https://github.com/ruby-oauth/oauth2 - v2.0.22

2.0.22 - 2026-06-07

• TAG: v2.0.22
• COVERAGE: 100.00% -- 542/542 lines in 15 files
• BRANCH COVERAGE: 100.00% -- 180/180 branches in 15 files
• 88.35% documented

Changed

• Raised generated development tooling floors to kettle-dev >= 2.1.1 and
  version_gem >= 1.1.11.
• Raised the runtime dependency floor for snaky_hash to >= 2.0.5.

Security

• [GHSA-pp92-crg2-gfv9] Prevent protocol-relative redirect Location values from changing request authority, and strip Authorization headers from cross-origin redirects.

Official Discord 👉️

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

- Ruby
Published by pboling 9 days ago

https://github.com/ruby-oauth/oauth2 - v2.0.21

2.0.21 - 2026-06-06

• TAG: v2.0.21
• COVERAGE: 100.00% -- 525/525 lines in 15 files
• BRANCH COVERAGE: 100.00% -- 174/174 branches in 15 files
• 88.35% documented

Added

• gh!730 - Alternatives section to README by @jonathangrinstead
• Updates to alternatives section - by @pboling

• Added conditional appraisal2-rubocop Appraisal root loading on modern Ruby
  so generated Appraisal gemfiles are normalized during generation - by @pboling

Changed

• Raised generated version_gem dependency floor to version_gem >= 1.1.10 - by @pboling
• Raised the runtime dependency floor for auth-sanitizer to >= 0.2.1 - by @pboling
• Refreshed generated package metadata, support documentation, CI workflows,
  and development dependency floors from the current kettle-jem template - by @pboling
• Documented the current per-version Ruby, JRuby, and TruffleRuby CI matrix in
  generated README badges and compatibility tables - by @pboling
• Removed the post-install message from the gemspec to keep installs quieter - by @pboling
• Refreshed generated README support badges so Ruby 2.3 is listed as
  supported but untested - by @pboling
• Refreshed generated project metadata from the current kettle-jem template - by @pboling
• Raised development tooling floors to kettle-dev >= 2.1.0 and
  appraisal2 >= 3.1.1 for Appraisal2's split generate/install/update
  command semantics.
• Refreshed generated Appraisal and CI templates to appraisal2-rubocop 0.2.0 - by @pboling

Removed

• Dropped the obsolete Ruby 2.3 Caboose workflow and its Hashie appraisal
  gemfiles; development tooling now requires Ruby 2.4 or newer, and Ruby 2.4
  coverage is already handled by the standard Ruby 2.4 workflow - by @pboling

Fixed

• Updated CI workflow maintenance: QLTY uploads now use OIDC and harden-runner
  is pinned to v2.19.4 - by @pboling
• Replaced stale platform CI rake magic commands with portable spec commands - by @pboling
• Pinned multi_xml below 0.9 for TruffleRuby compatibility - by @pboling
• Marked EOL TruffleRuby 22.3, 23.0, and 23.1 CI as experimental because they can crash inside the interpreter during Bundler setup - by @pboling
• Improved gemspec version loading for older Rubies and isolated load-path
  contexts - by @pboling
• Constrained json in TruffleRuby and Ruby 3.2 appraisal bundles so generated
  CI dependency resolution remains compatible with those Ruby targets - by @pboling
• Pinned generated GitHub Actions actions/checkout steps to the peeled
  v6.0.3 commit SHA so OSSF Scorecard workflow verification accepts them - by @pboling
• Marked generated EOL TruffleRuby 22.3, 23.0, and 23.1 matrix entries
  experimental so native extension build failures do not fail the whole
  workflow - by @pboling
• Pinned json only for EOL TruffleRuby appraisal bundles, matching the
  default json gem shipped with each TruffleRuby release instead of
  constraining MRI Ruby appraisal bundles - by @pboling

