oauth2 2.0.3 → 2.0.9

data/README.md

@@ -1,9 +1,9 @@
 <p align="center">
     <a href="http://oauth.net/2/" target="_blank" rel="noopener">
-      <img src="https://github.com/oauth-xx/oauth2/raw/master/docs/images/logo/oauth2-logo-124px.png?raw=true" alt="OAuth 2.0 Logo by Chris Messina, CC BY-SA 3.0">
+      <img src="https://github.com/oauth-xx/oauth2/raw/main/docs/images/logo/oauth2-logo-124px.png?raw=true" alt="OAuth 2.0 Logo by Chris Messina, CC BY-SA 3.0">
     </a>
     <a href="https://www.ruby-lang.org/" target="_blank" rel="noopener">
-      <img width="124px" src="https://github.com/oauth-xx/oauth2/raw/master/docs/images/logo/ruby-logo-198px.svg?raw=true" alt="Yukihiro Matsumoto, Ruby Visual Identity Team, CC BY-SA 2.5">
+      <img width="124px" src="https://github.com/oauth-xx/oauth2/raw/main/docs/images/logo/ruby-logo-198px.svg?raw=true" alt="Yukihiro Matsumoto, Ruby Visual Identity Team, CC BY-SA 2.5">
     </a>
 </p>
 
@@ -21,7 +21,7 @@ See the sibling `oauth` gem for OAuth 1.0 implementations in Ruby.
 * [oauth sibling gem][sibling-gem] for OAuth 1.0 implementations in Ruby.
 
 [oauth2-spec]: https://oauth.net/2/
-[sibling-gem]: https://github.com/oauth-xx/oauth-ruby
+[sibling-gem]: https://gitlab.com/oauth-xx/oauth
 
 ## Release Documentation
 
@@ -32,10 +32,16 @@ See the sibling `oauth` gem for OAuth 1.0 implementations in Ruby.
 
 | Version | Release Date | Readme                                                   |
 |---------|--------------|----------------------------------------------------------|
-| 2.0.3   | 2022-06-28   | https://github.com/oauth-xx/oauth2/blob/v2.0.3/README.md |
-| 2.0.2   | 2022-06-24   | https://github.com/oauth-xx/oauth2/blob/v2.0.2/README.md |
-| 2.0.1   | 2022-06-22   | https://github.com/oauth-xx/oauth2/blob/v2.0.1/README.md |
-| 2.0.0   | 2022-06-21   | https://github.com/oauth-xx/oauth2/blob/v2.0.0/README.md |
+| 2.0.9   | 2022-09-16   | https://gitlab.com/oauth-xx/oauth2/-/blob/v2.0.9/README.md |
+| 2.0.8   | 2022-09-01   | https://gitlab.com/oauth-xx/oauth2/-/blob/v2.0.8/README.md |
+| 2.0.7   | 2022-08-22   | https://gitlab.com/oauth-xx/oauth2/-/blob/v2.0.7/README.md |
+| 2.0.6   | 2022-07-13   | https://gitlab.com/oauth-xx/oauth2/-/blob/v2.0.6/README.md |
+| 2.0.5   | 2022-07-07   | https://gitlab.com/oauth-xx/oauth2/-/blob/v2.0.5/README.md |
+| 2.0.4   | 2022-07-01   | https://gitlab.com/oauth-xx/oauth2/-/blob/v2.0.4/README.md |
+| 2.0.3   | 2022-06-28   | https://gitlab.com/oauth-xx/oauth2/-/blob/v2.0.3/README.md |
+| 2.0.2   | 2022-06-24   | https://gitlab.com/oauth-xx/oauth2/-/blob/v2.0.2/README.md |
+| 2.0.1   | 2022-06-22   | https://gitlab.com/oauth-xx/oauth2/-/blob/v2.0.1/README.md |
+| 2.0.0   | 2022-06-21   | https://gitlab.com/oauth-xx/oauth2/-/blob/v2.0.0/README.md |
 </details>
 
 ### Older Releases
@@ -43,18 +49,20 @@ See the sibling `oauth` gem for OAuth 1.0 implementations in Ruby.
 <details>
   <summary>1.4.x Readmes</summary>
 
