signet 0.5.0 → 0.5.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: a90553898c900b623be7bcd66492052606823e88
+  data.tar.gz: 79d812b9a1bf1c00a548b48a5434dd8a3f40cb39
+SHA512:
+  metadata.gz: b41031268b8c1e10cea6cc132edcb85954c398927ecd7c364c401fab64930758c47a87d4ffb4b1c196f6c6e9dedd3a2cf893d939910440649f560c39555b0546
+  data.tar.gz: be0549ccf4f39e5d7d0a67b209884c798bfcec5bda4618a27e6e96579cec21ff54d76f08c64cf606925cf9c04015c72c678f3066b3cfa75daf60648ae8bb6c29

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+# 0.5.1
+
+* Allow Hash objects to be used to initialize authorization URI
+* Added PLAINTEXT and RSA-SHA1 signature methods to OAuth 1 support
+* Added client object serialization
+* The `approval_prompt` option no longer defaults to `:force`
+* The `approval_prompt` and `prompt` are now mutually exclusive.
+
+# 0.5.0
+
+* Switched to faraday 0.9.0
+* Added `expires_at` option
+
 # 0.4.5
 
 * Minor documentation fixes

data/Rakefile

@@ -26,7 +26,7 @@ PKG_FILES = FileList[
     "lib/**/*", "spec/**/*", "vendor/**/*",
     "tasks/**/*", "website/**/*",
     "[A-Z]*", "Rakefile"
-].exclude(/database\.yml/).exclude(/[_\.]git$/)
+].exclude(/database\.yml/).exclude(/[_\.]git$/).exclude(/Gemfile\.lock/)
 
 RCOV_ENABLED = !!(RUBY_PLATFORM != 'java' && RUBY_VERSION =~ /^1\.8/)
 if RCOV_ENABLED

data/lib/compat/base64.rb

@@ -0,0 +1,7 @@
+require 'base64'
+# Backport from ruby-1.9 to ruby-1.8
+unless Base64.respond_to?(:strict_encode64)
+  def Base64.strict_encode64(str)
+    Base64.encode64(str).gsub("\n", "")
+  end
+end

