From b5a1648ad7c3d0a1ea37f10a68ece6422e251a57 Mon Sep 17 00:00:00 2001 From: "Peter H. Boling" Date: Thu, 25 Sep 2025 08:04:14 -0600 Subject: [PATCH 01/13] =?UTF-8?q?=F0=9F=A7=91=E2=80=8D=F0=9F=92=BB=20IDE?= =?UTF-8?q?=20Settings?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .idea/copilot.data.migration.agent.xml | 6 ++++++ .idea/copilot.data.migration.ask.xml | 6 ++++++ .idea/copilot.data.migration.ask2agent.xml | 6 ++++++ .idea/copilot.data.migration.edit.xml | 6 ++++++ 4 files changed, 24 insertions(+) create mode 100644 .idea/copilot.data.migration.agent.xml create mode 100644 .idea/copilot.data.migration.ask.xml create mode 100644 .idea/copilot.data.migration.ask2agent.xml create mode 100644 .idea/copilot.data.migration.edit.xml diff --git a/.idea/copilot.data.migration.agent.xml b/.idea/copilot.data.migration.agent.xml new file mode 100644 index 00000000..4ea72a91 --- /dev/null +++ b/.idea/copilot.data.migration.agent.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/.idea/copilot.data.migration.ask.xml b/.idea/copilot.data.migration.ask.xml new file mode 100644 index 00000000..7ef04e2e --- /dev/null +++ b/.idea/copilot.data.migration.ask.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/.idea/copilot.data.migration.ask2agent.xml b/.idea/copilot.data.migration.ask2agent.xml new file mode 100644 index 00000000..1f2ea11e --- /dev/null +++ b/.idea/copilot.data.migration.ask2agent.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file diff --git a/.idea/copilot.data.migration.edit.xml b/.idea/copilot.data.migration.edit.xml new file mode 100644 index 00000000..8648f940 --- /dev/null +++ b/.idea/copilot.data.migration.edit.xml @@ -0,0 +1,6 @@ + + + + + \ No newline at end of file From 4b651294e0d0338af16936de3e18b9e63a9f7f4d Mon Sep 17 00:00:00 2001 From: "Peter H. Boling" Date: Thu, 25 Sep 2025 08:13:45 -0600 Subject: [PATCH 02/13] =?UTF-8?q?=F0=9F=94=90=20Add=20draft=20IRP?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- IRP.md | 117 ++++++++++ README.md | 32 +-- SECURITY.md | 3 + docs/OAuth2.html | 2 +- docs/OAuth2/AccessToken.html | 2 +- docs/OAuth2/Authenticator.html | 2 +- docs/OAuth2/Client.html | 2 +- docs/OAuth2/Error.html | 2 +- docs/OAuth2/FilteredAttributes.html | 2 +- .../FilteredAttributes/ClassMethods.html | 2 +- docs/OAuth2/Response.html | 2 +- docs/OAuth2/Strategy.html | 2 +- docs/OAuth2/Strategy/Assertion.html | 2 +- docs/OAuth2/Strategy/AuthCode.html | 2 +- docs/OAuth2/Strategy/Base.html | 2 +- docs/OAuth2/Strategy/ClientCredentials.html | 2 +- docs/OAuth2/Strategy/Implicit.html | 2 +- docs/OAuth2/Strategy/Password.html | 2 +- docs/OAuth2/Version.html | 2 +- docs/_index.html | 67 +++--- docs/file.CHANGELOG.html | 2 +- docs/file.CITATION.html | 2 +- docs/file.CODE_OF_CONDUCT.html | 2 +- docs/file.CONTRIBUTING.html | 2 +- docs/file.FUNDING.html | 2 +- docs/file.IRP.html | 218 ++++++++++++++++++ docs/file.LICENSE.html | 2 +- docs/file.OIDC.html | 2 +- docs/file.README.html | 34 +-- docs/file.REEK.html | 2 +- docs/file.RUBOCOP.html | 2 +- docs/file.SECURITY.html | 4 +- docs/file.access_token.html | 2 +- docs/file.authenticator.html | 2 +- docs/file.client.html | 2 +- docs/file.error.html | 2 +- docs/file.filtered_attributes.html | 2 +- docs/file.oauth2-2.0.10.gem.html | 2 +- docs/file.oauth2-2.0.11.gem.html | 2 +- docs/file.oauth2-2.0.12.gem.html | 2 +- docs/file.oauth2-2.0.13.gem.html | 2 +- docs/file.oauth2-2.0.14.gem.html | 2 +- docs/file.oauth2-2.0.15.gem.html | 2 +- docs/file.oauth2-2.0.16.gem.html | 2 +- docs/file.oauth2-2.0.17.gem.html | 2 +- docs/file.oauth2.html | 2 +- docs/file.response.html | 2 +- docs/file.strategy.html | 2 +- docs/file.version.html | 2 +- docs/file_list.html | 67 +++--- docs/index.html | 34 +-- docs/top-level-namespace.html | 2 +- oauth2.gemspec | 1 + 53 files changed, 509 insertions(+), 154 deletions(-) create mode 100644 IRP.md create mode 100644 docs/file.IRP.html diff --git a/IRP.md b/IRP.md new file mode 100644 index 00000000..e80ae39a --- /dev/null +++ b/IRP.md @@ -0,0 +1,117 @@ +# Incident Response Plan (IRP) + +Status: Draft + +Purpose +------- +This Incident Response Plan (IRP) defines the steps the project maintainer(s) will follow when handling security incidents related to the `oauth2` gem. It is written for a small project with a single primary maintainer and is intended to be practical, concise, and actionable. + +Scope +----- +Applies to security incidents that affect the `oauth2` codebase, releases (gems), CI/CD infrastructure related to building and publishing the gem, repository credentials, or any compromise of project infrastructure that could impact users. + +Key assumptions +- This project is maintained primarily by a single maintainer. +- Public vulnerability disclosure is handled via Tidelift (see `SECURITY.md`). +- The maintainer will act as incident commander unless otherwise delegated. + +Contact & Roles +--------------- +- Incident Commander: Primary maintainer (repo owner). Responsible for coordinating triage, remediation, and communications. +- Secondary Contact: (optional) A trusted collaborator or organization contact if available. + +If you are an external reporter +- Do not publicly disclose details of an active vulnerability before coordination via Tidelift. +- See `SECURITY.md` for Tidelift disclosure instructions. If the reporter has questions and cannot use Tidelift, they may open a direct encrypted report as described in `SECURITY.md` (if available) or email the maintainer contact listed in the repository. + +Incident Handling Workflow (high level) +--------------------------------------- +1. Identification & Reporting + - Reports may arrive via Tidelift, issue tracker, direct email, or third-party advisories. + - Immediately acknowledge receipt (within 24-72 hours) via the reporting channel. + +2. Triage & Initial Assessment (first 72 hours) + - Confirm the report is not duplicative and gather: reproducer, affected versions, attack surface, exploitability, and CVSS-like severity estimate. + - Verify the issue against the codebase and reproduce locally if possible. + - Determine scope: which versions are affected, whether the issue is in code paths executed in common setups, and whether a workaround exists. + +3. Containment & Mitigation + - If a simple mitigation or workaround (configuration change, safe default, or recommended upgrade) exists, document it clearly in the issue/Tidelift advisory. + - If immediate removal of a release is required (rare), consult Tidelift for coordinated takedown and notify package hosts if