Releases: ruby-oauth/oauth2

v2.0.23

13 Jun 11:29
Immutable release. Only release title and notes can be modified.
v2.0.23
af44293

2.0.23 - 2026-06-13

  • TAG: v2.0.23
  • COVERAGE: 100.00% -- 562/562 lines in 15 files
  • BRANCH COVERAGE: 97.89% -- 186/190 branches in 15 files
  • 88.35% documented

Changed

  • Upgraded to snaky_hash v2.0.6 by @pboling
  • Refreshed generated GHA workflow action SHA pins by @pboling

Fixed

  • Addressed Reek code-quality checks with targeted cleanup and documented compatibility exclusions by @pboling
  • Fixed deprecation warning from MultiXML by @robzolkos
  • Fixed head appraisal dependency conflicts and Ruby 2.4 protocol-relative redirect handling by @pboling

Official Discord 👉️ Live Chat on Discord

Many paths lead to being a sponsor or a backer of this project. Are you on such a path?

OpenCollective Backers OpenCollective Sponsors Sponsor Me on Github Liberapay Goal Progress Donate on PayPal

Buy me a coffee Donate on Polar Donate to my FLOSS efforts at ko-fi.com Donate to my FLOSS efforts using Patreon

v2.0.22

07 Jun 07:13
Immutable release. Only release title and notes can be modified.
v2.0.22
551f434

2.0.22 - 2026-06-07

  • TAG: v2.0.22
  • COVERAGE: 100.00% -- 542/542 lines in 15 files
  • BRANCH COVERAGE: 100.00% -- 180/180 branches in 15 files
  • 88.35% documented

Changed

  • Raised generated development tooling floors to kettle-dev >= 2.1.1 and
    version_gem >= 1.1.11.
  • Raised the runtime dependency floor for snaky_hash to >= 2.0.5.

Security

  • [GHSA-pp92-crg2-gfv9] Prevent protocol-relative redirect Location values from changing request authority, and strip Authorization headers from cross-origin redirects.
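
The two behaviours named in the advisory entry above, sketched as an added example (not the oauth2 gem's own code). The helper names, the sample URLs and the choice to refuse protocol-relative values outright are assumptions made for illustration.

```ruby
require "uri"

# Added illustration; helper names are hypothetical, not the oauth2 gem's API.
class UnsafeRedirect < StandardError; end

# Origin = scheme, host and effective port (URI fills in 80/443 defaults).
def origin_of(uri)
  [uri.scheme.to_s.downcase, uri.host.to_s.downcase, uri.port]
end

# Returns [next_url, headers_to_send] for a redirect response, or raises.
def next_request(request_url, location, headers)
  location = location.to_s.strip
  # "//host/path" is a network-path reference: resolving it keeps the scheme
  # but replaces the authority, so it is refused outright (assumed policy).
  if location.start_with?("//")
    raise UnsafeRedirect, "protocol-relative Location refused: #{location}"
  end

  base = URI.parse(request_url)
  target = URI.join(request_url, location)
  unless %w[http https].include?(target.scheme.to_s.downcase)
    raise UnsafeRedirect, "unsupported redirect scheme: #{target.scheme}"
  end

  kept = headers.dup
  unless origin_of(target) == origin_of(base)
    # Credentials were issued for the original origin only.
    kept.delete_if { |name, _| name.to_s.casecmp("authorization").zero? }
  end
  [target.to_s, kept]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values.
  sent = {"Authorization" => "Bearer constructed-token", "Accept" => "application/json"}
  ["/v2/token", "https://cdn.example.net/file", "//other.example.net/x"].each do |loc|
    begin
      url, hdrs = next_request("https://api.example.com/oauth/token", loc, sent)
      puts "#{loc} -> #{url} #{hdrs.keys.inspect}"
    rescue UnsafeRedirect => e
      puts "#{loc} -> #{e.message}"
    end
  end
end
```

A change of port or a downgrade from https to http counts as a different origin here, so the Authorization header is dropped in those cases as well.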

v2.0.21

07 Jun 03:51
Immutable release. Only release title and notes can be modified.
v2.0.21
3f41549

2.0.21 - 2026-06-06

  • TAG: v2.0.21
  • COVERAGE: 100.00% -- 525/525 lines in 15 files
  • BRANCH COVERAGE: 100.00% -- 174/174 branches in 15 files
  • 88.35% documented

Added

  • Added conditional appraisal2-rubocop Appraisal root loading on modern Ruby
    so generated Appraisal gemfiles are normalized during generation - by @pboling

Changed

  • Raised generated version_gem dependency floor to version_gem >= 1.1.10 - by @pboling
  • Raised the runtime dependency floor for auth-sanitizer to >= 0.2.1 - by @pboling
  • Refreshed generated package metadata, support documentation, CI workflows,
    and development dependency floors from the current kettle-jem template - by @pboling
  • Documented the current per-version Ruby, JRuby, and TruffleRuby CI matrix in
    generated README badges and compatibility tables - by @pboling
  • Removed the post-install message from the gemspec to keep installs quieter - by @pboling
  • Refreshed generated README support badges so Ruby 2.3 is listed as
    supported but untested - by @pboling
  • Refreshed generated project metadata from the current kettle-jem template - by @pboling
  • Raised development tooling floors to kettle-dev >= 2.1.0 and
    appraisal2 >= 3.1.1 for Appraisal2's split generate/install/update
    command semantics.
  • Refreshed generated Appraisal and CI templates to appraisal2-rubocop 0.2.0 - by @pboling

Removed

  • Dropped the obsolete Ruby 2.3 Caboose workflow and its Hashie appraisal
    gemfiles; development tooling now requires Ruby 2.4 or newer, and Ruby 2.4
    coverage is already handled by the standard Ruby 2.4 workflow - by @pboling

Fixed

  • Updated CI workflow maintenance: QLTY uploads now use OIDC and harden-runner
    is pinned to v2.19.4 - by @pboling
  • Replaced stale platform CI rake magic commands with portable spec commands - by @pboling
  • Pinned multi_xml below 0.9 for TruffleRuby compatibility - by @pboling
  • Marked EOL TruffleRuby 22.3, 23.0, and 23.1 CI as experimental because they can crash inside the interpreter during Bundler setup - by @pboling
  • Improved gemspec version loading for older Rubies and isolated load-path
    contexts - by @pboling
  • Constrained json in TruffleRuby and Ruby 3.2 appraisal bundles so generated
    CI dependency resolution remains compatible with those Ruby targets - by @pboling
  • Pinned generated GitHub Actions actions/checkout steps to the peeled
    v6.0.3 commit SHA so OSSF Scorecard workflow verification accepts them - by @pboling
  • Marked generated EOL TruffleRuby 22.3, 23.0, and 23.1 matrix entries
    experimental so native extension build failures do not fail the whole
    workflow - by @pboling
  • Pinned json only for EOL TruffleRuby appraisal bundles, matching the
    default json gem shipped with each TruffleRuby release instead of
    constraining MRI Ruby appraisal bundles - by @pboling

v2.0.20

21 May 00:34
Immutable release. Only release title and notes can be modified.
v2.0.20
e2d5097

2.0.20 - 2026-05-20

  • TAG: v2.0.20
  • COVERAGE: 99.62% -- 525/527 lines in 15 files
  • BRANCH COVERAGE: 98.88% -- 176/178 branches in 15 files
  • 88.35% documented

Added

  • OAuth2::VERSION (Traditional Constant Location)

Changed

  • auth-sanitizer v0.1.3

Fixed

  • gh!721 Load auth-sanitizer through an internal isolated loader so requiring oauth2 does not add top-level Auth or AuthSanitizer constants that may collide with downstream applications by @pboling

Security

v2.0.19

16 May 07:15
Immutable release. Only release title and notes can be modified.
v2.0.19
63fddbe

2.0.19 - 2026-05-15

  • TAG: v2.0.19
  • COVERAGE: 100.00% -- 515/515 lines in 14 files
  • BRANCH COVERAGE: 100.00% -- 174/174 branches in 14 files
  • 89.11% documented

Added

  • gh!707 Add OAuth2.config[:filtered_label] to configure the placeholder used for filtered sensitive values in inspected objects and debug logging output by @pboling
  • gh!707 Add OAuth2.config[:filtered_debug_keys] to configure which key names have their values redacted from debug logging output by @pboling

Changed

  • gh!707 Make inspect-time and debug-log filters snapshot their configuration at initialization time rather than tracking later config changes by @pboling
  • gh!714 Refactor sensitive-value filtering to use auth-sanitizer while preserving OAuth2::FilteredAttributes as a permanent API alias by @pboling

Removed

  • Remove the internal OAuth2::ThingFilter and OAuth2::SanitizedLogger implementations now provided by auth-sanitizer by @pboling

Security

  • gh!707 Redact sensitive values from debug logging output, including Authorization headers and common token/secret fields in headers, query strings, form bodies, and JSON payloads by @pboling
    • NOTE: debug logging has always been, and remains, opt-in. It is turned off by default.

v2.0.18

08 Nov 11:51
Immutable release. Only release title and notes can be modified.
v2.0.18
b575311

2.0.18 - 2025-11-08

  • TAG: v2.0.18
  • COVERAGE: 100.00% -- 526/526 lines in 14 files
  • BRANCH COVERAGE: 100.00% -- 178/178 branches in 14 files
  • 90.48% documented

Added

Changed

  • gh!685 - upgrade kettle-dev v1.1.24 by @pboling
  • upgrade kettle-dev v1.1.52 by @pboling
    • Add open collective donors to README

Fixed

Security

v2.0.17

16 Sep 03:42
Immutable release. Only release title and notes can be modified.
v2.0.17
061ec4a

2.0.17 - 2025-09-15

  • TAG: v2.0.17
  • COVERAGE: 100.00% -- 526/526 lines in 14 files
  • BRANCH COVERAGE: 100.00% -- 178/178 branches in 14 files
  • 90.48% documented

Added

  • gh!682 - AccessToken: support Hash-based verb-dependent token transmission mode (e.g., {get: :query, post: :header})

v2.0.16

14 Sep 21:14
Immutable release. Only release title and notes can be modified.
v2.0.16
b517202

2.0.16 - 2025-09-14

  • TAG: v2.0.16
  • COVERAGE: 100.00% -- 520/520 lines in 14 files
  • BRANCH COVERAGE: 100.00% -- 176/176 branches in 14 files
  • 90.48% documented

Added

  • gh!680 - E2E example using mock test server added in v2.0.11 by @pboling
    • mock-oauth2-server upgraded to v2.3.0
    • docker compose -f docker-compose-ssl.yml up -d --wait
    • ruby examples/e2e.rb
    • docker compose -f docker-compose-ssl.yml down
    • mock server readiness wait is 90s
    • override via E2E_WAIT_TIMEOUT
  • gh!676, gh!679 - Apache SkyWalking Eyes dependency license check by @pboling

Changed

  • gh!678 - Many improvements to make CI more resilient (past/future proof) by @pboling
  • gh!681 - Upgrade to kettle-dev v1.1.19

Security

v2.0.15

08 Sep 08:38
v2.0.15
cb2965b

2.0.15 - 2025-09-08

  • TAG: v2.0.15
  • COVERAGE: 100.00% -- 519/519 lines in 14 files
  • BRANCH COVERAGE: 100.00% -- 174/174 branches in 14 files
  • 90.48% documented

Added

Changed

Fixed

  • Remove accidentally duplicated lines, and fix typos in CHANGELOG.md
  • point badge to the correct workflow for Ruby 2.3 (caboose.yml)

Security

v2.0.14

31 Aug 11:41
v2.0.14
de505c1

What's Changed

  • 📝 Added OAuth 2.1 draft specification by @pboling in #662
  • 📝 Added OIDC documentation, example, and spec references in OIDC.md by @pboling in #663
  • 📝 Add Example for JHipster UAA Server Integration by @pboling in #664
  • 📝 Document Mutual TLS (mTLS) usage with example in README by @pboling in #665
  • ✅ Documentation with Example for Flat Params Usage, with specs by @pboling in #666
  • ⬆️ kettle-dev v1.0.24 by @pboling in #667

Full Changelog: v2.0.13...v2.0.14
