain" => :text,
     }
 
-    # Adds a new content type parser.
-    #
-    # @param [Symbol] key A descriptive symbol key such as :json or :query
-    # @param [Array<String>, String] mime_types One or more mime types to which this parser applies
-    # @yield [String] Block that will be called to parse the response body
-    # @yieldparam [String] body The response body to parse
-    # @return [void]
-    def self.register_parser(key, mime_types, &block)
-      key = key.to_sym
-      @@parsers[key] = block
-      Array(mime_types).each do |mime_type|
-        @@content_types[mime_type] = key
+    class << self
+      # Adds a new content type parser.
+      #
+      # @param [Symbol] key A descriptive symbol key such as :json or :query
+      # @param [Array<String>, String] mime_types One or more mime types to which this parser applies
+      # @yield [String] Block that will be called to parse the response body
+      # @yieldparam [String] body The response body to parse
+      # @return [void]
+      def register_parser(key, mime_types, &block)
+        key = key.to_sym
+        @@parsers[key] = block
+        Array(mime_types).each do |mime_type|
+          @@content_types[mime_type] = key
+        end
       end
     end
 

data/lib/oauth2/version.rb

@@ -2,6 +2,7 @@
 
 module OAuth2
   module Version
-    VERSION = "2.0.18"
+    VERSION = "2.0.20"
   end
+  VERSION = Version::VERSION # Traditional Constant Location
 end

data/lib/oauth2.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 # includes modules from stdlib
-require "cgi"
+require "cgi/escape"
 require "time"
 
 # third party gems
@@ -10,6 +10,7 @@ require "version_gem"
 
 # includes gem files
 require_relative "oauth2/version"
+require_relative "oauth2/auth_sanitizer"
 require_relative "oauth2/filtered_attributes"
 require_relative "oauth2/error"
 require_relative "oauth2/authenticator"
@@ -43,38 +44,59 @@ module OAuth2
   #     config[:silence_no_tokens_warning] = false
   #   end
   #
+  # @example Customize filtered output markers and debug-log value filtering by key name
+  #   OAuth2.configure do |config|
+  #     config[:filtered_label] = "[REDACTED]"
+  #     config[:filtered_debug_keys] += ["client_assertion"]
+  #   end
+  #
+  # Existing objects and logger wrappers snapshot filtering configuration during
+  # initialization. Changing these config values later affects only newly
+  # initialized objects and debug loggers.
+  #
   # @return [SnakyHash::SymbolKeyed] A mutable Hash-like config with symbol keys
   DEFAULT_CONFIG = SnakyHash::SymbolKeyed.new(
     silence_extra_tokens_warning: true,
     silence_no_tokens_warning: true,
+    filtered_label: "[FILTERED]",
+    filtered_debug_keys: %w[
+      access_token
+      refresh_token
+      id_token
+      client_secret
+      assertion
+      code_verifier
+      token
+    ],
   )
 
   # The current runtime configuration for the library.
   #
   # @return [SnakyHash::SymbolKeyed]
-  @config = DEFAULT_CONFIG.dup
+  CONFIG = DEFAULT_CONFIG.dup
 
   class << self
-    # Access the current configuration.
+    def config
+      CONFIG
+    end
+
+    # Configure global library behavior.
     #
-    # Prefer using {OAuth2.configure} to mutate configuration.
+    # Yields the mutable configuration object so callers can update settings.
     #
-    # @return [SnakyHash::SymbolKeyed]
-    attr_reader :config
+    # @yieldparam [SnakyHash::SymbolKeyed] config the configuration object
+    # @return [void]
+    def configure
+      yield config
+    end
   end
-
-  # Configure global library behavior.
-  #
-  # Yields the mutable configuration object so callers can update settings.
-  #
-  # @yieldparam [SnakyHash::SymbolKeyed] config the configuration object
-  # @return [void]
-  def configure
-    yield @config
-  end
-  module_function :configure
 end
 
+# Wire OAuth2::AUTH_SANITIZER's label provider to read from OAuth2.config so that
+# FilteredAttributes-bearing objects and OAuth2::AUTH_SANITIZER::SanitizedLogger instances
+# pick up OAuth2.config[:filtered_label] at their initialization time.
+OAuth2::AUTH_SANITIZER.filtered_label_provider = -> { OAuth2.config[:filtered_label] }
+
 # Extend OAuth2::Version with VersionGem helpers to provide semantic version helpers.
 OAuth2::Version.class_eval do
   extend VersionGem::Basic

data/sig/oauth2/filtered_attributes.rbs

@@ -1,6 +1,11 @@
 module OAuth2
   module FilteredAttributes
+    module InitializerMethods
+      def initialize: (*untyped args) { () -> untyped } -> untyped
+    end
+
     def self.included: (untyped) -> untyped
-    def filtered_attributes: (*String) -> void
+    def filtered_attributes: (*(String | Symbol)) -> void
+    def thing_filter: () -> OAuth2::ThingFilter
   end
 end