applicable. + +4. Remediation & Patch + - Prepare a fix in a branch with tests and changelog entries. Prefer minimal, well-tested changes. + - Include tests that reproduce the faulty behavior and demonstrate the fix. + - Hardening: add fuzz tests, input validation, or additional checks as appropriate. + +5. Release & Disclosure + - Coordinate disclosure through Tidelift per `SECURITY.md` timelines. Aim for a coordinated disclosure and patch release to minimize risk to users. + - Publish a patch release (increment gem version) and an advisory via Tidelift. + - Update `CHANGELOG.md` and repository release notes with non-sensitive details. + +6. Post-Incident + - Produce a short postmortem: timeline, root cause, actions taken, and follow-ups. + - Add/adjust tests and CI checks to prevent regressions. + - If credentials or infrastructure were compromised, rotate secrets and audit access. + +Severity classification (guidance) +--------------------------------- +- High/Critical: Remote code execution, data exfiltration, or any vulnerability that can be exploited without user interaction. Immediate action and prioritized patching. +- Medium: Privilege escalation, sensitive information leaks that require specific conditions. Patch in the next release cycle with advisory. +- Low: Minor information leaks, UI issues, or non-exploitable bugs. Fix normally and include in the next scheduled release. + +Preservation of evidence +------------------------ +- Preserve all reporter-provided data, logs, and reproducer code in a secure location (local encrypted storage or private branch) for the investigation. +- Do not publish evidence that would enable exploitation before coordinated disclosure. + +Communication templates +----------------------- +Acknowledgement (to reporter) + +"Thank you for reporting this issue. I've received your report and will triage it within 72 hours. If you can, please provide reproduction steps, affected versions, and any exploit PoC. I will coordinate disclosure through Tidelift per the project's security policy." + +Public advisory (after patch is ready) + +"A security advisory for oauth2 (versions X.Y.Z) has been published via Tidelift. Please upgrade to version A.B.C which patches [brief description]. See the advisory for details and recommended mitigations." + +Runbook: Quick steps for a maintainer to patch and release +--------------------------------------------------------- +1. Create a branch: `git checkout -b fix/security-brief-description` +2. Reproduce the issue locally and add a regression spec in `spec/`. +3. Implement the fix and run the test suite: `bundle exec rspec` (or the project's preferred test command). +4. Bump version in `lib/oauth2/version.rb` following semantic versioning. +5. Update `CHANGELOG.md` with an entry describing the fix (avoid exploit details). +6. Commit and push the branch, open a PR, and merge after approvals. +7. Build and push the gem: `gem build oauth2.gemspec && gem push pkg/...` (coordinate with Tidelift before public push if disclosure is coordinated). +8. Publish a release on GitHub and ensure the Tidelift advisory is posted. + +Operational notes +----------------- +- Secrets: Use local encrypted storage for any sensitive reporter data. If repository or CI secrets may be compromised, rotate them immediately and update dependent services. +- Access control: Limit who can publish gems and who has admin access to the repo. Keep an up-to-date list of collaborators in a secure place. + +Legal & regulatory +------------------ +- If the incident involves user data or has legal implications, consult legal counsel or the maintainers' employer as appropriate. The maintainer should document the timeline and all communications. + +Retrospective & continuous improvement +------------------------------------- +After an incident, perform a brief post-incident review covering: +- What happened and why +- What was done to contain and remediate +- What tests or process changes will prevent recurrence +- Assign owners and deadlines for follow-up tasks + +References +---------- +- See `SECURITY.md` for the project's official disclosure channel (Tidelift). + +Appendix: Example checklist for an incident +------------------------------------------ +- [ ] Acknowledge report to reporter (24-72 hours) +- [ ] Reproduce and classify severity +- [ ] Prepare and test a fix in a branch +- [ ] Coordinate disclosure via Tidelift +- [ ] Publish patch release and advisory +- [ ] Postmortem and follow-up actions diff --git a/README.md b/README.md index f8e13f12..15f081c5 100644 --- a/README.md +++ b/README.md @@ -129,19 +129,19 @@ If it seems like you are in the wrong place, you might try one of these: ## 💡 Info you can shake a stick at -| Tokens to Remember | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace] | -|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Works with JRuby | ![JRuby 9.1 Compat][💎jruby-9.1i] ![JRuby 9.2 Compat][💎jruby-9.2i] ![JRuby 9.3 Compat][💎jruby-9.3i]
[![JRuby 9.4 Compat][💎jruby-9.4i]][🚎10-j-wf] [![JRuby 10.0 Compat][💎jruby-c-i]][🚎11-c-wf] [![JRuby HEAD Compat][💎jruby-headi]][🚎3-hd-wf] | -| Works with Truffle Ruby | ![Truffle Ruby 22.3 Compat][💎truby-22.3i] ![Truffle Ruby 23.0 Compat][💎truby-23.0i]
[![Truffle Ruby 23.1 Compat][💎truby-23.1i]][🚎9-t-wf] [![Truffle Ruby 24.1 Compat][💎truby-c-i]][🚎11-c-wf] | -| Works with MRI Ruby 3 | [![Ruby 3.0 Compat][💎ruby-3.0i]][🚎4-lg-wf] [![Ruby 3.1 Compat][💎ruby-3.1i]][🚎6-s-wf] [![Ruby 3.2 Compat][💎ruby-3.2i]][🚎6-s-wf] [![Ruby 3.3 Compat][💎ruby-3.3i]][🚎6-s-wf] [![Ruby 3.4 Compat][💎ruby-c-i]][🚎11-c-wf] [![Ruby HEAD Compat][💎ruby-headi]][🚎3-hd-wf] | -| Works with MRI Ruby 2 | ![Ruby 2.2 Compat][💎ruby-2.2i]