data/lib/signet/oauth_1.rb

@@ -69,27 +69,27 @@ module Signet #:nodoc:
     #
     # @return [String] The credential key value.
     def self.extract_credential_key_option(credential_type, options)
-      credential_key_symbol =
-        ("#{credential_type}_credential_key").to_sym
-      credential_symbol =
-        ("#{credential_type}_credential").to_sym
-      if options[credential_key_symbol]
-        credential_key = options[credential_key_symbol]
-      elsif options[credential_symbol]
+      # Normalize key to String to allow indifferent access.
+      options = options.inject({}) { |accu, (k, v)| accu[k.to_s] = v; accu }
+      credential_key = "#{credential_type}_credential_key"
+      credential = "#{credential_type}_credential"
+      if options[credential_key]
+        credential_key = options[credential_key]
+      elsif options[credential]
         require 'signet/oauth_1/credential'
-        if !options[credential_symbol].respond_to?(:key)
+        if !options[credential].respond_to?(:key)
           raise TypeError,
             "Expected Signet::OAuth1::Credential, " +
-            "got #{options[credential_symbol].class}."
+            "got #{options[credential].class}."
         end
-        credential_key = options[credential_symbol].key
-      elsif options[:client]
+        credential_key = options[credential].key
+      elsif options["client"]
         require 'signet/oauth_1/client'
-        if !options[:client].kind_of?(::Signet::OAuth1::Client)
+        if !options["client"].kind_of?(::Signet::OAuth1::Client)
           raise TypeError,
-            "Expected Signet::OAuth1::Client, got #{options[:client].class}."
+            "Expected Signet::OAuth1::Client, got #{options["client"].class}."
         end
-        credential_key = options[:client].send(credential_key_symbol)
+        credential_key = options["client"].send(credential_key)
       else
         credential_key = nil
       end
@@ -111,27 +111,27 @@ module Signet #:nodoc:
     #
     # @return [String] The credential secret value.
     def self.extract_credential_secret_option(credential_type, options)
-      credential_secret_symbol =
-        ("#{credential_type}_credential_secret").to_sym
-      credential_symbol =
-        ("#{credential_type}_credential").to_sym
-      if options[credential_secret_symbol]
-        credential_secret = options[credential_secret_symbol]
-      elsif options[credential_symbol]
+      # Normalize key to String to allow indifferent access.
+      options = options.inject({}) { |accu, (k, v)| accu[k.to_s] = v; accu }
+      credential_secret = "#{credential_type}_credential_secret"
+      credential = "#{credential_type}_credential"
+      if options[credential_secret]
+        credential_secret = options[credential_secret]
+      elsif options[credential]
         require 'signet/oauth_1/credential'
-        if !options[credential_symbol].respond_to?(:secret)
+        if !options[credential].respond_to?(:secret)
           raise TypeError,
             "Expected Signet::OAuth1::Credential, " +
-            "got #{options[credential_symbol].class}."
+            "got #{options[credential].class}."
         end
-        credential_secret = options[credential_symbol].secret
-      elsif options[:client]
+        credential_secret = options[credential].secret
+      elsif options["client"]
         require 'signet/oauth_1/client'
-        if !options[:client].kind_of?(::Signet::OAuth1::Client)
+        if !options["client"].kind_of?(::Signet::OAuth1::Client)
           raise TypeError,
-            "Expected Signet::OAuth1::Client, got #{options[:client].class}."
+            "Expected Signet::OAuth1::Client, got #{options["client"].class}."
         end
-        credential_secret = options[:client].send(credential_secret_symbol)
+        credential_secret = options["client"].send(credential_secret)
       else
         credential_secret = nil
       end
@@ -295,6 +295,16 @@ module Signet #:nodoc:
         return Signet::OAuth1::HMACSHA1.generate_signature(
           base_string, client_credential_secret, token_credential_secret
         )
+      when 'RSA-SHA1'
+        require 'signet/oauth_1/signature_methods/rsa_sha1'
+        return Signet::OAuth1::RSASHA1.generate_signature(
+          base_string, client_credential_secret, token_credential_secret
+        )
+      when 'PLAINTEXT'
+        require 'signet/oauth_1/signature_methods/plaintext'
+        return Signet::OAuth1::PLAINTEXT.generate_signature(
+          base_string, client_credential_secret, token_credential_secret
+        )
       else
         raise NotImplementedError,
           "Unsupported signature method: #{signature_method}"