data/sig/oauth2/sanitized_logger.rbs

@@ -0,0 +1,32 @@
+module OAuth2
+  class SanitizedLogger
+    def initialize: (untyped logger) -> void
+
+    def add: (untyped severity, ?untyped message, ?untyped progname) { () -> untyped } -> untyped
+    def <<: (String message) -> untyped
+    def debug: (?untyped progname) { () -> untyped } -> untyped
+    def info: (?untyped progname) { () -> untyped } -> untyped
+    def warn: (?untyped progname) { () -> untyped } -> untyped
+    def error: (?untyped progname) { () -> untyped } -> untyped
+    def fatal: (?untyped progname) { () -> untyped } -> untyped
+    def unknown: (?untyped progname) { () -> untyped } -> untyped
+    def close: () -> void
+    def formatter: () -> untyped
+    def formatter=: (untyped formatter) -> void
+    def level: () -> untyped
+    def level=: (untyped level) -> void
+    def progname: () -> untyped
+    def progname=: (untyped progname) -> void
+    def respond_to_missing?: (Symbol method_name, ?bool include_private) -> bool
+    def method_missing: (Symbol method_name, *untyped args) { () -> untyped } -> untyped
+
+    private
+
+    def log: (Symbol level, ?untyped progname) { () -> untyped } -> untyped
+    def sanitize: (untyped message) -> untyped
+    def thing_filter: () -> OAuth2::ThingFilter
+    def sanitize_authorization_header: (String message) -> String
+    def sanitize_json_pairs: (String message) -> String
+    def sanitize_form_and_query_pairs: (String message) -> String
+  end
+end

data/sig/oauth2/thing_filter.rbs

@@ -0,0 +1,10 @@
+module OAuth2
+  class ThingFilter
+    attr_reader things: Array[String]
+    attr_reader label: String
+
+    def initialize: (Enumerable[untyped] things, label: String) -> void
+    def filtered?: (untyped thing_name) -> bool
+    def pattern_source: () -> String
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: oauth2
 version: !ruby/object:Gem::Version
-  version: 2.0.18
+  version: 2.0.20
 platform: ruby
 authors:
 - Peter Boling
@@ -39,6 +39,26 @@ cert_chain:
   -----END CERTIFICATE-----
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: auth-sanitizer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.1.3
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -136,7 +156,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -146,7 +166,7 @@ dependencies:
         version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.3
+        version: 2.0.4
 - !ruby/object:Gem::Dependency
   name: version_gem
   requirement: !ruby/object:Gem::Requirement
@@ -227,28 +247,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: bundler-audit
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: 0.9.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.2
+        version: 0.9.3
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -290,6 +310,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -297,6 +320,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.6
 - !ruby/object:Gem::Dependency
   name: kettle-test
   requirement: !ruby/object:Gem::Requirement
@@ -306,7 +332,7 @@ dependencies:
         version: '1.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.6
+        version: 1.0.10
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -316,7 +342,7 @@ dependencies:
         version: '1.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.6
+        version: 1.0.10
 - !ruby/object:Gem::Dependency
   name: ruby-progressbar
   requirement: !ruby/object:Gem::Requirement
@@ -340,7 +366,7 @@ dependencies:
         version: '1.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.2
+        version: 1.0.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -350,7 +376,7 @@ dependencies:
         version: '1.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.2
+        version: 1.0.3
 - !ruby/object:Gem::Dependency
   name: gitmoji-regex
   requirement: !ruby/object:Gem::Requirement
@@ -428,6 +454,7 @@ files:
 - THREAT_MODEL.md
 - lib/oauth2.rb
 - lib/oauth2/access_token.rb
+- lib/oauth2/auth_sanitizer.rb
 - lib/oauth2/authenticator.rb
 - lib/oauth2/client.rb
 - lib/oauth2/error.rb
@@ -447,17 +474,19 @@ files:
 - sig/oauth2/error.rbs
 - sig/oauth2/filtered_attributes.rbs
 - sig/oauth2/response.rbs
+- sig/oauth2/sanitized_logger.rbs
 - sig/oauth2/strategy.rbs
+- sig/oauth2/thing_filter.rbs
 - sig/oauth2/version.rbs
 homepage: https://github.com/ruby-oauth/oauth2
 licenses:
 - MIT
 metadata:
   homepage_uri: https://oauth2.galtzo.com/
-  source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.18
-  changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.18/CHANGELOG.md
+  source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.20
+  changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.20/CHANGELOG.md
   bug_tracker_uri: https://github.com/ruby-oauth/oauth2/issues
-  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.18
+  documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.20
   mailing_list_uri: https://groups.google.com/g/oauth-ruby
   funding_uri: https://github.com/sponsors/pboling
   wiki_uri: https://gitlab.com/ruby-oauth/oauth2/-/wiki
@@ -466,11 +495,11 @@ metadata:
   rubygems_mfa_required: 'true'
 post_install_message: |2
 
-  ---+++--- oauth2 v2.0.18 ---+++---
+  ---+++--- oauth2 v2.0.20 ---+++---
 
   (minor) ⚠️ BREAKING CHANGES ⚠️ when upgrading from < v2
   • Summary of breaking changes: https://gitlab.com/ruby-oauth/oauth2#what-is-new-for-v20
-  • Changes in this patch: https://gitlab.com/ruby-oauth/oauth2/-/blob/v2.0.18/CHANGELOG.md#2015-2025-09-08
+  • Changes in this patch: https://gitlab.com/ruby-oauth/oauth2/-/blob/v2.0.20/CHANGELOG.md#2015-2025-09-08
 
   News:
   1. New documentation website, including for OAuth 2.1 and OIDC: https://oauth2.galtzo.com
@@ -513,7 +542,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.2
+rubygems_version: 4.0.11
 specification_version: 4
 summary: "\U0001F510 OAuth 2.0, 2.1 & OIDC Core Ruby implementation"
 test_files: []