[![Ruby 2.3 Compat][💎ruby-2.3i]][🚎1-an-wf] [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎1-an-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎1-an-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎7-us-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎7-us-wf] | -| Support & Community | [![Join Me on Daily.dev's RubyFriends][✉️ruby-friends-img]][✉️ruby-friends] [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] [![Get help from me on Upwork][👨🏼‍🏫expsup-upwork-img]][👨🏼‍🏫expsup-upwork] [![Get help from me on Codementor][👨🏼‍🏫expsup-codementor-img]][👨🏼‍🏫expsup-codementor] | -| Source | [![Source on GitLab.com][📜src-gl-img]][📜src-gl] [![Source on CodeBerg.org][📜src-cb-img]][📜src-cb] [![Source on Github.com][📜src-gh-img]][📜src-gh] [![The best SHA: dQw4w9WgXcQ!][🧮kloc-img]][🧮kloc] | -| Documentation | [![Current release on RubyDoc.info][📜docs-cr-rd-img]][🚎yard-current] [![YARD on Galtzo.com][📜docs-head-rd-img]][🚎yard-head] [![Maintainer Blog][🚂maint-blog-img]][🚂maint-blog] [![GitLab Wiki][📜gl-wiki-img]][📜gl-wiki] [![GitHub Wiki][📜gh-wiki-img]][📜gh-wiki] | -| Compliance | [![License: MIT][📄license-img]][📄license-ref] [![Compatible with Apache Software Projects: Verified by SkyWalking Eyes][📄license-compat-img]][📄license-compat] [![📄ilo-declaration-img]][📄ilo-declaration] [![Security Policy][🔐security-img]][🔐security] [![Contributor Covenant 2.1][🪇conduct-img]][🪇conduct] [![SemVer 2.0.0][📌semver-img]][📌semver] | -| Style | [![Enforced Code Style Linter][💎rlts-img]][💎rlts] [![Keep-A-Changelog 1.0.0][📗keep-changelog-img]][📗keep-changelog] [![Gitmoji Commits][📌gitmoji-img]][📌gitmoji] [![Compatibility appraised by: appraisal2][💎appraisal2-img]][💎appraisal2] | -| Maintainer 🎖️ | [![Follow Me on LinkedIn][💖🖇linkedin-img]][💖🖇linkedin] [![Follow Me on Ruby.Social][💖🐘ruby-mast-img]][💖🐘ruby-mast] [![Follow Me on Bluesky][💖🦋bluesky-img]][💖🦋bluesky] [![Contact Maintainer][🚂maint-contact-img]][🚂maint-contact] [![My technical writing][💖💁🏼‍♂️devto-img]][💖💁🏼‍♂️devto] | -| `...` 💖 | [![Find Me on WellFound:][💖✌️wellfound-img]][💖✌️wellfound] [![Find Me on CrunchBase][💖💲crunchbase-img]][💖💲crunchbase] [![My LinkTree][💖🌳linktree-img]][💖🌳linktree] [![More About Me][💖💁🏼‍♂️aboutme-img]][💖💁🏼‍♂️aboutme] [🧊][💖🧊berg] [🐙][💖🐙hub] [🛖][💖🛖hut] [🧪][💖🧪lab] | +| Tokens to Remember | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace] | +|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Works with JRuby | ![JRuby 9.1 Compat][💎jruby-9.1i] ![JRuby 9.2 Compat][💎jruby-9.2i] ![JRuby 9.3 Compat][💎jruby-9.3i]
[![JRuby 9.4 Compat][💎jruby-9.4i]][🚎10-j-wf] [![JRuby 10.0 Compat][💎jruby-c-i]][🚎11-c-wf] [![JRuby HEAD Compat][💎jruby-headi]][🚎3-hd-wf] | +| Works with Truffle Ruby | ![Truffle Ruby 22.3 Compat][💎truby-22.3i] ![Truffle Ruby 23.0 Compat][💎truby-23.0i]
[![Truffle Ruby 23.1 Compat][💎truby-23.1i]][🚎9-t-wf] [![Truffle Ruby 24.1 Compat][💎truby-c-i]][🚎11-c-wf] | +| Works with MRI Ruby 3 | [![Ruby 3.0 Compat][💎ruby-3.0i]][🚎4-lg-wf] [![Ruby 3.1 Compat][💎ruby-3.1i]][🚎6-s-wf] [![Ruby 3.2 Compat][💎ruby-3.2i]][🚎6-s-wf] [![Ruby 3.3 Compat][💎ruby-3.3i]][🚎6-s-wf] [![Ruby 3.4 Compat][💎ruby-c-i]][🚎11-c-wf] [![Ruby HEAD Compat][💎ruby-headi]][🚎3-hd-wf] | +| Works with MRI Ruby 2 | ![Ruby 2.2 Compat][💎ruby-2.2i]
[![Ruby 2.3 Compat][💎ruby-2.3i]][🚎1-an-wf] [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎1-an-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎1-an-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎7-us-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎7-us-wf] | +| Support & Community | [![Join Me on Daily.dev's RubyFriends][✉️ruby-friends-img]][✉️ruby-friends] [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] [![Get help from me on Upwork][👨🏼‍🏫expsup-upwork-img]][👨🏼‍🏫expsup-upwork] [![Get help from me on Codementor][👨🏼‍🏫expsup-codementor-img]][👨🏼‍🏫expsup-codementor] | +| Source | [![Source on GitLab.com][📜src-gl-img]][📜src-gl] [![Source on CodeBerg.org][📜src-cb-img]][📜src-cb] [![Source on Github.com][📜src-gh-img]][📜src-gh] [![The best SHA: dQw4w9WgXcQ!][🧮kloc-img]][🧮kloc] | +| Documentation | [![Current release on RubyDoc.info][📜docs-cr-rd-img]][🚎yard-current] [![YARD on Galtzo.com][📜docs-head-rd-img]][🚎yard-head] [![Maintainer Blog][🚂maint-blog-img]][🚂maint-blog] [![GitLab Wiki][📜gl-wiki-img]][📜gl-wiki] [![GitHub Wiki][📜gh-wiki-img]][📜gh-wiki] | +| Compliance | [![License: MIT][📄license-img]][📄license-ref] [![Compatible with Apache Software Projects: Verified by SkyWalking Eyes][📄license-compat-img]][📄license-compat] [![📄ilo-declaration-img]][📄ilo-declaration] [![Incident Response Plan][🔐irp-img]][🔐irp] [![Security Policy][🔐security-img]][🔐security] [![Contributor Covenant 2.1][🪇conduct-img]][🪇conduct] [![SemVer 2.0.0][📌semver-img]][📌semver] | +| Style | [![Enforced Code Style Linter][💎rlts-img]][💎rlts] [![Keep-A-Changelog 1.0.0][📗keep-changelog-img]][📗keep-changelog] [![Gitmoji Commits][📌gitmoji-img]][📌gitmoji] [![Compatibility appraised by: appraisal2][💎appraisal2-img]][💎appraisal2] | +| Maintainer 🎖️ | [![Follow Me on LinkedIn][💖🖇linkedin-img]][💖🖇linkedin] [![Follow Me on Ruby.Social][💖🐘ruby-mast-img]][💖🐘ruby-mast] [![Follow Me on Bluesky][💖🦋bluesky-img]][💖🦋bluesky] [![Contact Maintainer][🚂maint-contact-img]][🚂maint-contact] [![My technical writing][💖💁🏼‍♂️devto-img]][💖💁🏼‍♂️devto] | +| `...` 💖 | [![Find Me on WellFound:][💖✌️wellfound-img]][💖✌️wellfound] [![Find Me on CrunchBase][💖💲crunchbase-img]][💖💲crunchbase] [![My LinkTree][💖🌳linktree-img]][💖🌳linktree] [![More About Me][💖💁🏼‍♂️aboutme-img]][💖💁🏼‍♂️aboutme] [🧊][💖🧊berg] [🐙][💖🐙hub] [🛖][💖🛖hut] [🧪][💖🧪lab] | ### Compatibility @@ -511,7 +511,7 @@ of a major release, support for that Ruby version may be dropped. | 3️⃣ | older | N/A | Best of luck to you! | Please upgrade! | | NOTE: The 1.4 series will only receive critical security updates. -See [SECURITY.md][🔐security]. +See [SECURITY.md][🔐security] and [IRP.md][🔐irp]. ## ⚙️ Configuration @@ -1325,7 +1325,7 @@ I’m developing a new library, [floss_funding][🖇floss-funding-gem], designed To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security). Tidelift will coordinate the fix and disclosure. -For more see [SECURITY.md][🔐security]. +For more see [SECURITY.md][🔐security] and [IRP.md][🔐irp]. ## 🤝 Contributing @@ -1648,6 +1648,8 @@ Thanks for RTFM. ☺️ [🧮kloc-img]: https://img.shields.io/badge/KLOC-0.526-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue [🔐security]: SECURITY.md [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat +[🔐irp]: IRP.md +[🔐irp-img]: https://img.shields.io/badge/irp-259D6C.svg?style=flat [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year [📄license]: LICENSE.txt [📄license-ref]: https://opensource.org/licenses/MIT diff --git a/SECURITY.md b/SECURITY.md index a319529f..e295726c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,6 +12,8 @@ To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security). Tidelift will coordinate the fix and disclosure. +More detailed explanation of the process is in [IRP.md][IRP] + ## Additional Support If you are interested in support for versions older than the latest release, @@ -19,3 +21,4 @@ please consider sponsoring the project / maintainer @ https://liberapay.com/pbol or find other sponsorship links in the [README]. [README]: README.md +[IRP]: IRP.md diff --git a/docs/OAuth2.html b/docs/OAuth2.html index 3b664d6f..1e3c3468 100644 --- a/docs/OAuth2.html +++ b/docs/OAuth2.html @@ -415,7 +415,7 @@

