github ramosbugs/oauth2-rs 3.0.0-alpha.2

pre-release, 6 years ago

Security patch

The 3.0.0-alpha.1 release included a new HTTP client built on the reqwest crate. By default, reqwest follows HTTP redirects. This allows a malicious OAuth2 authorization server to redirect token endpoint requests to arbitrary URLs, including internal addresses reachable from the client but not from the attacker. Such a redirect can be used to mount an SSRF attack against the client's network.

Versions prior to 3.0.0-alpha.1 are not affected. Users of 3.0.0-alpha.1 are encouraged to upgrade to 3.0.0-alpha.2 or a newer release and are discouraged from using any alpha release in a production environment.
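The following is an added example, not oauth2-rs code: a small model of the redirect problem described above, written in plain std Rust (no reqwest) so it runs stand-alone. The token endpoint `https://auth.example/token`, the internal target `http://10.0.0.5/admin` and the responses are constructed sample data. It contrasts a client that follows redirects (the reqwest default the note describes) with one that treats any 3xx from the token endpoint as an error, which is the behaviour a hardened OAuth2 client should have.

```rust
// Added example, not part of oauth2-rs. Models an OAuth2 token request whose
// authorization server answers with a redirect, and shows why the client must
// refuse to follow it. All URLs and responses below are constructed.

/// A simplified HTTP response: status code, optional Location header, body.
#[derive(Debug, Clone, PartialEq)]
pub struct Response {
    pub status: u16,
    pub location: Option<String>,
    pub body: String,
}

/// How the client treats 3xx responses from the token endpoint.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum RedirectPolicy {
    /// Follow redirects (the default the release note warns about).
    Follow,
    /// Refuse redirects: any 3xx from the token endpoint is an error.
    None,
}

#[derive(Debug, PartialEq)]
pub enum TokenError {
    /// Token endpoint answered with a redirect; a hardened client rejects it.
    UnexpectedRedirect { status: u16, location: Option<String> },
    /// Redirect chain exceeded the hop limit.
    TooManyRedirects,
    /// Non-success, non-redirect status.
    HttpStatus(u16),
}

/// Performs a token request against `token_url`. `transport` stands in for the
/// network: it maps a URL to the response the server returns. On success the
/// function returns the URL that was actually fetched together with the body,
/// so the caller can see where the request ended up.
pub fn token_request<F>(
    token_url: &str,
    policy: RedirectPolicy,
    transport: F,
) -> Result<(String, String), TokenError>
where
    F: Fn(&str) -> Response,
{
    let mut url = token_url.to_string();
    for _ in 0..10 {
        let resp = transport(&url);
        match resp.status {
            200 => return Ok((url, resp.body)),
            301 | 302 | 303 | 307 | 308 => match policy {
                // Hardened behaviour: surface the redirect as an error instead
                // of issuing a request to a server-chosen URL.
                RedirectPolicy::None => {
                    return Err(TokenError::UnexpectedRedirect {
                        status: resp.status,
                        location: resp.location,
                    })
                }
                // Vulnerable behaviour: the next hop is entirely under the
                // authorization server's control.
                RedirectPolicy::Follow => match resp.location {
                    Some(next) => url = next,
                    None => return Err(TokenError::HttpStatus(resp.status)),
                },
            },
            other => return Err(TokenError::HttpStatus(other)),
        }
    }
    Err(TokenError::TooManyRedirects)
}

/// Constructed transport: the authorization server at auth.example redirects
/// the token request to an address on the client's internal network (10.0.0.5
/// is a constructed private address, not a real target).
pub fn malicious_transport(url: &str) -> Response {
    match url {
        "https://auth.example/token" => Response {
            status: 302,
            location: Some("http://10.0.0.5/admin".to_string()),
            body: String::new(),
        },
        "http://10.0.0.5/admin" => Response {
            status: 200,
            location: None,
            body: "internal service response".to_string(),
        },
        _ => Response { status: 404, location: None, body: String::new() },
    }
}

fn main() {
    let followed = token_request("https://auth.example/token", RedirectPolicy::Follow, malicious_transport);
    println!("Follow policy fetched: {:?}", followed);
    let refused = token_request("https://auth.example/token", RedirectPolicy::None, malicious_transport);
    println!("None policy result:   {:?}", refused);
}
```

With `RedirectPolicy::Follow` the request silently lands on the internal host; with `RedirectPolicy::None` the client reports `UnexpectedRedirect` and never contacts it. When using reqwest directly, the equivalent hardening is to build the client with redirects disabled (in current reqwest, `reqwest::Client::builder().redirect(reqwest::redirect::Policy::none())`; stated here from knowledge of reqwest, not from this release note) and to treat a 3xx from the token endpoint as a failed token exchange.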

Thanks to @d0nutptr for helping to discover this issue!