data/lib/signet/oauth_1/client.rb

@@ -54,25 +54,62 @@ module Signet
       #     :client_credential_secret => 'anonymous'
       #   )
       def initialize(options={})
-        self.temporary_credential_uri = options[:temporary_credential_uri]
-        self.authorization_uri = options[:authorization_uri]
-        self.token_credential_uri = options[:token_credential_uri]
+        self.update!(options)
+      end
+
+      ##
+      # Updates an OAuth 1.0 client.
+      #
+      # @param [Hash] options
+      #   The configuration parameters for the client.
+      #   - <code>:temporary_credential_uri</code> -
+      #     The OAuth temporary credentials URI.
+      #   - <code>:authorization_uri</code> -
+      #     The OAuth authorization URI.
+      #   - <code>:token_credential_uri</code> -
+      #     The OAuth token credentials URI.
+      #   - <code>:client_credential_key</code> -
+      #     The OAuth client credential key.
+      #   - <code>:client_credential_secret</code> -
+      #     The OAuth client credential secret.
+      #   - <code>:callback</code> -  The OAuth callback.  Defaults to 'oob'.
+      #
+      # @example
+      #   client.update!(
+      #     :temporary_credential_uri =>
+      #       'https://www.google.com/accounts/OAuthGetRequestToken',
+      #     :authorization_uri =>
+      #       'https://www.google.com/accounts/OAuthAuthorizeToken',
+      #     :token_credential_uri =>
+      #       'https://www.google.com/accounts/OAuthGetAccessToken',
+      #     :client_credential_key => 'anonymous',
+      #     :client_credential_secret => 'anonymous'
+      #   )
+      #
+      # @see Signet::OAuth1::Client#initialize
+      def update!(options={})
+        # Normalize key to String to allow indifferent access.
+        options = options.inject({}) { |accu, (k, v)| accu[k.to_s] = v; accu }
+        self.temporary_credential_uri = options["temporary_credential_uri"]
+        self.authorization_uri = options["authorization_uri"]
+        self.token_credential_uri = options["token_credential_uri"]
         # Technically... this would allow you to pass in a :client key...
         # But that would be weird.  Don't do that.
         self.client_credential_key =
-          Signet::OAuth1.extract_credential_key_option(:client, options)
+          Signet::OAuth1.extract_credential_key_option("client", options)
         self.client_credential_secret =
-          Signet::OAuth1.extract_credential_secret_option(:client, options)
+          Signet::OAuth1.extract_credential_secret_option("client", options)
         self.temporary_credential_key =
-          Signet::OAuth1.extract_credential_key_option(:temporary, options)
+          Signet::OAuth1.extract_credential_key_option("temporary", options)
         self.temporary_credential_secret =
-          Signet::OAuth1.extract_credential_secret_option(:temporary, options)
+          Signet::OAuth1.extract_credential_secret_option("temporary", options)
         self.token_credential_key =
-          Signet::OAuth1.extract_credential_key_option(:token, options)
+          Signet::OAuth1.extract_credential_key_option("token", options)
         self.token_credential_secret =
-          Signet::OAuth1.extract_credential_secret_option(:token, options)
-        self.callback = options[:callback]
-        self.two_legged = options[:two_legged] || false
+          Signet::OAuth1.extract_credential_secret_option("token", options)
+        self.callback = options["callback"]
+        self.two_legged = options["two_legged"] || false
+        return self
       end
 
       ##
@@ -127,8 +164,10 @@ module Signet
       #   The authorization URI.
       def authorization_uri=(new_authorization_uri)
         if new_authorization_uri != nil
-          new_authorization_uri =
-            Addressable::URI.parse(new_authorization_uri)
+          new_authorization_uri = Addressable::URI.send(
+            new_authorization_uri.kind_of?(Hash) ? :new : :parse,
+            new_authorization_uri
+          )
           @authorization_uri = new_authorization_uri
         else
           @authorization_uri = nil
@@ -147,12 +186,14 @@ module Signet
       ##
       # Sets the token credential URI for this client.
       #
-      # @param [Addressable::URI, String, #to_str] new_token_credential_uri
+      # @param [Addressable::URI, Hash, String, #to_str] new_token_credential_uri
       #   The token credential URI.
       def token_credential_uri=(new_token_credential_uri)
         if new_token_credential_uri != nil
-          new_token_credential_uri =
-            Addressable::URI.parse(new_token_credential_uri)
+          new_token_credential_uri = Addressable::URI.send(
+            new_token_credential_uri.kind_of?(Hash) ? :new : :parse,
+            new_token_credential_uri
+          )
           @token_credential_uri = new_token_credential_uri
         else
           @token_credential_uri = nil
@@ -509,6 +550,28 @@ module Signet
         end
       end
 