-| Version | Release Date | Readme                                                   |
-|---------|--------------|----------------------------------------------------------|
-| 1.4.9   | Feb 20, 2022 | https://github.com/oauth-xx/oauth2/blob/v1.4.9/README.md |
-| 1.4.8   | Feb 18, 2022 | https://github.com/oauth-xx/oauth2/blob/v1.4.8/README.md |
-| 1.4.7   | Mar 19, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.7/README.md |
-| 1.4.6   | Mar 19, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.6/README.md |
-| 1.4.5   | Mar 18, 2021 | https://github.com/oauth-xx/oauth2/blob/v1.4.5/README.md |
-| 1.4.4   | Feb 12, 2020 | https://github.com/oauth-xx/oauth2/blob/v1.4.4/README.md |
-| 1.4.3   | Jan 29, 2020 | https://github.com/oauth-xx/oauth2/blob/v1.4.3/README.md |
-| 1.4.2   | Oct 1, 2019  | https://github.com/oauth-xx/oauth2/blob/v1.4.2/README.md |
-| 1.4.1   | Oct 13, 2018 | https://github.com/oauth-xx/oauth2/blob/v1.4.1/README.md |
-| 1.4.0   | Jun 9, 2017  | https://github.com/oauth-xx/oauth2/blob/v1.4.0/README.md |
+| Version | Release Date | Readme                                                      |
+|---------|--------------|-------------------------------------------------------------|
+| 1.4.11  | Sep 16, 2022 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.11/README.md |
+| 1.4.10  | Jul 1, 2022  | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.10/README.md |
+| 1.4.9   | Feb 20, 2022 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.9/README.md  |
+| 1.4.8   | Feb 18, 2022 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.8/README.md  |
+| 1.4.7   | Mar 19, 2021 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.7/README.md  |
+| 1.4.6   | Mar 19, 2021 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.6/README.md  |
+| 1.4.5   | Mar 18, 2021 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.5/README.md  |
+| 1.4.4   | Feb 12, 2020 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.4/README.md  |
+| 1.4.3   | Jan 29, 2020 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.3/README.md  |
+| 1.4.2   | Oct 1, 2019  | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.2/README.md  |
+| 1.4.1   | Oct 13, 2018 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.1/README.md  |
+| 1.4.0   | Jun 9, 2017  | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.4.0/README.md  |
 </details>
 
 <details>
@@ -62,8 +70,8 @@ See the sibling `oauth` gem for OAuth 1.0 implementations in Ruby.
 
 | Version  | Release Date | Readme                                                   |
 |----------|--------------|----------------------------------------------------------|
-| 1.3.1    | Mar 3, 2017  | https://github.com/oauth-xx/oauth2/blob/v1.3.1/README.md |
-| 1.3.0    | Dec 27, 2016 | https://github.com/oauth-xx/oauth2/blob/v1.3.0/README.md |
+| 1.3.1    | Mar 3, 2017  | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.3.1/README.md |
+| 1.3.0    | Dec 27, 2016 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.3.0/README.md |
 </details>
 
 <details>
@@ -71,10 +79,10 @@ See the sibling `oauth` gem for OAuth 1.0 implementations in Ruby.
 
 | Version  | Release Date | Readme                                                   |
 |----------|--------------|----------------------------------------------------------|
-| 1.2.0    | Jun 30, 2016 | https://github.com/oauth-xx/oauth2/blob/v1.2.0/README.md |
-| 1.1.0    | Jan 30, 2016 | https://github.com/oauth-xx/oauth2/blob/v1.1.0/README.md |
-| 1.0.0    | May 23, 2014 | https://github.com/oauth-xx/oauth2/blob/v1.0.0/README.md |
-| < 1.0.0  | Find here    | https://github.com/oauth-xx/oauth2/tags                  |
+| 1.2.0    | Jun 30, 2016 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.2.0/README.md |
+| 1.1.0    | Jan 30, 2016 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.1.0/README.md |
+| 1.0.0    | May 23, 2014 | https://gitlab.com/oauth-xx/oauth2/-/blob/v1.0.0/README.md |
+| < 1.0.0  | Find here    | https://gitlab.com/oauth-xx/oauth2/-/tags                  |
 </details>
 
 ## Status
@@ -106,15 +114,15 @@ appended indicators:
 ♻️ - URL needs to be updated from SASS integration. Find / Replace is insufficient.
 -->
 