Official Discord 👉️

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

- Ruby
Published by pboling 9 days ago

https://github.com/ruby-oauth/oauth2 - v2.0.20

2.0.20 - 2026-05-20

• TAG: v2.0.20
• COVERAGE: 99.62% -- 525/527 lines in 15 files
• BRANCH COVERAGE: 98.88% -- 176/178 branches in 15 files
• 88.35% documented

Added

• OAuth2::VERSION (Traditional Constant Location)

Changed

• auth-sanitizer v0.1.3

Fixed

• gh!721 Load auth-sanitizer through an internal isolated loader so requiring oauth2 does not add top-level Auth or AuthSanitizer constants that may collide with downstream applications by @pboling

Security

Official Discord 👉️

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

- Ruby
Published by pboling 26 days ago

https://github.com/ruby-oauth/oauth2 - v2.0.19

2.0.19 - 2026-05-15

• TAG: v2.0.19
• COVERAGE: 100.00% -- 515/515 lines in 14 files
• BRANCH COVERAGE: 100.00% -- 174/174 branches in 14 files
• 89.11% documented

Added

• gh!707 Add OAuth2.config[:filtered_label] to configure the placeholder used for filtered sensitive values in inspected objects and debug logging output by @pboling
• gh!707 Add OAuth2.config[:filtered_debug_keys] to configure which key names have their values redacted from debug logging output by @pboling

Changed

• gh!707 Make inspect-time and debug-log filters snapshot their configuration at initialization time rather than tracking later config changes by @pboling
• gh!714Refactor sensitive-value filtering to use auth-sanitizer while preserving OAuth2::FilteredAttributes as a permanent API alias by @pboling

Removed

• Remove the internal OAuth2::ThingFilter and OAuth2::SanitizedLogger implementations now provided by auth-sanitizer by @pboling

Security

• gh!707 Redact sensitive values from debug logging output, including Authorization headers and common token/secret fields in headers, query strings, form bodies, and JSON payloads by @pboling
  • NOTE: debug logging has always been, and remains, opt-in. It is turned off by default.

Official Discord 👉️

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

- Ruby
Published by pboling about 1 month ago

https://github.com/ruby-oauth/oauth2 - v2.0.18

2.0.18 - 2025-11-08

• TAG: v2.0.18
• COVERAGE: 100.00% -- 526/526 lines in 14 files
• BRANCH COVERAGE: 100.00% -- 178/178 branches in 14 files
• 90.48% documented

Added

• gh!683, gh!684 - Improve documentation by @pboling
• gh!686- Add Incident Response Plan by @pboling
• gh!687- Add Threat Model by @pboling

Changed

• gh!685 - upgrade kettle-dev v1.1.24 by @pboling
• upgrade kettle-dev v1.1.52 by @pboling
  • Add open collective donors to README

Fixed

• gh!690, gh!691, gh!692 - Add yard-fence
  • handle braces within code fences in markdown properly by @pboling

Security

Official Discord 👉️

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

- Ruby
Published by pboling 7 months ago

https://github.com/ruby-oauth/oauth2 - v2.0.17

2.0.17 - 2025-09-15

• TAG: v2.0.17
• COVERAGE: 100.00% -- 526/526 lines in 14 files
• BRANCH COVERAGE: 100.00% -- 178/178 branches in 14 files
• 90.48% documented

Added

• [gh!682][gh!682] - AccessToken: support Hash-based verb-dependent token transmission mode (e.g., {get: :query, post: :header})

Official Discord 👉️

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

- Ruby
Published by pboling 9 months ago

https://github.com/ruby-oauth/oauth2 - v2.0.16

2.0.16 - 2025-09-14

• TAG: v2.0.16
• COVERAGE: 100.00% -- 520/520 lines in 14 files
• BRANCH COVERAGE: 100.00% -- 176/176 branches in 14 files
• 90.48% documented

Added

• gh!680—E2E example using mock test server added in v2.0.11 by @pboling
  • mock-oauth2-server upgraded to v2.3.0
    • https://github.com/navikt/mock-oauth2-server
  • docker compose -f docker-compose-ssl.yml up -d --wait
  • ruby examples/e2e.rb
  • docker compose -f docker-compose-ssl.yml down
  • mock server readiness wait is 90s
  • override via E2E_WAIT_TIMEOUT
• gh!676, gh!679 - Apache SkyWalking Eyes dependency license check by @pboling