diff --git a/docs/OAuth2/AccessToken.html b/docs/OAuth2/AccessToken.html index ff4414d7..f7d97474 100644 --- a/docs/OAuth2/AccessToken.html +++ b/docs/OAuth2/AccessToken.html @@ -3083,7 +3083,7 @@

diff --git a/docs/OAuth2/Authenticator.html b/docs/OAuth2/Authenticator.html index 241b47cc..5f2dda28 100644 --- a/docs/OAuth2/Authenticator.html +++ b/docs/OAuth2/Authenticator.html @@ -883,7 +883,7 @@

diff --git a/docs/OAuth2/Client.html b/docs/OAuth2/Client.html index 87be2028..6bafad99 100644 --- a/docs/OAuth2/Client.html +++ b/docs/OAuth2/Client.html @@ -2656,7 +2656,7 @@

diff --git a/docs/OAuth2/Error.html b/docs/OAuth2/Error.html index a53c4daf..c4633eda 100644 --- a/docs/OAuth2/Error.html +++ b/docs/OAuth2/Error.html @@ -772,7 +772,7 @@

diff --git a/docs/OAuth2/FilteredAttributes.html b/docs/OAuth2/FilteredAttributes.html index fc8d7c2b..06bf41be 100644 --- a/docs/OAuth2/FilteredAttributes.html +++ b/docs/OAuth2/FilteredAttributes.html @@ -335,7 +335,7 @@

diff --git a/docs/OAuth2/FilteredAttributes/ClassMethods.html b/docs/OAuth2/FilteredAttributes/ClassMethods.html index 0c5e8f29..fd1d9162 100644 --- a/docs/OAuth2/FilteredAttributes/ClassMethods.html +++ b/docs/OAuth2/FilteredAttributes/ClassMethods.html @@ -280,7 +280,7 @@

diff --git a/docs/OAuth2/Response.html b/docs/OAuth2/Response.html index f0b7430d..8136150c 100644 --- a/docs/OAuth2/Response.html +++ b/docs/OAuth2/Response.html @@ -1619,7 +1619,7 @@

diff --git a/docs/OAuth2/Strategy.html b/docs/OAuth2/Strategy.html index 707ec196..c5eb1311 100644 --- a/docs/OAuth2/Strategy.html +++ b/docs/OAuth2/Strategy.html @@ -107,7 +107,7 @@

