
Releases: ramosbugs/oauth2-rs

2.0.0

14 Sep 03:37

Promote 2.0.0-beta.3 to 2.0.0.

3.0.0-alpha.3 (pre-release)

04 Jul 19:14

  • Remove PartialEq derivations on secret types (the derived comparison is not constant-time, leaving callers open to timing attacks)
  • Remove some unnecessary trait bounds
  • Derive Clone for StandardTokenResponse
  • Add request_async API for non-code flows
  • Derive Eq and Hash for String new types
  • Have StandardTokenResponse::set_expires_in take Duration for consistency
  • Add example for a non-spec-compliant provider

2.0.0-beta.3 (pre-release)

22 Jun 04:45

  • Derive Eq, Hash for String new types

3.0.0-alpha.2 (pre-release)

13 Jun 06:57

Security patch

The 3.0.0-alpha.1 release included a new HTTP client that uses the reqwest crate. By default, reqwest follows HTTP redirects. This allows a malicious OAuth2 authorization server to redirect token endpoint requests to arbitrary URLs, including internal addresses reachable from the client, and such a redirect can be used to mount a server-side request forgery (SSRF) attack.

Versions prior to 3.0.0-alpha.1 are not affected. Users of 3.0.0-alpha.1 are encouraged to upgrade to 3.0.0-alpha.2 or a newer release and are discouraged from using any alpha release in a production environment.

Thanks to @d0nutptr for helping to discover this issue!
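
The behaviour this patch requires, as an added std-only Rust example that is not code from the oauth2 crate or from reqwest: a minimal token-endpoint POST that hands a 3xx back to the caller instead of following it, so an authorization server answering with a redirect to an internal address is rejected. The `Response` type, `exchange_token`, and the constructed localhost server used to exercise it are illustrative assumptions, not the crate's API.

```rust
use std::io::{self, Read, Write};
use std::net::{Shutdown, TcpListener, TcpStream};

/// Just the parts of an HTTP response the redirect check needs.
pub struct Response { pub status: u16, pub location: Option<String>, pub body: String }

/// One HTTP/1.1 POST over a plain socket. A 3xx answer comes back to the
/// caller as data; nothing here ever sends a second request to `Location`.
pub fn post_no_redirect(addr: &str, path: &str, form: &str) -> io::Result<Response> {
    let mut stream = TcpStream::connect(addr)?;
    let req = format!("POST {} HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n\
        Content-Type: application/x-www-form-urlencoded\r\nContent-Length: {}\r\n\r\n{}",
        path, addr, form.len(), form);
    stream.write_all(req.as_bytes())?;
    stream.shutdown(Shutdown::Write)?; // half-close: the server sees EOF after the body
    let mut raw = String::new();
    stream.read_to_string(&mut raw)?;
    let (head, body) = raw.split_once("\r\n\r\n").unwrap_or((raw.as_str(), ""));
    let mut lines = head.lines();
    let status: u16 = lines.next()
        .and_then(|l| l.split_whitespace().nth(1)).and_then(|s| s.parse().ok())
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "bad status line"))?;
    let location = lines.filter_map(|l| l.split_once(':'))
        .find(|(k, _)| k.trim().eq_ignore_ascii_case("location"))
        .map(|(_, v)| v.trim().to_string());
    Ok(Response { status, location, body: body.to_string() })
}

/// Token exchange that treats any redirect from the token endpoint as an error
/// instead of following it to wherever the server points (the SSRF primitive).
pub fn exchange_token(addr: &str, path: &str, form: &str) -> Result<String, String> {
    let resp = post_no_redirect(addr, path, form).map_err(|e| e.to_string())?;
    match resp.status {
        200 => Ok(resp.body),
        300..=399 => Err(format!("token endpoint redirected ({}) to {:?}; refusing to follow",
                                 resp.status, resp.location)),
        other => Err(format!("token endpoint returned HTTP {}", other)),
    }
}

/// Constructed stand-in for an authorization server: answers one connection
/// on an ephemeral localhost port with `reply` and returns the address to use.
pub fn spawn_server(reply: &'static str) -> String {
    let listener = TcpListener::bind("127.0.0.1:0").expect("bind");
    let addr = listener.local_addr().expect("local addr").to_string();
    std::thread::spawn(move || {
        let (mut s, _) = listener.accept().expect("accept");
        s.read_to_end(&mut Vec::new()).ok(); // drain the request up to the client's half-close
        s.write_all(reply.as_bytes()).ok();
    });
    addr
}
```

A redirect-following client would instead silently issue the second request to the `Location` target; here it surfaces as an error the caller can log and alert on.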

3.0.0-alpha.1 (pre-release)

10 Jun 04:57

Experimental new API with support for asynchronous requests and arbitrary HTTP clients.

This release features significant breaking changes from the 2.x release branch:

  • Authorization and token exchange requests now use the builder pattern.
  • curl and reqwest are included as HTTP clients; users may implement their own (passed to request or request_async for each token exchange).
  • The insecure module has been removed.

2.0.0-beta.2 (pre-release)

16 Apr 05:17

  • Move rand pin to 0.6
  • Add public methods for instantiating TokenResponse and ErrorResponse.

2.0.0-beta.1 (pre-release)

30 Mar 00:07

The 2.x API is now stable! No further breaking changes are expected until a future 3.x release.

This release is a promotion of 2.0.0-alpha.5 to being API stable. It contains no additional changes.

2.0.0-alpha.5 (pre-release)

04 Mar 06:17

  • Derive Clone for TokenResponse and ErrorResponse
  • Have CsrfToken::new_random use URL-safe base64 encoding
  • Convert TokenResponse to a trait
  • Add exchange_refresh_token_extension for wider refresh token support

2.0.0-alpha.4 (pre-release)

14 Jan 08:22

  • Make CsrfToken and AuthorizationCode (de)serializable.

2.0.0-alpha.3 (pre-release)

09 Dec 02:10

  • Add PKCE support
  • Avoid serializing None fields
  • Add scopes to password grant