Changed

• gh!678 - Many improvements to make CI more resilient (past/future proof) by @pboling
• gh!681 - Upgrade to kettle-dev v1.1.19

Security

Official Discord 👉️

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

- Ruby
Published by pboling 9 months ago

https://github.com/ruby-oauth/oauth2 - v2.0.15

2.0.15 - 2025-09-08

• TAG: v2.0.15
• COVERAGE: 100.00% -- 519/519 lines in 14 files
• BRANCH COVERAGE: 100.00% -- 174/174 branches in 14 files
• 90.48% documented

Added

• gh!671 - Complete documentation example for Instagram by @pboling
• .env.local.example for contributor happiness
• note lack of builds for JRuby 9.2, 9.3 & Truffleruby 22.3, 23.0
  • actions/runner - issues/2347
  • community/discussions/15452
• gh!670 - AccessToken: verb-dependent token transmission mode by @mrj
  • e.g., Instagram GET=:query, POST/DELETE=:header

Changed

• gh!669 - Upgrade to kettle-dev v1.1.9 by @pboling

Fixed

• Remove accidentally duplicated lines, and fix typos in CHANGELOG.md
• point badge to the correct workflow for Ruby 2.3 (caboose.yml)

Security

Official Discord 👉️

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

- Ruby
Published by pboling 9 months ago

https://github.com/ruby-oauth/oauth2 - v2.0.14

What's Changed

• 📝 Added OAuth 2.1 draft specification by @pboling in https://github.com/ruby-oauth/oauth2/pull/662
• 📝 Added OIDC documentation, example, and spec references in OIDC.md by @pboling in https://github.com/ruby-oauth/oauth2/pull/663
• 📝 Add Example for JHipster UAA Server Integration by @pboling in https://github.com/ruby-oauth/oauth2/pull/664
• 📝 Document Mutual TLS (mTLS) usage with example in README by @pboling in https://github.com/ruby-oauth/oauth2/pull/665
• ✅ Documentation with Example for Flat Params Usage, with specs by @pboling in https://github.com/ruby-oauth/oauth2/pull/666
• ⬆️ kettle-dev v1.0.24 by @pboling in https://github.com/ruby-oauth/oauth2/pull/667

Full Changelog: https://github.com/ruby-oauth/oauth2/compare/v2.0.13...v2.0.14

Official Discord 👉️

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

- Ruby
Published by pboling 10 months ago

https://github.com/ruby-oauth/oauth2 - v2.0.13

2.0.13 - 2025-08-30

• TAG: v2.0.13
• COVERAGE: 100.00% -- 519/519 lines in 14 files
• BRANCH COVERAGE: 100.00% -- 174/174 branches in 14 files
• 90.48% documented

Added

• gh656 - Support revocation with URL-encoded parameters
• gh660 - Inline yard documentation by @pboling
• gh660 - Complete RBS types documentation by @pboling
• gh660- (more) Comprehensive documentation / examples by @pboling
• gh657 - Updated documentation for org-rename by @pboling
• More funding links by @Aboling0

Changed

• Upgrade Code of Conduct to Contributor Covenant 2.1 by @pboling
• gh660 - Shrink post-install message by 4 lines by @pboling

Fixed

• gh660 - Links in README (including link to HEAD documentation) by @pboling

Security

Auto-generated notes

What's Changed

• 📝 Update README by @Aboling0 in https://github.com/ruby-oauth/oauth2/pull/653
• 🎨 Use 'console' instead of 'bash' for code block highlighting by @Aboling0 in https://github.com/ruby-oauth/oauth2/pull/654
• Support revocation with URL-encoded parameters by @srook in https://github.com/ruby-oauth/oauth2/pull/656
• 🚚 Update for org rename by @pboling in https://github.com/ruby-oauth/oauth2/pull/657
• Bump qltysh/qlty-action from 1 to 2 by @dependabot[bot] in https://github.com/ruby-oauth/oauth2/pull/658
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in https://github.com/ruby-oauth/oauth2/pull/659
• Release v2.0.13 by @pboling in https://github.com/ruby-oauth/oauth2/pull/660

