
Commit 8baff19

Merge pull request #662 from ruby-oauth/oauth2.1

2 parents d1158a4 + 4274871, commit 8baff19

Some content is hidden: large commits have some content hidden by default, so not every changed file appears below.

51 files changed: +472 / -105 lines

.rubocop_gradual.lock

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -6,7 +6,7 @@
66
"lib/oauth2.rb:2435263975": [
77
[73, 11, 7, "ThreadSafety/ClassInstanceVariable: Avoid class instance variables.", 651502127]
88
],
9-
"lib/oauth2/access_token.rb:558937598": [
9+
"lib/oauth2/access_token.rb:1775225572": [
1010
[64, 13, 5, "Style/IdenticalConditionalBranches: Move `t_key` out of the conditional.", 183811513],
1111
[70, 13, 5, "Style/IdenticalConditionalBranches: Move `t_key` out of the conditional.", 183811513]
1212
],
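Review bot: the entry for lib/oauth2/access_token.rb only gets a new file hash (558937598 to 1775225572) while its two Style/IdenticalConditionalBranches offenses at lines 64 and 70 are carried over unchanged. Since the file was touched in this PR anyway, hoisting `t_key` out of both conditionals as RuboCop suggests would let these two entries be dropped instead of being re-recorded against the new hash; if the edit was comment-only and intentionally minimal, say so in the PR description so the carried-over lint debt is visible.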

CHANGELOG.md

Lines changed: 9 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -1,12 +1,19 @@
11
# Changelog
22
All notable changes to this project will be documented in this file.
33

4-
The format (since v2) is based on [Keep a Changelog v1](https://keepachangelog.com/en/1.0.0/),
5-
and this project adheres to [Semantic Versioning v2](https://semver.org/spec/v2.0.0.html).
4+
The format (since v2) is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
5+
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
66

77
## [Unreleased]
88
### Added
99
- improved documentation by @pboling
10+
- documentation notes in code comments and README highlighting OAuth 2.1 differences, with references, such as:
11+
- PKCE required for auth code,
12+
- exact redirect URI match,
13+
- implicit/password grants omitted,
14+
- avoid bearer tokens in query,
15+
- refresh token guidance for public clients,
16+
- simplified client definitions)
1017
### Changed
1118
### Deprecated
1219
### Removed
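Review bot: line 16 closes a parenthesis that was never opened (`- simplified client definitions)`); either drop the `)` or open one on line 10, e.g. `with references (such as:`. The six sub-items on lines 11-16 also read as one sentence split across bullets with trailing commas; either make each a standalone bullet without the comma or fold them into the single line-10 entry, which is the usual Keep a Changelog style for one logical addition.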

README.md

Lines changed: 16 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -692,6 +692,22 @@ Response instance will contain the `OAuth2::Error` instance.
692692

693693
### Authorization Grants
694694

695+
Note on OAuth 2.1 (draft):
696+
- PKCE is required for all OAuth clients using the authorization code flow (especially public clients). Implement PKCE in your app when required by your provider. See RFC 7636 and RFC 8252.
697+
- Redirect URIs must be compared using exact string matching by the Authorization Server.
698+
- The Implicit grant (response_type=token) and the Resource Owner Password Credentials grant are omitted from OAuth 2.1; they remain here for OAuth 2.0 compatibility but should be avoided for new apps.
699+
- Bearer tokens in the query string are omitted due to security risks; prefer Authorization header usage.
700+
- Refresh tokens for public clients must either be sender-constrained (e.g., DPoP/MTLS) or one-time use.
701+
- The definitions of public and confidential clients are simplified to refer only to whether the client has credentials.
702+
703+
References:
704+
- OAuth 2.1 draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13
705+
- Aaron Parecki: https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
706+
- FusionAuth: https://fusionauth.io/blog/2020/04/15/whats-new-in-oauth-2-1
707+
- Okta: https://developer.okta.com/blog/2019/12/13/oauth-2-1-how-many-rfcs
708+
- Video: https://www.youtube.com/watch?v=g_aVPdwBTfw
709+
- Differences overview: https://fusionauth.io/learn/expert-advice/oauth/differences-between-oauth-2-oauth-2-1/
710+
695711
Currently, the Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials, and Assertion
696712
authentication grant types have helper strategy classes that simplify client
697713
use. They are available via the [`#auth_code`](https://gitlab.com/ruby-oauth/oauth2/-/blob/main/lib/oauth2/strategy/auth_code.rb),
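Review bot: the PKCE bullet on line 696 contradicts itself: it states PKCE is required for all clients using the authorization code flow, then tells the reader to implement it "when required by your provider". Under OAuth 2.1 the client sends code_challenge and code_verifier on every authorization code exchange regardless of what a given server enforces, so the second sentence should read along the lines of "Always send a PKCE code_challenge and code_verifier with the authorization code grant; a server that rejects them is not OAuth 2.1 compliant." RFC 7636 is the right citation for PKCE itself; RFC 8252 is the native-apps BCP and should be cited as such rather than as a second general PKCE reference. On line 700, the refresh token bullet states a requirement on the authorization server; the README would be more useful to gem users if it added the client-side consequence: a refresh response may return a new refresh token, and the application must persist that token and stop using the previous one.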

docs/OAuth2.html

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -415,7 +415,7 @@ <h3 class="signature first" id="configure-class_method">
415415
</div>
416416

417417
<div id="footer">
418-
Generated on Sat Aug 30 20:09:59 2025 by
418+
Generated on Sun Aug 31 03:36:08 2025 by
419419
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
420420
0.9.37 (ruby-3.4.5).
421421
</div>
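Review bot: the only change in this hunk (and in the footer hunks of AccessToken.html, Authenticator.html, Client.html, Error.html, FilteredAttributes.html and FilteredAttributes/ClassMethods.html) is the yard generation timestamp on line 418. A wall-clock footer produces a diff in every committed HTML file on every run and buries the one substantive documentation change in Client.html; consider regenerating the committed HTML only at release time, or omitting the timestamp from the footer if the yard template in use allows it.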

docs/OAuth2/AccessToken.html

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -3069,7 +3069,7 @@ <h3 class="signature " id="to_hash-instance_method">
30693069
</div>
30703070

30713071
<div id="footer">
3072-
Generated on Sat Aug 30 20:09:59 2025 by
3072+
Generated on Sun Aug 31 03:36:08 2025 by
30733073
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
30743074
0.9.37 (ruby-3.4.5).
30753075
</div>

docs/OAuth2/Authenticator.html

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -883,7 +883,7 @@ <h3 class="signature first" id="apply-instance_method">
883883
</div>
884884

885885
<div id="footer">
886-
Generated on Sat Aug 30 20:09:59 2025 by
886+
Generated on Sun Aug 31 03:36:08 2025 by
887887
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
888888
0.9.37 (ruby-3.4.5).
889889
</div>

docs/OAuth2/Client.html

Lines changed: 12 additions & 7 deletions
Original file line number | Diff line number | Diff line change
@@ -1843,6 +1843,9 @@ <h3 class="signature " id="redirection_params-instance_method">
18431843
requesting authorization. If it is provided at authorization time it MUST<br />
18441844
also be provided with the token exchange request.</p>
18451845

1846+
<p>OAuth 2.1 note: Authorization Servers must compare redirect URIs using exact string matching.<br />
1847+
This client simply forwards the configured redirect_uri; the exact-match validation happens server-side.</p>
1848+
18461849
<p>Providing :redirect_uri to the OAuth2::Client instantiation will take<br />
18471850
care of managing this.</p>
18481851

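Review bot: the added note on lines 1846-1847 says where redirect URI matching happens but not what that means for callers of this client: because the server compares exactly, the redirect_uri sent in the authorization request and in the token exchange must be identical byte for byte (scheme, host case, port, path, trailing slash, no extra query parameters), so it should come from one configured value rather than be reconstructed from the incoming request. Suggest appending that sentence. Since this HTML is yard output, the fix belongs in the docstring in lib/oauth2/client.rb (among the hidden files in this commit) and the HTML should be regenerated from it.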
@@ -1880,6 +1883,8 @@ <h3 class="signature " id="redirection_params-instance_method">
18801883

18811884
<li><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-10.6" target="_parent" title="https://datatracker.ietf.org/doc/html/rfc6749#section-10.6">https://datatracker.ietf.org/doc/html/rfc6749#section-10.6</a></li>
18821885

1886+
<li><a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13" target="_parent" title="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13</a></li>
1887+
18831888
</ul>
18841889

18851890
</div><table class="source_code">
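Review bot: the new reference on line 1886 is pinned to draft revision 13 (draft-ietf-oauth-v2-1-13), as is README line 704 in this same commit. Internet-Drafts are superseded and expire, so linking the unversioned name https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1 keeps the reference pointing at the current revision, and once OAuth 2.1 is published as an RFC both links should be replaced with the RFC URL.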
@@ -1888,16 +1893,16 @@ <h3 class="signature " id="redirection_params-instance_method">
18881893
<pre class="lines">
18891894

18901895

1891-
335
1892-
336
1893-
337
1894-
338
18951896
339
18961897
340
1897-
341</pre>
1898+
341
1899+
342
1900+
343
1901+
344
1902+
345</pre>
18981903
</td>
18991904
<td>
1900-
<pre class="code"><span class="info file"># File 'lib/oauth2/client.rb', line 335</span>
1905+
<pre class="code"><span class="info file"># File 'lib/oauth2/client.rb', line 339</span>
19011906

19021907
<span class='kw'>def</span> <span class='id identifier rubyid_redirection_params'>redirection_params</span>
19031908
<span class='kw'>if</span> <span class='id identifier rubyid_options'>options</span><span class='lbracket'>[</span><span class='symbol'>:redirect_uri</span><span class='rbracket'>]</span>
@@ -2651,7 +2656,7 @@ <h3 class="signature " id="token_url-instance_method">
26512656
</div>
26522657

26532658
<div id="footer">
2654-
Generated on Sat Aug 30 20:09:59 2025 by
2659+
Generated on Sun Aug 31 03:36:08 2025 by
26552660
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
26562661
0.9.37 (ruby-3.4.5).
26572662
</div>

docs/OAuth2/Error.html

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -772,7 +772,7 @@ <h3 class="signature " id="response-instance_method">
772772
</div>
773773

774774
<div id="footer">
775-
Generated on Sat Aug 30 20:09:59 2025 by
775+
Generated on Sun Aug 31 03:36:08 2025 by
776776
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
777777
0.9.37 (ruby-3.4.5).
778778
</div>

docs/OAuth2/FilteredAttributes.html

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -335,7 +335,7 @@ <h3 class="signature first" id="inspect-instance_method">
335335
</div>
336336

337337
<div id="footer">
338-
Generated on Sat Aug 30 20:09:59 2025 by
338+
Generated on Sun Aug 31 03:36:08 2025 by
339339
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
340340
0.9.37 (ruby-3.4.5).
341341
</div>

docs/OAuth2/FilteredAttributes/ClassMethods.html

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -280,7 +280,7 @@ <h3 class="signature " id="filtered_attributes-instance_method">
280280
</div>
281281

282282
<div id="footer">
283-
Generated on Sat Aug 30 20:09:59 2025 by
283+
Generated on Sun Aug 31 03:36:08 2025 by
284284
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
285285
0.9.37 (ruby-3.4.5).
286286
</div>