Defined Under Namespace

diff --git a/docs/OAuth2/Strategy/Assertion.html b/docs/OAuth2/Strategy/Assertion.html index ae3bbd75..8dcb69cb 100644 --- a/docs/OAuth2/Strategy/Assertion.html +++ b/docs/OAuth2/Strategy/Assertion.html @@ -481,7 +481,7 @@

diff --git a/docs/OAuth2/Strategy/AuthCode.html b/docs/OAuth2/Strategy/AuthCode.html index b87c6a3d..0d6bf5a3 100644 --- a/docs/OAuth2/Strategy/AuthCode.html +++ b/docs/OAuth2/Strategy/AuthCode.html @@ -483,7 +483,7 @@

diff --git a/docs/OAuth2/Strategy/Base.html b/docs/OAuth2/Strategy/Base.html index da18d6d0..dbdc8af0 100644 --- a/docs/OAuth2/Strategy/Base.html +++ b/docs/OAuth2/Strategy/Base.html @@ -195,7 +195,7 @@

diff --git a/docs/OAuth2/Strategy/ClientCredentials.html b/docs/OAuth2/Strategy/ClientCredentials.html index a5a81923..c5ed61d8 100644 --- a/docs/OAuth2/Strategy/ClientCredentials.html +++ b/docs/OAuth2/Strategy/ClientCredentials.html @@ -343,7 +343,7 @@

diff --git a/docs/OAuth2/Strategy/Implicit.html b/docs/OAuth2/Strategy/Implicit.html index c43912ac..42064b4c 100644 --- a/docs/OAuth2/Strategy/Implicit.html +++ b/docs/OAuth2/Strategy/Implicit.html @@ -420,7 +420,7 @@

diff --git a/docs/OAuth2/Strategy/Password.html b/docs/OAuth2/Strategy/Password.html index 791d98f0..47344a51 100644 --- a/docs/OAuth2/Strategy/Password.html +++ b/docs/OAuth2/Strategy/Password.html @@ -374,7 +374,7 @@

diff --git a/docs/OAuth2/Version.html b/docs/OAuth2/Version.html index 7ff03632..c9814a83 100644 --- a/docs/OAuth2/Version.html +++ b/docs/OAuth2/Version.html @@ -111,7 +111,7 @@

diff --git a/docs/_index.html b/docs/_index.html index 65d62e35..a97b0e0d 100644 --- a/docs/_index.html +++ b/docs/_index.html @@ -75,97 +75,100 @@

File Listing

  • FUNDING
    • -
  • OIDC
    • +
  • IRP
    • -
  • RUBOCOP
    • +
  • OIDC
    • -
  • SECURITY
    • +
  • RUBOCOP
    • -
  • LICENSE
    • +
  • SECURITY
    • -
  • CITATION
    • +
  • LICENSE
    • -
  • oauth2-2.0.10.gem
    • +
  • CITATION
    • -
  • oauth2-2.0.11.gem
    • +
  • oauth2-2.0.10.gem
    • -
  • oauth2-2.0.12.gem
    • +
  • oauth2-2.0.11.gem
    • -
  • oauth2-2.0.13.gem
    • +
  • oauth2-2.0.12.gem
    • -
  • oauth2-2.0.14.gem
    • +
  • oauth2-2.0.13.gem
    • -
  • oauth2-2.0.15.gem
    • +
  • oauth2-2.0.14.gem
    • -
  • oauth2-2.0.16.gem
    • +
  • oauth2-2.0.15.gem
    • -
  • oauth2-2.0.17.gem
    • +
  • oauth2-2.0.16.gem
    • -
  • oauth2-2.0.10.gem
    • +
  • oauth2-2.0.17.gem
    • -
  • oauth2-2.0.11.gem
    • +
  • oauth2-2.0.10.gem
    • -
  • oauth2-2.0.12.gem
    • +
  • oauth2-2.0.11.gem
    • -
  • oauth2-2.0.13.gem
    • +
  • oauth2-2.0.12.gem
    • -
  • oauth2-2.0.14.gem
    • +
  • oauth2-2.0.13.gem
    • -
  • oauth2-2.0.15.gem
    • +
  • oauth2-2.0.14.gem
    • -
  • oauth2-2.0.16.gem
    • +
  • oauth2-2.0.15.gem
    • -
  • oauth2-2.0.17.gem
    • +
  • oauth2-2.0.16.gem
    • -
  • REEK
    • +
  • oauth2-2.0.17.gem
    • -
  • access_token
    • +
  • REEK
    • -
  • authenticator
    • +
  • access_token
    • -
  • client
    • +
  • authenticator
    • -
  • error
    • +
  • client
    • -
  • filtered_attributes
    • +
  • error
    • -
  • response
    • +
  • filtered_attributes
    • -
  • strategy
    • +
  • response
    • -
  • version
    • +
  • strategy
    • -
  • oauth2
    • +
  • version
    • + + +
  • oauth2
    • @@ -390,7 +393,7 @@

    Namespace Listing A-Z

    diff --git a/docs/file.CHANGELOG.html b/docs/file.CHANGELOG.html index b9eb2bb9..eac16fe4 100644 --- a/docs/file.CHANGELOG.html +++ b/docs/file.CHANGELOG.html @@ -1290,7 +1290,7 @@

    diff --git a/docs/file.CITATION.html b/docs/file.CITATION.html index 34983c8c..f5619201 100644 --- a/docs/file.CITATION.html +++ b/docs/file.CITATION.html @@ -82,7 +82,7 @@ diff --git a/docs/file.CODE_OF_CONDUCT.html b/docs/file.CODE_OF_CONDUCT.html index 2777fe33..4b2c9cff 100644 --- a/docs/file.CODE_OF_CONDUCT.html +++ b/docs/file.CODE_OF_CONDUCT.html @@ -191,7 +191,7 @@

    Attribution

    diff --git a/docs/file.CONTRIBUTING.html b/docs/file.CONTRIBUTING.html index b4db95e5..892243e0 100644 --- a/docs/file.CONTRIBUTING.html +++ b/docs/file.CONTRIBUTING.html @@ -308,7 +308,7 @@

    Manual process

    diff --git a/docs/file.FUNDING.html b/docs/file.FUNDING.html index 79bbca6a..dddb80ee 100644 --- a/docs/file.FUNDING.html +++ b/docs/file.FUNDING.html @@ -104,7 +104,7 @@

    Another Way to Support Open diff --git a/docs/file.IRP.html b/docs/file.IRP.html new file mode 100644 index 00000000..1272fe95 --- /dev/null +++ b/docs/file.IRP.html @@ -0,0 +1,218 @@ + + + + + + + File: IRP + + — Documentation by YARD 0.9.37 + + + + + + + + + + + + + + + + + +
    + +
    +
    + +
    + + +

    Incident Response Plan (IRP)

    + +

    Status: Draft

    + +

    Purpose

    +

    This Incident Response Plan (IRP) defines the steps the project maintainer(s) will follow when handling security incidents related to the oauth2 gem. It is written for a small project with a single primary maintainer and is intended to be practical, concise, and actionable.

    + +

    Scope

    +

    Applies to security incidents that affect the oauth2 codebase, releases (gems), CI/CD infrastructure related to building and publishing the gem, repository credentials, or any compromise of project infrastructure that could impact users.