New Contributors

• @srook made their first contribution in https://github.com/ruby-oauth/oauth2/pull/656

Full Changelog: https://github.com/ruby-oauth/oauth2/compare/v2.0.12...v2.0.13

Official Discord 👉️

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

- Ruby
Published by pboling 10 months ago

https://github.com/ruby-oauth/oauth2 - v2.0.12

What's Changed

• feat: Add Key ID (kid) support to JWT assertions by @mridang in https://github.com/oauth-xx/oauth2/pull/652
• More Documentation by @pboling
  • Documented Serialization Extensions
  • Added Gatzo.com FLOSS logo by @Aboling0, CC BY-SA 4.0
  • Documentation site @ https://oauth2.galtzo.com now complete

New Contributors

• @mridang made their first contribution in https://github.com/oauth-xx/oauth2/pull/652

Full Changelog: https://github.com/oauth-xx/oauth2/compare/v2.0.11...v2.0.12

- Ruby
Published by pboling about 1 year ago

https://github.com/ruby-oauth/oauth2 - v2.0.11

2.0.11 - 2025-05-23

• TAG: v2.0.11
• COVERAGE: 100.00% -- 518/518 lines in 14 files
• BRANCH COVERAGE: 100.00% -- 172/172 branches in 14 files
• 80.00% documented

Added

• gh651 - :snaky_hash_klass option (@pboling)
• More documentation
• Codeberg as ethical mirror (@pboling)
  • https://codeberg.org/oauth-xx/oauth2
• Don't check for cert if SKIP_GEM_SIGNING is set (@pboling)
• All runtime deps, including oauth-xx sibling gems, are now tested against HEAD (@pboling)
• YARD config, GFM compatible with relative file links (@pboling)
• Documentation site on GitHub Pages (@pboling)
  • oauth2.galtzo.com
• !649 - Test compatibility with all key minor versions of Hashie v0, v1, v2, v3, v4, v5, HEAD (@pboling)
• gh651 - Mock OAuth2 server for testing (@pboling)
  • https://github.com/navikt/mock-oauth2-server

Changed

• gh651 - Upgraded to snaky_hash v2.0.3 (@pboling)
  • Provides solution for serialization issues
• Updated spec.homepage_uri in gemspec to GitHub Pages YARD documentation site (@pboling)

Fixed

• gh650 - Regression in return type of OAuth2::Response#parsed (@pboling)
• Incorrect documentation related to silencing warnings (@pboling)

What's Changed

• 👷 Ensure compatibility with all versions of Hashie by @pboling in https://github.com/oauth-xx/oauth2/pull/649
• Bug/parsed return type by @pboling in https://github.com/oauth-xx/oauth2/pull/650
• Release/v2.0.11 by @pboling in https://github.com/oauth-xx/oauth2/pull/651

Full Changelog: https://github.com/oauth-xx/oauth2/compare/v2.0.10...v2.0.11

- Ruby
Published by pboling about 1 year ago

https://github.com/ruby-oauth/oauth2 - v2.0.10

2.0.10 - 2025-05-16

• TAG: v2.0.10
• COVERAGE: 100.00% -- 518/518 lines in 14 files
• BRANCH COVERAGE: 100.00% -- 170/170 branches in 14 files
• 79.05% documented

