New features

• Add add_scopes convenience methods to request objects (https://github.com/ramosbugs/oauth2-rs/pull/138)
• Add set_redirect_uri method to CodeTokenRequest (https://github.com/ramosbugs/oauth2-rs/pull/144)

Bug fixes

• Fix Client::disable_openid_scope method (#45)

Other changes

• Add Gitlab example (#44)

Bug Fixes

• Fix panic in AuthorizationRequest::url when using the implicit or hybrid flows

Minor doc fixes

Changes since 2.0.0-beta.1

• Upgrade oauth2 dependency to stable 4.0 release.

Summary of changes since 1.0.0

Breaking changes

• Raise minimum supported Rust version (MSRV) to 1.45.
• Upgrade reqwest to 0.11 and rename feature flag to reqwest. This upgrades tokio to 1.0 and removes support for both the reqwest-010 and reqwest-09 feature flags.
• Drop support for futures 0.1 and remove the futures-01 and futures-03 feature flags; only async/await and futures 0.3 are now supported (without requiring any feature flags).
• Eliminate Async* traits and move the request_async methods to the underlying *Request structs
• Rename set_redirect_url to set_redirect_uri (see #39 for context).
• Migrate public API from http 0.1 to 0.2.
• Return error types that implement std::error::Error instead of failure::Fail.
• Expose serde_path_to_error::Error<serde_json::Error>> in several error types to make JSON deserialization errors easier to diagnose.
• Add #[non_exhaustive] attribute to AuthType to support non-breaking additions in the future.
• Have Client::user_info fail fast with a new ConfigurationError enum when the relevant OAuth2 endpoint hasn't been configured from the OpenID Connect Discovery metadata. Previously, an error would not be returned until a call to request/request_async.

New features

• Add support for OAuth 2.0 Token Revocation (RFC 7009).
• Add support for OAuth 2.0 Token Introspection (RFC 7662).
• Add support for the OAuth2 Client Credentials Grant.
• Add support for ES256/ES384 JWT signatures.

Other changes

• Have reqwest client use rustls-tls by default instead of native TLS. This behavior can be overridden using the native-tls feature flag.
• Disable deprecated OpenID Connect conformance tests.

Breaking Changes

• Add rustls-tls (default) and native-tls feature flags for use with reqwest. Previously, enabling the reqwest feature flag would always use rustls. The default behavior is unchanged, but users that disable the default features and wish to continue using rustls may wish to add the rustls-tls feature flag to their Cargo.toml.
• Expose serde_path_to_error::Error<serde_json::Error>> instead of a serde_json::Error to improve the diagnosability of JSON deserialization errors in the following enum variants:
  • DiscoveryError::Parse
  • RequestTokenError::Parse
  • UserInfoError::Parse
  • registration::ClientRegistrationError::Parse

Breaking Changes

• Raise minimum supported Rust version (MSRV) to 1.45
• Rename set_redirect_url to set_redirect_uri (see #39 for context).
• Upgrade reqwest to 0.11 and rename feature flag from reqwest-010 to reqwest. This upgrades tokio to 1.0.
• Add #[non_exhaustive] attribute to AuthType to support non-breaking additions in the future
• Have Client::user_info fail fast with a new ConfigurationError enum when the relevant OAuth2 endpoint hasn't been configured from the OpenID Connect Discovery metadata. Previously, an error would not be returned until a call to request/request_async.

New Features

• Add support for OAuth 2.0 Token Revocation (RFC 7009).

  Special thanks to @ximon18 for contributing this feature.

• Add support for OAuth 2.0 Token Introspection (RFC 7662).

  Special thanks to @jeroenvervaeke for contributing this feature to the oauth2 crate and to @ximon18 for porting it to this crate.

