Thank you for this PR; as an alternative, could you slightly refactor the current function to have one build_hyper_client() (like now), and another build_insecure_http_hyper_client()? Having a secure-by-default API is probably the right thing to do in a security-sensitive area like authentication, and it would allow users to choose for themselves.

In any case, thank you for taking the time to fix this!

Should I also change the default http client built for ApplicationDefaultCredentialsAuthenticator ?

Most of the checks fail due to #178 which renamed some type parameters. It should be enough to rebase and rename C into S.

Should I also change the default http client built for ApplicationDefaultCredentialsAuthenticator ?

Sorry, which default client build do you mean?

Well since the metadata server is always over http, should I also manage any default constructors for the authenticator? or would it be too risky?

Well since the metadata server is always over http, should I also manage any default constructors for the authenticator? or would it be too risky?

I think one blocking problem is that a "secure" builder is built by default (https://docs.rs/yup-oauth2/latest/src/yup_oauth2/authenticator.rs.html#441). I'm sorry for not having this in mind earlier (I've grown somewhat estranged from this code base, unfortunately - need to take the time to re-learn it).

Maybe, after all, your original PR (allowing HTTP) is still the best solution. I wonder if there is a practical threat scenario in which this would make a difference; if somebody has access to change your token URL, they could conceivably do more dangerous things in the first place.

I'm sorry for the confusion! This crate has grown quite complex in the meantime.

After giving it some thought, I realize it is probably better to remain secure by default and have a deliberate implementation of an insecure client when using the metadata server.

So here is my proposal:
We close this PR and simply add additional documentation for examples on using the library with the metadata server

Additional documentation sounds good, although note that my commit already enabled HTTP fallback (for all I can see, the token URLs etc. are supplied by the application developer, and they should be HTTPS).