Added

• gh!632 - Added funding.yml (@Aboling0)
• !635 - Added .gitlab-ci.yml (@jessieay)
• #638 - Documentation of support for ILO Fundamental Principles of Rights at Work (@pboling)
• !642 - 20-year certificate for signing gem releases, expires 2045-04-29 (@pboling)
  • Gemspec metadata
    • funding_uri
    • news_uri
    • mailing_list_uri
  • SHA256 and SHA512 Checksums for release
• !643 - Add token_name option (@pboling)
  • Specify the parameter name that identifies the access token
• !645 - Add OAuth2::OAUTH_DEBUG constant, based on `ENV["OAUTH_DEBUG"] (@pboling)
• !646 - Add OAuth2.config.silence_extra_tokens_warning, default: false (@pboling)
• !647 - Add IETF RFC 7009 Token Revocation compliant (@pboling)
  • OAuth2::Client#revoke_token
  • OAuth2::AccessToken#revoke
  • See: https://datatracker.ietf.org/doc/html/rfc7009
• gh!644, gh!645 - Added CITATION.cff (@Aboling0)
• !648 - Improved documentation (@pboling)

Changed

• Default value of OAuth2.config.silence_extra_tokens_warning was false, now true (@pboling)
• Gem releases are now cryptographically signed, with a 20-year cert (@pboling)
  • Allow linux distros to build release without signing, as their package managers sign independently
• !647 - OAuth2::AccessToken#refresh now supports block param pass through (@pboling)
• !647 - OAuth2.config is no longer writable (@pboling)
• !647 - Errors raised by OAuth2::AccessToken are now always OAuth2::Error and have better metadata (@pboling)

Fixed

• #95 - restoring an access token via AccessToken#from_hash (@pboling)
  • This was a 13 year old bug report. 😘
• #619 - Internal options (like snaky, raise_errors, and parse) are no longer included in request (@pboling)
• !633 - Spaces will now be encoded as %20 instead of + (@nov.matake)
• !634 - CHANGELOG.md documentation fix (@skuwa229)
• !638 - fix expired? when expires_in is 0 (@disep)
• !639 - Only instantiate OAuth2::Error if raise_errors option is true (@glytch2)
• #639 - AccessToken#to_hash is now serializable, just a regular Hash (@pboling)
• !640 - README.md documentation fix (@martinezcoder)
• !641 - Do not include sensitive information in the inspect (@manuelvanrijn)
• #641 - Made default JSON response parser more resilient (@pboling)
• #645 - Response no longer becomes a snaky hash (@pboling)
• gh!646 - Change require to require_relative (improve performance) (@Aboling0)

Autogen notes...

• 💸 Update funding by @Aboling0 in https://github.com/oauth-xx/oauth2/pull/632
• Feat/20 year cert by @pboling in https://github.com/oauth-xx/oauth2/pull/633
• Feat/token name by @pboling in https://github.com/oauth-xx/oauth2/pull/639
• Feat/docs 640 by @pboling in https://github.com/oauth-xx/oauth2/pull/640
• Feat/oauth debug by @pboling in https://github.com/oauth-xx/oauth2/pull/641
• ✨ silence_no_tokens_warning by @pboling in https://github.com/oauth-xx/oauth2/pull/642
• Add IETF RFC 7009 Token Revocation by @pboling in https://github.com/oauth-xx/oauth2/pull/643
• Bump MeilCli/danger-action from 5 to 6 by @dependabot in https://github.com/oauth-xx/oauth2/pull/634
• Bump github/codeql-action from 1 to 3 by @dependabot in https://github.com/oauth-xx/oauth2/pull/638
• 📝 Made CITATION.cff by @Aboling0 in https://github.com/oauth-xx/oauth2/pull/644
• 🚚 Moved CITATION.cff by @Aboling0 in https://github.com/oauth-xx/oauth2/pull/645
• ⚡️ Change require to require_relative by @Aboling0 in https://github.com/oauth-xx/oauth2/pull/646
• Release/v2.0.10 by @pboling in https://github.com/oauth-xx/oauth2/pull/647

New Contributors

• @Aboling0 made their first contribution in https://github.com/oauth-xx/oauth2/pull/632
• @dependabot made their first contribution in https://github.com/oauth-xx/oauth2/pull/634

Full Changelog: https://github.com/oauth-xx/oauth2/compare/v2.0.9...v2.0.10

- Ruby
Published by pboling about 1 year ago