+      ##
+      # Serialize the client object to JSON.
+      #
+      # @note A serialized client contains sensitive information. Persist or transmit with care.
+      #
+      # @return [String] A serialized JSON representation of the client.
+      def to_json
+        return MultiJson.dump({
+          'temporary_credential_uri' => self.temporary_credential_uri,
+          'authorization_uri' => self.authorization_uri,
+          'token_credential_uri' => self.token_credential_uri,
+          'callback' => self.callback,
+          'two_legged' => self.two_legged,
+          'client_credential_key' => self.client_credential_key,
+          'client_credential_secret' => self.client_credential_secret,
+          'temporary_credential_key' => self.temporary_credential_key,
+          'temporary_credential_secret' => self.temporary_credential_secret,
+          'token_credential_key' => self.token_credential_key,
+          'token_credential_secret' => self.token_credential_secret
+        })
+      end
+
       ##
       # Generates a request for temporary credentials.
       #
@@ -859,7 +922,7 @@ module Signet
           :realm => nil,
           :connection => Faraday.default_connection
         }.merge(options)
-        
+
         if options[:request].kind_of?(Faraday::Request)
           request = options[:request]
         else
@@ -902,16 +965,16 @@ module Signet
             req.body = body
           end
         end
-        
+
         parameters = ::Signet::OAuth1.unsigned_resource_parameters(
           :client_credential_key => self.client_credential_key,
           :token_credential_key => self.token_credential_key,
           :signature_method => options[:signature_method],
           :two_legged => self.two_legged
         )
-        
+
         env = request.to_env(options[:connection])
-        
+
         content_type = request['Content-Type'].to_s
         content_type = content_type.split(';', 2).first if content_type.index(';')
         if request.method == :post && content_type == 'application/x-www-form-urlencoded'
@@ -923,7 +986,7 @@ module Signet
           post_parameters = Addressable::URI.form_unencode(env[:body])
           parameters = parameters.concat(post_parameters)
         end
-        
+
         # No need to attach URI query parameters, the .sign_parameters
         # method takes care of that automatically.
         signature = ::Signet::OAuth1.sign_parameters(
@@ -933,7 +996,7 @@ module Signet
           self.client_credential_secret,
           self.token_credential_secret
         )
-        
+
         parameters << ['oauth_signature', signature]
         request['Authorization'] =  ::Signet::OAuth1.generate_authorization_header(
             parameters, options[:realm])

data/lib/signet/oauth_1/signature_methods/plaintext.rb

@@ -0,0 +1,21 @@
+require 'signet'
+
+module Signet #:nodoc:
+  module OAuth1
+    module PLAINTEXT
+      def self.generate_signature(
+          base_string, client_credential_secret, token_credential_secret)
+        # Both the client secret and token secret must be escaped
+        client_credential_secret =
+            Signet::OAuth1.encode(client_credential_secret)
+        token_credential_secret =
+            Signet::OAuth1.encode(token_credential_secret)
+        # The key for the signature is just the client secret and token
+        # secret joined by the '&' character.  If the token secret is omitted,
+        # the '&' must still be present.
+        key = [client_credential_secret, token_credential_secret].join("&")
+        return Signet::OAuth1.encode(key).strip
+      end
+    end
+  end
+end

data/lib/signet/oauth_1/signature_methods/rsa_sha1.rb

@@ -0,0 +1,21 @@
+require 'digest/sha1'
+require 'base64'
+require 'openssl'
+require 'signet'
+require 'compat/base64'
+
+module Signet #:nodoc:
+  module OAuth1
+    module RSASHA1
+      def self.generate_signature(
+          base_string, client_credential_secret, token_credential_secret)
+
+        private_key = OpenSSL::PKey::RSA.new(client_credential_secret)
+        signature = private_key.sign(OpenSSL::Digest::SHA1.new, base_string)
+        #using strict_encode64 because the encode64 method adds newline characters after ever 60 chars
+        return Base64.strict_encode64(signature).strip
+      end
+
+    end
+  end
+end