    + +

    Key assumptions

    +
      +
    • This project is maintained primarily by a single maintainer.
      • +
    • Public vulnerability disclosure is handled via Tidelift (see SECURITY.md).
      • +
    • The maintainer will act as incident commander unless otherwise delegated.
      • +
    + +

    Contact & Roles

    +
      +
    • Incident Commander: Primary maintainer (repo owner). Responsible for coordinating triage, remediation, and communications.
      • +
    • Secondary Contact: (optional) A trusted collaborator or organization contact if available.
      • +
    + +

    If you are an external reporter

    +
      +
    • Do not publicly disclose details of an active vulnerability before coordination via Tidelift.
      • +
    • See SECURITY.md for Tidelift disclosure instructions. If the reporter has questions and cannot use Tidelift, they may open a direct encrypted report as described in SECURITY.md (if available) or email the maintainer contact listed in the repository.
      • +
    + +

    Incident Handling Workflow (high level)

    +
      +
    1. Identification & Reporting +
        +
      • Reports may arrive via Tidelift, issue tracker, direct email, or third-party advisories.
        • +
      • Immediately acknowledge receipt (within 24-72 hours) via the reporting channel.
        • +
      +
      2. +
    2. Triage & Initial Assessment (first 72 hours) +
        +
      • Confirm the report is not duplicative and gather: reproducer, affected versions, attack surface, exploitability, and CVSS-like severity estimate.
        • +
      • Verify the issue against the codebase and reproduce locally if possible.
        • +
      • Determine scope: which versions are affected, whether the issue is in code paths executed in common setups, and whether a workaround exists.
        • +
      +
      3. +
    3. Containment & Mitigation +
        +
      • If a simple mitigation or workaround (configuration change, safe default, or recommended upgrade) exists, document it clearly in the issue/Tidelift advisory.
        • +
      • If immediate removal of a release is required (rare), consult Tidelift for coordinated takedown and notify package hosts if applicable.
        • +
      +
      4. +
    4. Remediation & Patch +
        +
      • Prepare a fix in a branch with tests and changelog entries. Prefer minimal, well-tested changes.
        • +
      • Include tests that reproduce the faulty behavior and demonstrate the fix.
        • +
      • Hardening: add fuzz tests, input validation, or additional checks as appropriate.
        • +
      +
      5. +
    5. Release & Disclosure +
        +
      • Coordinate disclosure through Tidelift per SECURITY.md timelines. Aim for a coordinated disclosure and patch release to minimize risk to users.
        • +
      • Publish a patch release (increment gem version) and an advisory via Tidelift.
        • +
      • Update CHANGELOG.md and repository release notes with non-sensitive details.
        • +
      +
      6. +
    6. Post-Incident +
        +
      • Produce a short postmortem: timeline, root cause, actions taken, and follow-ups.
        • +
      • Add/adjust tests and CI checks to prevent regressions.
        • +
      • If credentials or infrastructure were compromised, rotate secrets and audit access.
        • +
      +
      7. +
    + +

    Severity classification (guidance)

    +
      +
    • High/Critical: Remote code execution, data exfiltration, or any vulnerability that can be exploited without user interaction. Immediate action and prioritized patching.
      • +
    • Medium: Privilege escalation, sensitive information leaks that require specific conditions. Patch in the next release cycle with advisory.
      • +
    • Low: Minor information leaks, UI issues, or non-exploitable bugs. Fix normally and include in the next scheduled release.
      • +
    + +

    Preservation of evidence

    +
      +
    • Preserve all reporter-provided data, logs, and reproducer code in a secure location (local encrypted storage or private branch) for the investigation.
      • +
    • Do not publish evidence that would enable exploitation before coordinated disclosure.
      • +
    + +

    Communication templates

    +

    Acknowledgement (to reporter)

    + +

    “Thank you for reporting this issue. I’ve received your report and will triage it within 72 hours. If you can, please provide reproduction steps, affected versions, and any exploit PoC. I will coordinate disclosure through Tidelift per the project’s security policy.”

    + +

    Public advisory (after patch is ready)

    + +

    “A security advisory for oauth2 (versions X.Y.Z) has been published via Tidelift. Please upgrade to version A.B.C which patches [brief description]. See the advisory for details and recommended mitigations.”

    + +

    Runbook: Quick steps for a maintainer to patch and release

    +
      +
    1. Create a branch: git checkout -b fix/security-brief-description +
      2. +
    2. Reproduce the issue locally and add a regression spec in spec/.
      3. +
    3. Implement the fix and run the test suite: bundle exec rspec (or the project’s preferred test command).
      4. +
    4. Bump version in lib/oauth2/version.rb following semantic versioning.
      5. +
    5. Update CHANGELOG.md with an entry describing the fix (avoid exploit details).
      6. +
    6. Commit and push the branch, open a PR, and merge after approvals.
      7. +
    7. Build and push the gem: gem build oauth2.gemspec && gem push pkg/... (coordinate with Tidelift before public push if disclosure is coordinated).
      8. +
    8. Publish a release on GitHub and ensure the Tidelift advisory is posted.
      9. +
    + +

    Operational notes

    +
      +
    • Secrets: Use local encrypted storage for any sensitive reporter data. If repository or CI secrets may be compromised, rotate them immediately and update dependent services.
      • +
    • Access control: Limit who can publish gems and who has admin access to the repo. Keep an up-to-date list of collaborators in a secure place.
      • +
    + +

    Legal & regulatory

    +
      +
    • If the incident involves user data or has legal implications, consult legal counsel or the maintainers’ employer as appropriate. The maintainer should document the timeline and all communications.
      • +
    + +

    Retrospective & continuous improvement

    +

    After an incident, perform a brief post-incident review covering:

    +
      +
    • What happened and why
      • +
    • What was done to contain and remediate
      • +
    • What tests or process changes will prevent recurrence
      • +
    • Assign owners and deadlines for follow-up tasks
      • +
    + +

    References

    +
      +
    • See SECURITY.md for the project’s official disclosure channel (Tidelift).
      • +
    + +

    Appendix: Example checklist for an incident

    +
      +
    • +Acknowledge report to reporter (24-72 hours)
      • +
    • +Reproduce and classify severity
      • +
    • +Prepare and test a fix in a branch
      • +
    • +Coordinate disclosure via Tidelift
      • +
    • +Publish patch release and advisory
      • +
    • +Postmortem and follow-up actions
      • +
    +
    + + + +
    + + \ No newline at end of file diff --git a/docs/file.LICENSE.html b/docs/file.LICENSE.html index b0b6f9ae..4d29fd40 100644 --- a/docs/file.LICENSE.html +++ b/docs/file.LICENSE.html @@ -60,7 +60,7 @@
    MIT License

    Copyright (c) 2017-2025 Peter H. Boling, of Galtzo.com, and oauth2 contributors
    Copyright (c) 2011-2013 Michael Bleigh and Intridea, Inc.