-|     | Project               | bundle add oauth2                                                                                                                                                                                                                                                                            |
-|:----|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 1️⃣ | name, license, docs   | [![RubyGems.org][⛳️name-img]][⛳️gem] [![License: MIT][🖇src-license-img]][🖇src-license] [![FOSSA][🏘fossa-img]][🏘fossa] [![RubyDoc.info][🚎yard-img]][🚎yard] [![InchCI][🖐inch-ci-img]][🚎yard]                                                                                           |
-| 2️⃣ | version & activity    | [![Gem Version][⛳️version-img]][⛳️gem] [![Total Downloads][🖇DL-total-img]][⛳️gem] [![Download Rank][🏘DL-rank-img]][⛳️gem] [![Source Code][🚎src-home-img]][🚎src-home] [![Open PRs][🖐prs-o-img]][🖐prs-o] [![Closed PRs][🧮prs-c-img]][🧮prs-c] [![Next Version][📗next-img♻️]][📗next♻️] |
-| 3️⃣ | maintanence & linting | [![Maintainability][⛳cclim-maint-img♻️]][⛳cclim-maint] [![Helpers][🖇triage-help-img]][🖇triage-help] [![Depfu][🏘depfu-img♻️]][🏘depfu♻️] [![Contributors][🚎contributors-img]][🚎contributors] [![Style][🖐style-wf-img]][🖐style-wf] [![Kloc Roll][🧮kloc-img]][🧮kloc]                   |
-| 4️⃣ | testing               | [![Open Issues][⛳iss-o-img]][⛳iss-o] [![Closed Issues][🖇iss-c-img]][🖇iss-c] [![Supported][🏘sup-wf-img]][🏘sup-wf] [![Heads][🚎heads-wf-img]][🚎heads-wf] [![Unofficial Support][🖐uns-wf-img]][🖐uns-wf] [![MacOS][🧮mac-wf-img]][🧮mac-wf] [![Windows][📗win-wf-img]][📗win-wf]          |
-| 5️⃣ | coverage & security   | [![CodeClimate][⛳cclim-cov-img♻️]][⛳cclim-cov] [![CodeCov][🖇codecov-img♻️]][🖇codecov] [![Coveralls][🏘coveralls-img]][🏘coveralls] [![Security Policy][🚎sec-pol-img]][🚎sec-pol] [![CodeQL][🖐codeQL-img]][🖐codeQL] [![Code Coverage][🧮cov-wf-img]][🧮cov-wf]                           |
-| 6️⃣ | resources             | [![Discussion][⛳gh-discussions-img]][⛳gh-discussions] [![Get help on Codementor][🖇codementor-img]][🖇codementor] [![Chat][🏘chat-img]][🏘chat] [![Blog][🚎blog-img]][🚎blog] [![Blog][🖐wiki-img]][🖐wiki]                                                                                  |
-| 7️⃣ | spread 💖             | [![Liberapay Patrons][⛳liberapay-img]][⛳liberapay] [![Sponsor Me][🖇sponsor-img]][🖇sponsor] [![Tweet @ Peter][🏘tweet-img]][🏘tweet] [🌏][aboutme] [👼][angelme] [💻][coderme]                                                                                                              |
+|     | Project               | bundle add oauth2                                                                                                                                                                                                                                                          |
+|:----|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 1️⃣ | name, license, docs   | [![RubyGems.org][⛳️name-img]][⛳️gem] [![License: MIT][🖇src-license-img]][🖇src-license] [![FOSSA][🏘fossa-img]][🏘fossa] [![RubyDoc.info][🚎yard-img]][🚎yard] [![InchCI][🖐inch-ci-img]][🚎yard]                                                                         |
+| 2️⃣ | version & activity    | [![Gem Version][⛳️version-img]][⛳️gem] [![Total Downloads][🖇DL-total-img]][⛳️gem] [![Download Rank][🏘DL-rank-img]][⛳️gem] [![Source Code][🚎src-home-img]][🚎src-home]                                                                                                   |
+| 3️⃣ | maintanence & linting | [![Maintainability][⛳cclim-maint-img♻️]][⛳cclim-maint] [![Helpers][🖇triage-help-img]][🖇triage-help] [![Depfu][🏘depfu-img♻️]][🏘depfu♻️] [![Contributors][🚎contributors-img]][🚎contributors] [![Style][🖐style-wf-img]][🖐style-wf] [![Kloc Roll][🧮kloc-img]][🧮kloc] |
+| 4️⃣ | testing               | [![Supported][🏘sup-wf-img]][🏘sup-wf] [![Heads][🚎heads-wf-img]][🚎heads-wf] [![Unofficial Support][🖐uns-wf-img]][🖐uns-wf] [![MacOS][🧮mac-wf-img]][🧮mac-wf] [![Windows][📗win-wf-img]][📗win-wf]                                                                      |
+| 5️⃣ | coverage & security   | [![CodeClimate][⛳cclim-cov-img♻️]][⛳cclim-cov] [![CodeCov][🖇codecov-img♻️]][🖇codecov] [![Coveralls][🏘coveralls-img]][🏘coveralls] [![Security Policy][🚎sec-pol-img]][🚎sec-pol] [![CodeQL][🖐codeQL-img]][🖐codeQL] [![Code Coverage][🧮cov-wf-img]][🧮cov-wf]         |
+| 6️⃣ | resources             | [![Discussion][⛳gg-discussions-img]][⛳gg-discussions] [![Get help on Codementor][🖇codementor-img]][🖇codementor] [![Chat][🏘chat-img]][🏘chat] [![Blog][🚎blog-img]][🚎blog] [![Blog][🖐wiki-img]][🖐wiki]                                                                |
+| 7️⃣ | spread 💖             | [![Liberapay Patrons][⛳liberapay-img]][⛳liberapay] [![Sponsor Me][🖇sponsor-img]][🖇sponsor] [![Tweet @ Peter][🏘tweet-img]][🏘tweet] [🌏][aboutme] [👼][angelme] [💻][coderme]                                                                                            |
 