Other Changes

• Add extra_fields() getter to StandardTokenIntrospectionResponse

Bug fixes

• Fix Rust 1.41 build (the 1.1.0 release used the matches! macro that was not introduced until 1.42)

Breaking changes

• Bump minimum supported Rust version (MSRV) to 1.42

Features

• Add support for ES256/ES384 JWT signatures

Other changes

• Fix compatibility with ring >= 0.16.16

Features

• Add support for ES256/ES384 JWT signatures

Other changes

• Fix compatibility with ring >= 0.16.16

Breaking Changes

• Drop support for reqwest 0.9 (previously enabled via the reqwest-09 feature flag); only the (default) reqwest-010 feature flag is now supported
• Migrate public API from http 0.1 to 0.2
• Drop support for futures 0.1 and remove the futures-01 and futures-03 feature flags; only async/await is now supported (without requiring any feature flags)
• Eliminate Async* traits and move the request_async methods to the underlying *Request structs
• Return error types that implement std::error::Error instead of failure::Fail
• Add Send and Sync bounds to verification functions to enable sharing across threads

NOTE: These changes track the unstable 4.x release for the oauth2 crate.

Other Changes

• Add support for the client credentials grant
• Disable deprecated OpenID Connect conformance tests

• Fix oauth2 version pin to 3.0
• Replace references to old master branch with main

• Upgrade untrusted to 0.7

Breaking Changes

• Upgrade ring to 0.16

Other Changes

• Fix UserInfo response handling when Content-Type includes a charset
• Make the retry crate only a dev dependency
• Remove hyper dev dependency
• Support application/jwk-set+json Content-Type in JWKS response
• Add Client::exchange_password method
• Switch from Rc to Arc to improve async/thread support
• Upgrade rand, itertools, and base64 dependencies
• Add AuthorizationRequest::set_redirect_url method

• Re-export oauth2::{http, url}

Breaking Changes

• Remove RefreshTokenFields and related type parameters (unnecessary since 9152d3f4d5859d224923943ae2ac6b7da7f8a850)
• Add either an Extension variant or #[non_exhaustive] to all exported enums; this raises the minimum supported Rust version to 1.40 but should reduce future breaking changes related to enums

Other Changes

• Update to oauth2 3.0.0-alpha.9, which includes reqwest 0.10 when the reqwest-010 feature flag is enabled
• Add CoreAuthErrorResponseType enum

Breaking Changes

• Add a None enum variant to CoreClientAuthMethod. This variant is not mentioned in the token_endpoint_auth_methods_supported definition, but it is mentioned in the Core spec cited by the former. At least one major OIDC provider uses this variant.

Bug Fixes

• Pin to version 3.0.0-alpha.8 of the oauth2 crate to avoid accidentally depending on request 0.10, which the crate does not yet support.

Breaking Changes

• Add support for async/await and pin to oauth2 3.0.0-alpha.7. Added new docs describing the various HTTP client interfaces. Special thanks to @Folyd for contributing this support.
• Enable CoreAuthenticationFlow by default since type_alias_enum_variants is stable. Effectively sets the minimum supported Rust version to 1.37.0.

Bug Fixes

• Fix deserialization bug in IdTokenClaims and UserInfoClaimsImpl that caused standard claims to be exposed to the deserializer for AC (additional claims). When using AC types that capture all of the remaining claims, this could lead to duplicate keys after re-serializing the claims.

Breaking changes

• Have EndUserPictureUrl, EndUserProfileUrl, and EndUserWebsiteUrl wrap a String instead of a Url

Breaking changes

• Make IdTokenFields::id_token and TokenResponse::id_token return an Option.
• Remove RefreshIdTokenFields now that it's identical to IdTokenFields.
• Remove higher rank trait bounds from NonceVerifier.
• Make DateTime arguments and return types owned values instead of references.

Other changes

• Add enable_openid_scope and disable_openid_scope methods to Client.
• Add require_audience_match and require_issuer_match methods to IdTokenVerifier.
• Make ID token deserialization tolerant of missing aud claim (defaults to empty Vec). Note that ID token validation will still fail unless require_audience_match is used to disable audience validation.
• Add IdToken::into_claims method.
• Add UserInfoClaims::standard_claims method.

Breaking changes

• Bump oauth2 dependency to 3.0.0-alpha.6, which changes the constructors for the URL-based NewTypes (AuthUrl, TokenUrl, RedirectUrl). See that crate's release notes for details. This update also renames reqwest::async_http_client to reqwest::future_http_client and each request_async method to request_future.