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all
    copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
    SOFTWARE.
    diff --git a/docs/file.OIDC.html b/docs/file.OIDC.html index 8a5530ca..acaec720 100644 --- a/docs/file.OIDC.html +++ b/docs/file.OIDC.html @@ -247,7 +247,7 @@

    Raw OIDC with ruby-oauth/oauth2

    diff --git a/docs/file.README.html b/docs/file.README.html index 540e666f..bd7449c0 100644 --- a/docs/file.README.html +++ b/docs/file.README.html @@ -181,19 +181,19 @@

    Quick Examples

    ## 💡 Info you can shake a stick at -| Tokens to Remember | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace] | -|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Works with JRuby | ![JRuby 9.1 Compat][💎jruby-9.1i] ![JRuby 9.2 Compat][💎jruby-9.2i] ![JRuby 9.3 Compat][💎jruby-9.3i]
    [![JRuby 9.4 Compat][💎jruby-9.4i]][🚎10-j-wf] [![JRuby 10.0 Compat][💎jruby-c-i]][🚎11-c-wf] [![JRuby HEAD Compat][💎jruby-headi]][🚎3-hd-wf] | -| Works with Truffle Ruby | ![Truffle Ruby 22.3 Compat][💎truby-22.3i] ![Truffle Ruby 23.0 Compat][💎truby-23.0i]
    [![Truffle Ruby 23.1 Compat][💎truby-23.1i]][🚎9-t-wf] [![Truffle Ruby 24.1 Compat][💎truby-c-i]][🚎11-c-wf] | -| Works with MRI Ruby 3 | [![Ruby 3.0 Compat][💎ruby-3.0i]][🚎4-lg-wf] [![Ruby 3.1 Compat][💎ruby-3.1i]][🚎6-s-wf] [![Ruby 3.2 Compat][💎ruby-3.2i]][🚎6-s-wf] [![Ruby 3.3 Compat][💎ruby-3.3i]][🚎6-s-wf] [![Ruby 3.4 Compat][💎ruby-c-i]][🚎11-c-wf] [![Ruby HEAD Compat][💎ruby-headi]][🚎3-hd-wf] | -| Works with MRI Ruby 2 | ![Ruby 2.2 Compat][💎ruby-2.2i]
    [![Ruby 2.3 Compat][💎ruby-2.3i]][🚎1-an-wf] [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎1-an-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎1-an-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎7-us-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎7-us-wf] | -| Support & Community | [![Join Me on Daily.dev's RubyFriends][✉️ruby-friends-img]][✉️ruby-friends] [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] [![Get help from me on Upwork][👨🏼‍🏫expsup-upwork-img]][👨🏼‍🏫expsup-upwork] [![Get help from me on Codementor][👨🏼‍🏫expsup-codementor-img]][👨🏼‍🏫expsup-codementor] | -| Source | [![Source on GitLab.com][📜src-gl-img]][📜src-gl] [![Source on CodeBerg.org][📜src-cb-img]][📜src-cb] [![Source on Github.com][📜src-gh-img]][📜src-gh] [![The best SHA: dQw4w9WgXcQ!][🧮kloc-img]][🧮kloc] | -| Documentation | [![Current release on RubyDoc.info][📜docs-cr-rd-img]][🚎yard-current] [![YARD on Galtzo.com][📜docs-head-rd-img]][🚎yard-head] [![Maintainer Blog][🚂maint-blog-img]][🚂maint-blog] [![GitLab Wiki][📜gl-wiki-img]][📜gl-wiki] [![GitHub Wiki][📜gh-wiki-img]][📜gh-wiki] | -| Compliance | [![License: MIT][📄license-img]][📄license-ref] [![Compatible with Apache Software Projects: Verified by SkyWalking Eyes][📄license-compat-img]][📄license-compat] [![📄ilo-declaration-img]][📄ilo-declaration] [![Security Policy][🔐security-img]][🔐security] [![Contributor Covenant 2.1][🪇conduct-img]][🪇conduct] [![SemVer 2.0.0][📌semver-img]][📌semver] | -| Style | [![Enforced Code Style Linter][💎rlts-img]][💎rlts] [![Keep-A-Changelog 1.0.0][📗keep-changelog-img]][📗keep-changelog] [![Gitmoji Commits][📌gitmoji-img]][📌gitmoji] [![Compatibility appraised by: appraisal2][💎appraisal2-img]][💎appraisal2] | -| Maintainer 🎖️ | [![Follow Me on LinkedIn][💖🖇linkedin-img]][💖🖇linkedin] [![Follow Me on Ruby.Social][💖🐘ruby-mast-img]][💖🐘ruby-mast] [![Follow Me on Bluesky][💖🦋bluesky-img]][💖🦋bluesky] [![Contact Maintainer][🚂maint-contact-img]][🚂maint-contact] [![My technical writing][💖💁🏼‍♂️devto-img]][💖💁🏼‍♂️devto] | -| `...` 💖 | [![Find Me on WellFound:][💖✌️wellfound-img]][💖✌️wellfound] [![Find Me on CrunchBase][💖💲crunchbase-img]][💖💲crunchbase] [![My LinkTree][💖🌳linktree-img]][💖🌳linktree] [![More About Me][💖💁🏼‍♂️aboutme-img]][💖💁🏼‍♂️aboutme] [🧊][💖🧊berg] [🐙][💖🐙hub] [🛖][💖🛖hut] [🧪][💖🧪lab] | +| Tokens to Remember | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace] | +|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Works with JRuby | ![JRuby 9.1 Compat][💎jruby-9.1i] ![JRuby 9.2 Compat][💎jruby-9.2i] ![JRuby 9.3 Compat][💎jruby-9.3i]
    [![JRuby 9.4 Compat][💎jruby-9.4i]][🚎10-j-wf] [![JRuby 10.0 Compat][💎jruby-c-i]][🚎11-c-wf] [![JRuby HEAD Compat][💎jruby-headi]][🚎3-hd-wf] | +| Works with Truffle Ruby | ![Truffle Ruby 22.3 Compat][💎truby-22.3i] ![Truffle Ruby 23.0 Compat][💎truby-23.0i]
    [![Truffle Ruby 23.1 Compat][💎truby-23.1i]][🚎9-t-wf] [![Truffle Ruby 24.1 Compat][💎truby-c-i]][🚎11-c-wf] | +| Works with MRI Ruby 3 | [![Ruby 3.0 Compat][💎ruby-3.0i]][🚎4-lg-wf] [![Ruby 3.1 Compat][💎ruby-3.1i]][🚎6-s-wf] [![Ruby 3.2 Compat][💎ruby-3.2i]][🚎6-s-wf] [![Ruby 3.3 Compat][💎ruby-3.3i]][🚎6-s-wf] [![Ruby 3.4 Compat][💎ruby-c-i]][🚎11-c-wf] [![Ruby HEAD Compat][💎ruby-headi]][🚎3-hd-wf] | +| Works with MRI Ruby 2 | ![Ruby 2.2 Compat][💎ruby-2.2i]
    [![Ruby 2.3 Compat][💎ruby-2.3i]][🚎1-an-wf] [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎1-an-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎1-an-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎7-us-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎7-us-wf] | +| Support & Community | [![Join Me on Daily.dev's RubyFriends][✉️ruby-friends-img]][✉️ruby-friends] [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] [![Get help from me on Upwork][👨🏼‍🏫expsup-upwork-img]][👨🏼‍🏫expsup-upwork] [![Get help from me on Codementor][👨🏼‍🏫expsup-codementor-img]][👨🏼‍🏫expsup-codementor] | +| Source | [![Source on GitLab.com][📜src-gl-img]][📜src-gl] [![Source on CodeBerg.org][📜src-cb-img]][📜src-cb] [![Source on Github.com][📜src-gh-img]][📜src-gh] [![The best SHA: dQw4w9WgXcQ!][🧮kloc-img]][🧮kloc] | +| Documentation | [![Current release on RubyDoc.info][📜docs-cr-rd-img]][🚎yard-current] [![YARD on Galtzo.com][📜docs-head-rd-img]][🚎yard-head] [![Maintainer Blog][🚂maint-blog-img]][🚂maint-blog] [![GitLab Wiki][📜gl-wiki-img]][📜gl-wiki] [![GitHub Wiki][📜gh-wiki-img]][📜gh-wiki] | +| Compliance | [![License: MIT][📄license-img]][📄license-ref] [![Compatible with Apache Software Projects: Verified by SkyWalking Eyes][📄license-compat-img]][📄license-compat] [![📄ilo-declaration-img]][📄ilo-declaration] [![Incident Response Plan][🔐irp-img]][🔐irp] [![Security Policy][🔐security-img]][🔐security] [![Contributor Covenant 2.1][🪇conduct-img]][🪇conduct] [![SemVer 2.0.0][📌semver-img]][📌semver] | +| Style | [![Enforced Code Style Linter][💎rlts-img]][💎rlts] [![Keep-A-Changelog 1.0.0][📗keep-changelog-img]][📗keep-changelog] [![Gitmoji Commits][📌gitmoji-img]][📌gitmoji] [![Compatibility appraised by: appraisal2][💎appraisal2-img]][💎appraisal2] | +| Maintainer 🎖️ | [![Follow Me on LinkedIn][💖🖇linkedin-img]][💖🖇linkedin] [![Follow Me on Ruby.Social][💖🐘ruby-mast-img]][💖🐘ruby-mast] [![Follow Me on Bluesky][💖🦋bluesky-img]][💖🦋bluesky] [![Contact Maintainer][🚂maint-contact-img]][🚂maint-contact] [![My technical writing][💖💁🏼‍♂️devto-img]][💖💁🏼‍♂️devto] | +| `...` 💖 | [![Find Me on WellFound:][💖✌️wellfound-img]][💖✌️wellfound] [![Find Me on CrunchBase][💖💲crunchbase-img]][💖💲crunchbase] [![My LinkTree][💖🌳linktree-img]][💖🌳linktree] [![More About Me][💖💁🏼‍♂️aboutme-img]][💖💁🏼‍♂️aboutme] [🧊][💖🧊berg] [🐙][💖🐙hub] [🛖][💖🛖hut] [🧪][💖🧪lab] | ### Compatibility @@ -563,7 +563,7 @@