 <!--
 The link tokens in the following sections should be kept ordered by the row and badge numbering scheme
@@ -135,23 +143,17 @@ The link tokens in the following sections should be kept ordered by the row and
 [⛳️version-img]: http://img.shields.io/gem/v/oauth2.svg
 [🖇DL-total-img]: https://img.shields.io/gem/dt/oauth2.svg
 [🏘DL-rank-img]: https://img.shields.io/gem/rt/oauth2.svg
-[🚎src-home]: https://github.com/oauth-xx/oauth2
-[🚎src-home-img]: https://img.shields.io/badge/source-github-brightgreen.svg?style=flat
-[🖐prs-o]: https://github.com/oauth-xx/oauth2/pulls
-[🖐prs-o-img]: https://img.shields.io/github/issues-pr/oauth-xx/oauth2
-[🧮prs-c]: https://github.com/oauth-xx/oauth2/pulls?q=is%3Apr+is%3Aclosed
-[🧮prs-c-img]: https://img.shields.io/github/issues-pr-closed/oauth-xx/oauth2
-[📗next♻️]: https://github.com/oauth-xx/oauth2/milestone/15
-[📗next-img♻️]: https://img.shields.io/github/milestones/progress/oauth-xx/oauth2/15?label=Next%20Version
-
-<!-- 3️⃣ maintanence & linting -->
+[🚎src-home]: https://gitlab.com/oauth-xx/oauth2/
+[🚎src-home-img]: https://img.shields.io/badge/source-gitlab-blue.svg?style=flat
+
+<!-- 3️⃣ maintenance & linting -->
 [⛳cclim-maint]: https://codeclimate.com/github/oauth-xx/oauth2/maintainability
 [⛳cclim-maint-img♻️]: https://api.codeclimate.com/v1/badges/688c612528ff90a46955/maintainability
 [🖇triage-help]: https://www.codetriage.com/oauth-xx/oauth2
 [🖇triage-help-img]: https://www.codetriage.com/oauth-xx/oauth2/badges/users.svg
 [🏘depfu♻️]: https://depfu.com/github/oauth-xx/oauth2?project_id=4445
 [🏘depfu-img♻️]: https://badges.depfu.com/badges/6d34dc1ba682bbdf9ae2a97848241743/count.svg
-[🚎contributors]: https://github.com/oauth-xx/oauth2/graphs/contributors
+[🚎contributors]: https://gitlab.com/oauth-xx/oauth2/-/graphs/main
 [🚎contributors-img]: https://img.shields.io/github/contributors-anon/oauth-xx/oauth2
 [🖐style-wf]: https://github.com/oauth-xx/oauth2/actions/workflows/style.yml
 [🖐style-wf-img]: https://github.com/oauth-xx/oauth2/actions/workflows/style.yml/badge.svg
@@ -159,10 +161,6 @@ The link tokens in the following sections should be kept ordered by the row and
 [🧮kloc-img]: https://img.shields.io/tokei/lines/github.com/oauth-xx/oauth2
 
 <!-- 4️⃣ testing -->
-[⛳iss-o]: https://github.com/oauth-xx/oauth2/issues
-[⛳iss-o-img]: https://img.shields.io/github/issues-raw/oauth-xx/oauth2
-[🖇iss-c]: https://github.com/oauth-xx/oauth2/issues?q=is%3Aissue+is%3Aclosed
-[🖇iss-c-img]: https://img.shields.io/github/issues-closed-raw/oauth-xx/oauth2
 [🏘sup-wf]: https://github.com/oauth-xx/oauth2/actions/workflows/supported.yml
 [🏘sup-wf-img]: https://github.com/oauth-xx/oauth2/actions/workflows/supported.yml/badge.svg
 [🚎heads-wf]: https://github.com/oauth-xx/oauth2/actions/workflows/heads.yml
@@ -177,11 +175,11 @@ The link tokens in the following sections should be kept ordered by the row and
 <!-- 5️⃣ coverage & security -->
 [⛳cclim-cov]: https://codeclimate.com/github/oauth-xx/oauth2/test_coverage
 [⛳cclim-cov-img♻️]: https://api.codeclimate.com/v1/badges/688c612528ff90a46955/test_coverage
-[🖇codecov-img♻️]: https://codecov.io/gh/oauth-xx/oauth2/branch/master/graph/badge.svg?token=bNqSzNiuo2
+[🖇codecov-img♻️]: https://codecov.io/gh/oauth-xx/oauth2/branch/main/graph/badge.svg?token=bNqSzNiuo2
 [🖇codecov]: https://codecov.io/gh/oauth-xx/oauth2
-[🏘coveralls]: https://coveralls.io/github/oauth-xx/oauth2?branch=master
-[🏘coveralls-img]: https://coveralls.io/repos/github/oauth-xx/oauth2/badge.svg?branch=master
-[🚎sec-pol]: https://github.com/oauth-xx/oauth2/blob/master/SECURITY.md
+[🏘coveralls]: https://coveralls.io/github/oauth-xx/oauth2?branch=main
+[🏘coveralls-img]: https://coveralls.io/repos/github/oauth-xx/oauth2/badge.svg?branch=main
+[🚎sec-pol]: https://gitlab.com/oauth-xx/oauth2/-/blob/main/SECURITY.md
 [🚎sec-pol-img]: https://img.shields.io/badge/security-policy-brightgreen.svg?style=flat
 [🖐codeQL]: https://github.com/oauth-xx/oauth2/security/code-scanning
 [🖐codeQL-img]: https://github.com/oauth-xx/oauth2/actions/workflows/codeql-analysis.yml/badge.svg
@@ -189,15 +187,15 @@ The link tokens in the following sections should be kept ordered by the row and
 [🧮cov-wf-img]: https://github.com/oauth-xx/oauth2/actions/workflows/coverage.yml/badge.svg
 