data/lib/signet/oauth_2/client.rb

@@ -140,7 +140,7 @@ module Signet
       #   - <code>:id_token</code> -
       #     The current ID token for this client.
       #   - <code>:extension_parameters</code> -
-      #     When using an extension grant type, this the set of parameters used
+      #     When using an extension grant type, this is the set of parameters used
       #     by that extension.
       #
       # @example
@@ -155,22 +155,24 @@ module Signet
       def update!(options={})
         # Normalize key to String to allow indifferent access.
         options = options.inject({}) { |accu, (k, v)| accu[k.to_s] = v; accu }
-        self.authorization_uri = options["authorization_uri"]
-        self.token_credential_uri = options["token_credential_uri"]
-        self.client_id = options["client_id"]
-        self.client_secret = options["client_secret"]
-        self.scope = options["scope"]
-        self.state = options["state"]
-        self.code = options["code"]
-        self.redirect_uri = options["redirect_uri"]
-        self.username = options["username"]
-        self.password = options["password"]
-        self.issuer = options["issuer"]
-        self.person = options["person"]
+        self.authorization_uri = options["authorization_uri"] if options.has_key?("authorization_uri")
+        self.token_credential_uri = options["token_credential_uri"] if options.has_key?("token_credential_uri")
+        self.client_id = options["client_id"] if options.has_key?("client_id")
+        self.client_secret = options["client_secret"] if options.has_key?("client_secret")
+        self.scope = options["scope"] if options.has_key?("scope")
+        self.state = options["state"] if options.has_key?("state")
+        self.code = options["code"] if options.has_key?("code")
+        self.redirect_uri = options["redirect_uri"] if options.has_key?("redirect_uri")
+        self.username = options["username"] if options.has_key?("username")
+        self.password = options["password"] if options.has_key?("password")
+        self.issuer = options["issuer"] if options.has_key?("issuer")
+        self.person = options["person"] if options.has_key?("person")
+        self.sub = options["sub"] if options.has_key?("sub")
         self.expiry = options["expiry"] || 60
-        self.audience = options["audience"]
-        self.signing_key = options["signing_key"]
+        self.audience = options["audience"] if options.has_key?("audience")
+        self.signing_key = options["signing_key"] if options.has_key?("signing_key")
         self.extension_parameters = options["extension_parameters"] || {}
+        self.additional_parameters = options["additional_parameters"] || {}
         self.update_token!(options)
         return self
       end
@@ -207,25 +209,16 @@ module Signet
         # Normalize key to String to allow indifferent access.
         options = options.inject({}) { |accu, (k, v)| accu[k.to_s] = v; accu }
 
-        self.access_token = options["access_token"] if options["access_token"]
-        self.expires_in = options["expires_in"] if options["expires_in"]
-        self.expires_at = options["expires_at"] if options["expires_at"]
+        self.expires_in = options["expires_in"] if options.has_key?("expires_in")
+        self.expires_at = options["expires_at"] if options.has_key?("expires_at")
 
-        # The refresh token may not be returned in a token response.
-        # In which case, the old one should continue to be used.
-        if options["refresh_token"]
-          self.refresh_token = options["refresh_token"]
-        end
-        # The ID token may not be returned in a token response.
-        # In which case, the old one should continue to be used.
-        if options["id_token"]
-          self.id_token = options["id_token"]
-        end
         # By default, the token is issued at `Time.now` when `expires_in` is
         # set, but this can be used to supply a more precise time.
-        if options["issued_at"]
-          self.issued_at = options["issued_at"]
-        end
+        self.issued_at = options["issued_at"] if options.has_key?("issued_at")
+
+        self.access_token = options["access_token"] if options.has_key?("access_token")
+        self.refresh_token = options["refresh_token"] if options.has_key?("refresh_token")
+        self.id_token = options["id_token"] if options.has_key?("id_token")
 
