oauth2 ver. 1.x already be EOL

[scivola]

No description provided.

[joshbuker]

The plan is to deprecate the custom OAuth implementations entirely for Sorcery v1 (by moving to using OmniAuth).

[Gr8tDaNe]

Any info when we could hope for a release of v1?

[pboling]

Maintainer of Oauth2 here.

Oauth2 v1.x will be EOL in April 2023! Upgrading to v2 isn't hard for most use cases. Can the version restriction be loosened, so people can test with v2 before the release of sorcery v1.0?

[joshbuker]

@pboling What are the breaking changes? If it's not too much of an overhaul, I can patch Sorcery v0 in the meantime. Apologies if there's already documentation on this; I'm at a work conference and don't have time to dig super deep right now.

[pboling]

@joshbuker

• By default, keys are transformed to snake case.
  • Original keys will still work as previously, in most scenarios, thanks to snaky_hash gem.
  • However, this is a breaking change if you rely on response.parsed.to_h to retain the original case, and the original wasn't snake case, as the keys in the result will be snake case.
  • As of version 2.0.4 you can turn key transformation off with the snaky: false option.
• By default, the :auth_scheme is now :basic_auth (instead of :request_body)
  • This was default behavior before version 1.3.0, and it should not have been changed.
  • Third-party strategies and gems may need to be updated if a provider was requiring client id/secret in the request body
  • Clients should set :auth_scheme explicitly.
• Parsing errors are no longer rescued, and will bubble up.
• Default value for option OAuth2::Client - :token_url - removed leading slash to work with relative paths by default ('oauth/token')
• Default value for option OAuth2::Client - :authorize_url - removed leading slash to work with relative paths by default ('oauth/authorize')
• Removed the ability to call .error from an OAuth2::Response object
• Token is expired if expired_at time is now
• Dropped support for Ruby 1.8, 1.9, 2.0, and 2.1

That looks like a lot, but I've not seen many reports of issues with upgrading, and I suspect most people don't have to change anything.

[joshbuker]

I'll see if I can take a stab at this next week.

[joshbuker]

@scivola @Gr8tDaNe @pboling Sorcery v0.16.4 is released which includes the version bump to OAuth2 ~> 2.0

[pboling]

@joshbuker So great!!! Thank you!

[pboling]

@joshbuker ... I just noticed the OAuth 1 support relies on the oauth gem. I maintain that one as well :). I created a few release tracks so I could deprecate old Rubies. For Sorcery you should use:

spec.add_dependency "oauth", ">= 0.6.2"

This will allow people using Ruby 2.7+ to have the latest version 1.1.x, and people stuclk on Ruby 2.4 will get the latest 0.6.x series release (both are actively maintained).

There are a number of bug fixes in both, and I'm not aware of any breaking changes.

[joshbuker]

IIRC, ~> 0.5 will allow 0.6.x releases as well, but not a bad idea to bump it up to whatever the latest is regardless.

Edit: Oh, but yes this would prevent them from using 1.x. Good point.