 <!-- 6️⃣ resources -->
-[⛳gh-discussions]: https://github.com/oauth-xx/oauth2/discussions
-[⛳gh-discussions-img]: https://img.shields.io/github/discussions/oauth-xx/oauth2
+[⛳gg-discussions]: https://groups.google.com/g/oauth-ruby
+[⛳gg-discussions-img]: https://img.shields.io/badge/google-group-purple.svg?style=flat
 [🖇codementor]: https://www.codementor.io/peterboling?utm_source=github&utm_medium=button&utm_term=peterboling&utm_campaign=github
 [🖇codementor-img]: https://cdn.codementor.io/badges/get_help_github.svg
 [🏘chat]: https://gitter.im/oauth-xx/oauth2
 [🏘chat-img]: https://img.shields.io/gitter/room/oauth-xx/oauth2.svg
 [🚎blog]: http://www.railsbling.com/tags/oauth2/
 [🚎blog-img]: https://img.shields.io/badge/blog-railsbling-brightgreen.svg?style=flat
-[🖐wiki]: https://github.com/oauth-xx/oauth2/wiki
+[🖐wiki]: https://gitlab.com/oauth-xx/oauth2/-/wikis/home
 [🖐wiki-img]: https://img.shields.io/badge/wiki-examples-brightgreen.svg?style=flat
 
 <!-- 7️⃣ spread 💖 -->
@@ -229,7 +227,9 @@ If bundler is not being used to manage dependencies, install the gem by executin
 
 Available as part of the Tidelift Subscription.
 
-The maintainers of OAuth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-oauth2?utm_source=rubygems-oauth2&utm_medium=referral&utm_campaign=enterprise)
+The maintainers of OAuth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.][tidelift-ref]
+
+[tidelift-ref]: https://tidelift.com/subscription/pkg/rubygems-oauth2?utm_source=rubygems-oauth2&utm_medium=referral&utm_campaign=enterprise
 
 ## Security contact information
 
@@ -253,7 +253,13 @@ For more see [SECURITY.md][🚎sec-pol].
     - `:access_token_class` (`AccessToken`); user specified class to use for all calls to `get_token`
 - Adds new option to `OAuth2::AccessToken#initialize`:
     - `:expires_latency` (`nil`); number of seconds by which AccessToken validity will be reduced to offset latency
-- [... A lot more](https://github.com/oauth-xx/oauth2/blob/master/CHANGELOG.md#2.0.0)
+- By default, keys are transformed to camel case.
+  - Original keys will still work as previously, in most scenarios, thanks to `rash_alt` gem.
+  - However, this is a _breaking_ change if you rely on `response.parsed.to_h`, as the keys in the result will be camel case.
+  - As of version 2.0.4 you can turn key transformation off with the `snaky: false` option.
+- By default, the `:auth_scheme` is now `:basic_auth` (instead of `:request_body`)
+  - Third-party strategies and gems may need to be updated if a provider was requiring client id/secret in the request body
+- [... A lot more](https://gitlab.com/oauth-xx/oauth2/-/blob/main/CHANGELOG.md#2.0.0)
 
 ## Compatibility
 
@@ -268,8 +274,7 @@ This gem is tested against MRI, JRuby, and Truffleruby.
 Each of those has varying versions that target a specific version of MRI Ruby.
 This gem should work in the just-listed Ruby engines according to the targeted MRI compatibility in the table below.
 If you would like to add support for additional engines,
-  first make sure Github Actions supports the engine,
-  then submit a PR to the correct maintenance branch as according to the table below.
+  see `gemfiles/README.md`, then submit a PR to the correct maintenance branch as according to the table below.
 </details>
 
 <details>
@@ -289,17 +294,30 @@ fashion. If critical issues for a particular implementation exist at the time
 of a major release, support for that Ruby version may be dropped.
 </details>
 
-|     | Ruby OAuth 2 Version | Maintenance Branch | Supported Officially    | Supported Unofficially | Supported Incidentally |
-|:----|----------------------|--------------------|-------------------------|------------------------|------------------------|
-| 1️⃣ | 2.0.x                | `master`           | 2.7, 3.0, 3.1           | 2.5, 2.6               | 2.2, 2.3, 2.4          |
-| 2️⃣ | 1.4.x                | `1-4-stable`       | 2.5, 2.6, 2.7, 3.0, 3.1 | 2.1, 2.2, 2.3, 2.4     | 1.9, 2.0               |
-| 3️⃣ | older                | N/A                | Best of luck to you!    | Please upgrade!        |                        |
+|     | Ruby OAuth2 Version | Maintenance Branch | Supported Officially    | Supported Unofficially | Supported Incidentally |
+|:----|---------------------|--------------------|-------------------------|------------------------|------------------------|
+| 1️⃣ | 2.0.x               | `main`             | 2.7, 3.0, 3.1           | 2.5, 2.6               | 2.2, 2.3, 2.4          |
+| 2️⃣ | 1.4.x               | `1-4-stable`       | 2.5, 2.6, 2.7, 3.0, 3.1 | 2.1, 2.2, 2.3, 2.4     | 1.9, 2.0               |
+| 3️⃣ | older               | N/A                | Best of luck to you!    | Please upgrade!        |                        |
 
-NOTE: The 1.4 series will only receive critical bug and security updates.
+NOTE: The 1.4 series will only receive critical security updates.
 See [SECURITY.md][🚎sec-pol]
 