         return self
       end
@@ -244,12 +237,11 @@ module Signet
         unless options[:access_type]
           options[:access_type] = :offline
         end
-        unless options[:approval_prompt]
-          # This default will likely change in the future.
-          options[:approval_prompt] = :force
-        end
         options[:client_id] ||= self.client_id
         options[:redirect_uri] ||= self.redirect_uri
+        if options[:prompt] && options[:approval_prompt]
+          raise ArgumentError, "prompt and approval_prompt are mutually exclusive parameters"
+        end
         if !options[:client_id]
           raise ArgumentError, "Missing required client identifier."
         end
@@ -260,6 +252,8 @@ module Signet
           options[:scope] = self.scope.join(' ')
         end
         options[:state] = self.state unless options[:state]
+        options.merge!(self.additional_parameters.merge(options[:additional_parameters] || {}))
+        options.delete(:additional_parameters)
         uri = Addressable::URI.parse(
           ::Signet::OAuth2.generate_authorization_uri(
             @authorization_uri, options
@@ -275,12 +269,14 @@ module Signet
       ##
       # Sets the authorization URI for this client.
       #
-      # @param [Addressable::URI, String, #to_str] new_authorization_uri
+      # @param [Addressable::URI, Hash, String, #to_str] new_authorization_uri
       #   The authorization URI.
       def authorization_uri=(new_authorization_uri)
         if new_authorization_uri != nil
-          new_authorization_uri =
-            Addressable::URI.parse(new_authorization_uri)
+          new_authorization_uri = Addressable::URI.send(
+            new_authorization_uri.kind_of?(Hash) ? :new : :parse,
+            new_authorization_uri
+          )
           @authorization_uri = new_authorization_uri
         else
           @authorization_uri = nil
@@ -298,12 +294,14 @@ module Signet
       ##
       # Sets the token credential URI for this client.
       #
-      # @param [Addressable::URI, String, #to_str] new_token_credential_uri
+      # @param [Addressable::URI, Hash, String, #to_str] new_token_credential_uri
       #   The token credential URI.
       def token_credential_uri=(new_token_credential_uri)
         if new_token_credential_uri != nil
-          new_token_credential_uri =
-            Addressable::URI.parse(new_token_credential_uri)
+          new_token_credential_uri = Addressable::URI.send(
+            new_token_credential_uri.kind_of?(Hash) ? :new : :parse,
+            new_token_credential_uri
+          )
           @token_credential_uri = new_token_credential_uri
         else
           @token_credential_uri = nil
@@ -430,8 +428,8 @@ module Signet
       #   The redirect URI.
       def redirect_uri=(new_redirect_uri)
         new_redirect_uri = Addressable::URI.parse(new_redirect_uri)
-        #TODO - Better solution to allow google postmessage flow. For now, make an exception to the spec. 
-        if new_redirect_uri == nil|| new_redirect_uri.absolute? || uri_is_postmessage?(new_redirect_uri)
+        #TODO - Better solution to allow google postmessage flow. For now, make an exception to the spec.
+        if new_redirect_uri == nil|| new_redirect_uri.absolute? || uri_is_postmessage?(new_redirect_uri) || uri_is_oob?(new_redirect_uri)
           @redirect_uri = new_redirect_uri
         else
           raise ArgumentError, "Redirect URI must be an absolute URI."
@@ -532,10 +530,16 @@ module Signet
       def principal=(new_person)
         @principal = new_person
       end
-      
+
       alias_method :person, :principal
       alias_method :person=, :principal=
-      
+
+      ##
+      # The target "sub" when issuing assertions.
+      # Used in some Admin SDK APIs.
+      #
+      attr_accessor :sub
+
       ##
       # Returns the number of seconds assertions are valid for
       # Used only by the assertion grant type.
@@ -554,8 +558,8 @@ module Signet
       def expiry=(new_expiry)
         @expiry = new_expiry
       end
-      
-      
+
+
       ##
       # Returns the signing key associated with this client.
       # Used only by the assertion grant type.
@@ -574,14 +578,14 @@ module Signet
       def signing_key=(new_key)
         @signing_key = new_key
       end
-      
+
       ##
       # Algorithm used for signing JWTs
       # @return [String] Signing algorithm
       def signing_algorithm
         self.signing_key.is_a?(String) ? "HS256" : "RS256"
       end
-      
+
       ##
       # Returns the set of extension parameters used by the client.
       # Used only by extension access grant types.
@@ -606,6 +610,28 @@ module Signet
         end
       end
 
