github ramosbugs/oauth2-rs 2.0.0-alpha.1

pre-release, 7 years ago

Unstable release following major rewrite: this release includes breaking changes!

  • Adds extensibility to support arbitrary OAuth 2.0 extensions in the
    future without having to break backward compatibility again. This is
    primarily accomplished through traits and generics (Resolves #27).
  • Improves adherence to the OAuth 2.0 spec (RFC 6749):
    • Requires access token responses to be JSON-encoded, dropping support
      for form-encoded responses. Also adds the HTTP request header
      "Accept: application/json" to ensure that loosely compliant OAuth2
      implementations such as GitHub's return a JSON response (Resolves #33).
    • Fixes the access token error response types enum to follow Section
      5.2 of the spec instead of 4.2.2.1, which is for the Implicit Grant
      flow only. The Implicit Grant errors are only seen by the browser,
      and not by client applications that would be using this library.
    • Fixes parsing of the "scope" token response field, which is a
      space-delimited string instead of a JSON array of strings.
    • Removes the "state" field from the token error response, which is not
      defined in Section 5.2 of the spec. This field is only returned by
      earlier steps in the OAuth2 flows.
    • Only parses the access token response as an error if the client
      receives a non-200 HTTP response code. Section 5.2 of the spec defines
      the expected response code as 400 Bad Request.
    • Uses HTTP Basic Auth for client authentication by default, rather
      than including the client_id and client_secret in the request body.
      This matches the recommendation in Section 2.3.1 of the spec.
  • Slightly improves the usability of the library:
    • Renames the main struct from Config to Client.
    • Makes the "state" parameter mandatory unless the "insecure" module is
      used (Fixes #28). This is critical to protect clients against CSRF.
    • Improves the documentation to more closely refer to the spec.
    • Improves the examples to include CSRF protection.
  • Adds stronger typing using the NewType pattern.
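
The HTTP Basic client authentication mentioned in the notes above, as an added example that is not oauth2-rs code: Section 2.3.1 of RFC 6749 form-urlencodes the client_id and client_secret (Appendix B) before joining them with ":" and base64-encoding, so a colon or non-ASCII byte in either value cannot make the header ambiguous. The function names and the sample credentials are assumptions constructed for illustration.

```rust
// Added example (hypothetical helper names, std only; not the library's implementation).
const B64: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/// application/x-www-form-urlencoded encoding, as referenced by RFC 6749 Appendix B.
fn form_urlencode(input: &str) -> String {
    let mut out = String::new();
    for &b in input.as_bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'*' | b'-' | b'.' | b'_' => {
                out.push(b as char)
            }
            b' ' => out.push('+'),
            // Everything else, including ':' and UTF-8 bytes, is percent-encoded.
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Standard base64 with padding (RFC 4648).
fn base64(data: &[u8]) -> String {
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let n = (chunk[0] as u32) << 16
            | (*chunk.get(1).unwrap_or(&0) as u32) << 8
            | (*chunk.get(2).unwrap_or(&0) as u32);
        for i in 0..4 {
            if i <= chunk.len() {
                out.push(B64[((n >> (18 - 6 * i)) & 0x3F) as usize] as char);
            } else {
                out.push('='); // pad a short final chunk
            }
        }
    }
    out
}

/// Builds the Authorization header value sent with the token request.
fn basic_auth_header(client_id: &str, client_secret: &str) -> String {
    let credentials = format!("{}:{}", form_urlencode(client_id), form_urlencode(client_secret));
    format!("Basic {}", base64(credentials.as_bytes()))
}

fn main() {
    // Constructed sample credentials, not real ones.
    println!("Authorization: {}", basic_auth_header("my client", "p@ss:w/rd"));
}
```

Because the only raw colon left in the decoded credentials is the separator, the authorization server can split the pair unambiguously even when the secret itself contains ":".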