 ## Usage Examples
 
+### Global Configuration
+
+If you started seeing this warning, but everything it working fine, you can now silence it.
+```log
+OAuth2::AccessToken.from_hash: `hash` contained more than one 'token' key
+```
+
+```ruby
+OAuth2.configure do |config|
+  config.silence_extra_tokens_warning = true # default: false
+end
+```
+
 ### `authorize_url` and `token_url` are on site root (Just Works!)
 
 ```ruby
@@ -397,7 +415,7 @@ The `AccessToken` methods `#get`, `#post`, `#put` and `#delete` and the generic
 will return an instance of the #OAuth2::Response class.
 
 This instance contains a `#parsed` method that will parse the response body and
-return a Hash-like [`OAuth2::SnakyHash`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/snaky_hash.rb) if the `Content-Type` is `application/x-www-form-urlencoded` or if
+return a Hash-like [`OAuth2::SnakyHash`](https://gitlab.com/oauth-xx/oauth2/-/blob/main/lib/oauth2/snaky_hash.rb) if the `Content-Type` is `application/x-www-form-urlencoded` or if
 the body is a JSON object.  It will return an Array if the body is a JSON
 array.  Otherwise, it will return the original body string.
 
@@ -427,7 +445,11 @@ Response instance will contain the `OAuth2::Error` instance.
 
 Currently the Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials, and Assertion
 authentication grant types have helper strategy classes that simplify client
-use. They are available via the [`#auth_code`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/strategy/auth_code.rb), [`#implicit`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/strategy/implicit.rb), [`#password`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/strategy/password.rb), [`#client_credentials`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/strategy/client_credentials.rb), and [`#assertion`](https://github.com/oauth-xx/oauth2/blob/master/lib/oauth2/strategy/assertion.rb) methods respectively.
+use. They are available via the [`#auth_code`](https://gitlab.com/oauth-xx/oauth2/-/blob/main/lib/oauth2/strategy/auth_code.rb),
+[`#implicit`](https://gitlab.com/oauth-xx/oauth2/-/blob/main/lib/oauth2/strategy/implicit.rb),
+[`#password`](https://gitlab.com/oauth-xx/oauth2/-/blob/main/lib/oauth2/strategy/password.rb),
+[`#client_credentials`](https://gitlab.com/oauth-xx/oauth2/-/blob/main/lib/oauth2/strategy/client_credentials.rb), and
+[`#assertion`](https://gitlab.com/oauth-xx/oauth2/-/blob/main/lib/oauth2/strategy/assertion.rb) methods respectively.
 
 These aren't full examples, but demonstrative of the differences between usage for each strategy.
 ```ruby
@@ -499,8 +521,8 @@ spec.add_dependency 'oauth2', '~> 2.0'
 
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Foauth-xx%2Foauth2.svg?type=large)][fossa2]
 
-[license]: https://github.com/oauth-xx/oauth2/blob/master/LICENSE
-[oauth-xx]: https://github.com/oauth-xx
+[license]: https://gitlab.com/oauth-xx/oauth2/-/blob/main/LICENSE
+[oauth-xx]: https://gitlab.com/oauth-xx
 [fossa2]: https://app.fossa.io/projects/git%2Bgithub.com%2Foauth-xx%2Foauth2?ref=badge_large
 
 ## Development
@@ -513,14 +535,14 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 See [CONTRIBUTING.md][contributing]
 
-[contributing]: https://github.com/oauth-xx/oauth2/blob/main/CONTRIBUTING.md
+[contributing]: https://gitlab.com/oauth-xx/oauth2/-/blob/main/CONTRIBUTING.md
 
 ## Contributors
 
-[![Contributors](https://contrib.rocks/image?repo=oauth-xx/oauth2)]("https://github.com/oauth-xx/oauth2/graphs/contributors")
+[![Contributors](https://contrib.rocks/image?repo=oauth-xx/oauth2)]("https://gitlab.com/oauth-xx/oauth2/-/graphs/main")
 
 Made with [contributors-img](https://contrib.rocks).
 
 ## Code of Conduct
 
-Everyone interacting in the OAuth2 project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/oauth-xx/oauth2/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the OAuth2 project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://gitlab.com/oauth-xx/oauth2/-/blob/main/CODE_OF_CONDUCT.md).

data/SECURITY.md

@@ -2,11 +2,15 @@
 
 ## Supported Versions
 
-| Version  | Supported                 |
-|----------|---------------------------|
-| 2.latest | ✅                         |
-| 1.latest | ✅ (security updates only) |
-| older    | ⛔️                        |
+| Version  | Supported | EOL     | Post-EOL / Enterprise                 |
+|----------|-----------|---------|---------------------------------------|
+| 2.latest | ✅         | 04/2024 | [Tidelift Subscription][tidelift-ref] |
+| 1.latest | ✅         | 04/2023 | [Tidelift Subscription][tidelift-ref] |
+| <= 1     | ⛔         | ⛔       | ⛔                                     |
+
+### EOL Policy
+
+Non-commercial support for the oldest version of Ruby (which itself is going EOL) will be dropped each year in April.
 
 ## Reporting a Vulnerability
 
@@ -17,4 +21,6 @@ Tidelift will coordinate the fix and disclosure.
 
 Available as part of the Tidelift Subscription.
 