+      ##
+      # Returns the set of additional (non standard) parameters to be used by the client.
+      #
+      # @return [Hash] The pass through parameters.
+      def additional_parameters
+        return @additional_parameters ||= {}
+      end
+
+      ##
+      # Sets additional (non standard) parameters to be used by the client.
+      #
+      # @param [Hash] new_additional_parameters
+      #   The parameters.
+      def additional_parameters=(new_additional_parameters)
+        if new_additional_parameters.respond_to?(:to_hash)
+          @additional_parameters = new_additional_parameters.to_hash
+        else
+          raise TypeError,
+                "Expected Hash, got #{new_additional_parameters.class}."
+        end
+      end
+
       ##
       # Returns the refresh token associated with this client.
       #
@@ -745,8 +771,8 @@ module Signet
       def expired?
         return self.expires_at != nil && Time.now >= self.expires_at
       end
-      
-      
+
+
       ##
       # Removes all credentials from the client.
       def clear_credentials!
@@ -801,7 +827,7 @@ module Signet
       end
 
       def to_jwt(options={})
-        now = Time.new        
+        now = Time.new
         skew = options[:skew] || 60
         assertion = {
           "iss" => self.issuer,
@@ -811,9 +837,40 @@ module Signet
           "iat" => (now - skew).to_i
         }
         assertion['prn'] = self.person unless self.person.nil?
+        assertion['sub'] = self.sub unless self.sub.nil?
         JWT.encode(assertion, self.signing_key, self.signing_algorithm)
       end
-      
+
+      ##
+      # Serialize the client object to JSON.
+      #
+      # @note A serialized client contains sensitive information. Persist or transmit with care.
+      #
+      # @return [String] A serialized JSON representation of the client.
+      def to_json
+        return MultiJson.dump({
+          'authorization_uri' => self.authorization_uri,
+          'token_credential_uri' => self.token_credential_uri,
+          'client_id' => self.client_id,
+          'client_secret' => self.client_secret,
+          'scope' => self.scope,
+          'state' => self.state,
+          'code' => self.code,
+          'redirect_uri' => self.redirect_uri,
+          'username' => self.username,
+          'password' => self.password,
+          'issuer' => self.issuer,
+          'audience' => self.audience,
+          'person' => self.person,
+          'expiry' => self.expiry,
+          'signing_key' => self.signing_key,
+          'refresh_token' => self.refresh_token,
+          'access_token' => self.access_token,
+          'id_token' => self.id_token,
+          'extension_parameters' => self.extension_parameters
+        })
+      end
+
       ##
       # Generates a request for token credentials.
       #
@@ -856,6 +913,7 @@ module Signet
           ['Cache-Control', 'no-store'],
           ['Content-Type', 'application/x-www-form-urlencoded']
         ]
+        parameters.merge!(self.additional_parameters.merge(options[:additional_parameters] || {}))
         return options[:connection].build_request(
           method.to_s.downcase.to_sym
         ) do |req|
@@ -907,12 +965,12 @@ module Signet
         return token_hash
       end
 
-      ## 
+      ##
       # Refresh the access token, if possible
-      def refresh!
-        self.fetch_access_token!
+      def refresh!(options={})
+        self.fetch_access_token!(options)
       end
-      
+
       ##
       # Generates an authenticated request for protected resources.
       #
@@ -973,7 +1031,7 @@ module Signet
             req.body = body
           end
         end
-        
+
         request['Authorization'] = ::Signet::OAuth2.generate_bearer_authorization_header(
           self.access_token,
           options[:realm] ? [['realm', options[:realm]]] : nil
@@ -1042,16 +1100,23 @@ module Signet
           return response
         end
       end
-      
+
       private
-      
+
       ##
       # Check if URI is Google's postmessage flow (not a valid redirect_uri by spec, but allowed)
       # @private
       def uri_is_postmessage?(uri)
         return uri.to_s.casecmp('postmessage') == 0
       end
-      
+
+      ##
+      # Check if the URI is a out-of-band
+      # @private
+      def uri_is_oob?(uri)
+        return uri.to_s == 'urn:ietf:wg:oauth:2.0:oob' || uri.to_s == 'oob'
+      end
+
     end
   end
 end