-The maintainers of oauth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.](https://tidelift.com/subscription/pkg/rubygems-oauth2?utm_source=rubygems-oauth2&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
+The maintainers of oauth2 and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. [Learn more.][tidelift-ref]
+
+[tidelift-ref]: https://tidelift.com/subscription/pkg/rubygems-oauth2?utm_source=rubygems-oauth2&utm_medium=referral&utm_campaign=enterprise&utm_term=repo

data/lib/oauth2/access_token.rb

@@ -2,18 +2,27 @@
 
 module OAuth2
   class AccessToken # rubocop:disable Metrics/ClassLength
+    TOKEN_KEYS_STR = %w[access_token id_token token accessToken idToken].freeze
+    TOKEN_KEYS_SYM = %i[access_token id_token token accessToken idToken].freeze
+    TOKEN_KEY_LOOKUP = TOKEN_KEYS_STR + TOKEN_KEYS_SYM
+
     attr_reader :client, :token, :expires_in, :expires_at, :expires_latency, :params
     attr_accessor :options, :refresh_token, :response
 
     class << self
       # Initializes an AccessToken from a Hash
       #
-      # @param client [Client] the OAuth2::Client instance
-      # @param hash [Hash] a hash of AccessToken property values
+      # @param [Client] client the OAuth2::Client instance
+      # @param [Hash] hash a hash of AccessToken property values
+      # @option hash [String, Symbol] 'access_token', 'id_token', 'token', :access_token, :id_token, or :token the access token
       # @return [AccessToken] the initialized AccessToken
       def from_hash(client, hash)
-        hash = hash.dup
-        new(client, hash.delete('access_token') || hash.delete(:access_token) || hash.delete('token') || hash.delete(:token), hash)
+        fresh = hash.dup
+        supported_keys = TOKEN_KEY_LOOKUP & fresh.keys
+        key = supported_keys[0]
+        extra_tokens_warning(supported_keys, key)
+        token = fresh.delete(key)
+        new(client, token, fresh)
       end
 
       # Initializes an AccessToken from a key/value application/x-www-form-urlencoded string
@@ -25,15 +34,21 @@ module OAuth2
         from_hash(client, Rack::Utils.parse_query(kvform))
       end
 
-      def contains_token?(hash)
-        hash.key?('access_token') || hash.key?('id_token') || hash.key?('token')
+    private
+
+      # Having too many is sus, and may lead to bugs. Having none is fine (e.g. refresh flow doesn't need a token).
+      def extra_tokens_warning(supported_keys, key)
+        return if OAuth2.config.silence_extra_tokens_warning
+        return if supported_keys.length <= 1
+
+        warn("OAuth2::AccessToken.from_hash: `hash` contained more than one 'token' key (#{supported_keys}); using #{key.inspect}.")
       end
     end
 
     # Initialize an AccessToken
     #
     # @param [Client] client the OAuth2::Client instance
-    # @param [String] token the Access Token value
+    # @param [String] token the Access Token value (optional, may not be used in refresh flows)
     # @param [Hash] opts the options to create the Access Token with
     # @option opts [String] :refresh_token (nil) the refresh_token value
     # @option opts [FixNum, String] :expires_in (nil) the number of seconds in which the AccessToken will expire
@@ -47,10 +62,21 @@ module OAuth2
     def initialize(client, token, opts = {})
       @client = client
       @token = token.to_s
+
       opts = opts.dup
       %i[refresh_token expires_in expires_at expires_latency].each do |arg|
         instance_variable_set("@#{arg}", opts.delete(arg) || opts.delete(arg.to_s))
       end
+      no_tokens = (@token.nil? || @token.empty?) && (@refresh_token.nil? || @refresh_token.empty?)
+      if no_tokens
+        if @client.options[:raise_errors]
+          error = Error.new(opts)
+          raise(error)
+        else
+          warn('OAuth2::AccessToken has no token')
+        end
+      end
+      # @option opts [Fixnum, String] :expires is deprecated
       @expires_in ||= opts.delete('expires')
       @expires_in &&= @expires_in.to_i
       @expires_at &&= convert_expires_at(@expires_at)
@@ -95,7 +121,11 @@ module OAuth2
       params[:refresh_token] = refresh_token
       new_token = @client.get_token(params, access_token_opts)
       new_token.options = options
-      new_token.refresh_token = refresh_token unless new_token.refresh_token
+      if new_token.refresh_token
+        # Keep it, if there is one
+      else
+        new_token.refresh_token = refresh_token
+      end
       new_token
     end
     # A compatibility alias

data/lib/oauth2/client.rb

@@ -9,7 +9,7 @@ module OAuth2
 
   # The OAuth2::Client class
   class Client # rubocop:disable Metrics/ClassLength
-    RESERVED_PARAM_KEYS = %w[headers parse].freeze
+    RESERVED_PARAM_KEYS = %w[body headers params parse snaky].freeze
 
     attr_reader :id, :secret, :site
     attr_accessor :options
@@ -108,7 +108,7 @@ module OAuth2
     # @option opts [Boolean] :raise_errors whether or not to raise an OAuth2::Error on 400+ status
     #   code response for this request.  Will default to client option
     # @option opts [Symbol] :parse @see Response::initialize
-    # @option opts [Symbol] :snaky @see Response::initialize
+    # @option opts [true, false] :snaky (true) @see Response::initialize
     # @yield [req] @see Faraday::Connection#run_request
     def request(verb, url, opts = {}, &block)
       response = execute_request(verb, url, opts, &block)
@@ -149,7 +149,7 @@ module OAuth2
     #
     # @param params [Hash] a Hash of params for the token endpoint, except:
     #   @option params [Symbol] :parse @see Response#initialize
-    #   @option params [true, false] :snaky @see Response#initialize
+    #   @option params [true, false] :snaky (true) @see Response#initialize
     # @param access_token_opts [Hash] access token options, to pass to the AccessToken object
     # @param extract_access_token [Proc] proc that extracts the access token from the response (DEPRECATED)
     # @yield [req] @see Faraday::Connection#run_request
@@ -157,44 +157,50 @@ module OAuth2
     def get_token(params, access_token_opts = {}, extract_access_token = nil, &block)
       warn('OAuth2::Client#get_token argument `extract_access_token` will be removed in oauth2 v3. Refactor to use `access_token_class` on #initialize.') if extract_access_token
       extract_access_token ||= options[:extract_access_token]
-      params = params.map do |key, value|
-        if RESERVED_PARAM_KEYS.include?(key)
-          [key.to_sym, value]
-        else
-          [key, value]
-        end
-      end.to_h
+      parse, snaky, params, headers = parse_snaky_params_headers(params)
 
       request_opts = {
         raise_errors: options[:raise_errors],
-        parse: params.delete(:parse),
-        snaky: params.delete(:snaky),
+        parse: parse,
+        snaky: snaky,
       }
-
-      params = authenticator.apply(params)
-      headers = params.delete(:headers) || {}
       if options[:token_method] == :post
-        request_opts[:body] = params
+
+        # NOTE: If proliferation of request types continues we should implement a parser solution for Request,
+        #       just like we have with Response.
+        request_opts[:body] = if headers['Content-Type'] == 'application/json'
+                                params.to_json
+                              else
+                                params
+                              end
+
         request_opts[:headers] = {'Content-Type' => 'application/x-www-form-urlencoded'}
       else
         request_opts[:params] = params
         request_opts[:headers] = {}
       end
       request_opts[:headers].merge!(headers)
-      http_method = options[:token_method]
-      http_method = :post if http_method == :post_with_query_string
       response = request(http_method, token_url, request_opts, &block)
 
       # In v1.4.x, the deprecated extract_access_token option retrieves the token from the response.
       # We preserve this behavior here, but a custom access_token_class that implements #from_hash
       # should be used instead.
       if extract_access_token
-        parse_response_with_legacy_extract(response, access_token_opts, extract_access_token)
+        parse_response_legacy(response, access_token_opts, extract_access_token)
       else
         parse_response(response, access_token_opts)
       end
     end
 
+    # The HTTP Method of the request
+    # @return [Symbol] HTTP verb, one of :get, :post, :put, :delete
+    def http_method
+      http_meth = options[:token_method].to_sym
+      return :post if http_meth == :post_with_query_string
+
+      http_meth
+    end
+
     # The Authorization Code strategy
     #
     # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.1
@@ -253,6 +259,22 @@ module OAuth2
 
   private
 
+    def parse_snaky_params_headers(params)
+      params = params.map do |key, value|
+        if RESERVED_PARAM_KEYS.include?(key)
+          [key.to_sym, value]
+        else
+          [key, value]
+        end
+      end.to_h
+      parse = params.key?(:parse) ? params.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
+      snaky = params.key?(:snaky) ? params.delete(:snaky) : Response::DEFAULT_OPTIONS[:snaky]
+      params = authenticator.apply(params)
+      # authenticator may add :headers, and we remove them here
+      headers = params.delete(:headers) || {}
+      [parse, snaky, params, headers]
+    end
+
     def execute_request(verb, url, opts = {})
       url = connection.build_url(url).to_s
 
@@ -267,7 +289,10 @@ module OAuth2
         raise TimeoutError, e
       end
 
-      Response.new(response, parse: opts[:parse], snaky: opts[:snaky])
+      parse = opts.key?(:parse) ? opts.delete(:parse) : Response::DEFAULT_OPTIONS[:parse]
+      snaky = opts.key?(:snaky) ? opts.delete(:snaky) : Response::DEFAULT_OPTIONS[:snaky]
+
+      Response.new(response, parse: parse, snaky: snaky)
     end
 
     # Returns the authenticator object
@@ -277,8 +302,8 @@ module OAuth2
       Authenticator.new(id, secret, options[:auth_scheme])
     end
 
-    def parse_response_with_legacy_extract(response, access_token_opts, extract_access_token)
-      access_token = build_access_token_legacy_extract(response, access_token_opts, extract_access_token)
+    def parse_response_legacy(response, access_token_opts, extract_access_token)
+      access_token = build_access_token_legacy(response, access_token_opts, extract_access_token)
 
       return access_token if access_token
 
@@ -294,7 +319,7 @@ module OAuth2
       access_token_class = options[:access_token_class]
       data = response.parsed
 
-      unless data.is_a?(Hash) && access_token_class.contains_token?(data)
+      unless data.is_a?(Hash) && !data.empty?
         return unless options[:raise_errors]
 
         error = Error.new(response)
@@ -316,7 +341,7 @@ module OAuth2
     # Builds the access token from the response of the HTTP call with legacy extract_access_token
     #
     # @return [AccessToken] the initialized AccessToken
-    def build_access_token_legacy_extract(response, access_token_opts, extract_access_token)
+    def build_access_token_legacy(response, access_token_opts, extract_access_token)
       extract_access_token.call(self, response.parsed.merge(access_token_opts))
     rescue StandardError
       nil