    Quick Examples

    | 3️⃣ | older | N/A | Best of luck to you! | Please upgrade! | | NOTE: The 1.4 series will only receive critical security updates. -See [SECURITY.md][🔐security]. +See [SECURITY.md][🔐security] and [IRP.md][🔐irp]. ## ⚙️ Configuration @@ -1377,7 +1377,7 @@

    Quick Examples

    To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security). Tidelift will coordinate the fix and disclosure. -For more see [SECURITY.md][🔐security]. +For more see [SECURITY.md][🔐security] and [IRP.md][🔐irp]. ## 🤝 Contributing @@ -1700,6 +1700,8 @@

    Quick Examples

    [🧮kloc-img]: https://img.shields.io/badge/KLOC-0.526-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue [🔐security]: SECURITY.md [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat +[🔐irp]: IRP.md +[🔐irp-img]: https://img.shields.io/badge/irp-259D6C.svg?style=flat [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year [📄license]: LICENSE.txt [📄license-ref]: https://opensource.org/licenses/MIT @@ -1731,7 +1733,7 @@

    Quick Examples

    diff --git a/docs/file.REEK.html b/docs/file.REEK.html index 2154e6d9..9fc5bb19 100644 --- a/docs/file.REEK.html +++ b/docs/file.REEK.html @@ -61,7 +61,7 @@ diff --git a/docs/file.RUBOCOP.html b/docs/file.RUBOCOP.html index d9a98307..b3ea38b7 100644 --- a/docs/file.RUBOCOP.html +++ b/docs/file.RUBOCOP.html @@ -161,7 +161,7 @@

    Benefits of rubocop_gradual

    diff --git a/docs/file.SECURITY.html b/docs/file.SECURITY.html index 3dc2a451..8763dd03 100644 --- a/docs/file.SECURITY.html +++ b/docs/file.SECURITY.html @@ -82,6 +82,8 @@

    Security contact information

    Tidelift security contact.
    Tidelift will coordinate the fix and disclosure.

    +

    More detailed explanation of the process is in IRP.md

    +

    Additional Support

    If you are interested in support for versions older than the latest release,
    @@ -91,7 +93,7 @@

    Additional Support

    diff --git a/docs/file.access_token.html b/docs/file.access_token.html index 60d566fa..5b4ea704 100644 --- a/docs/file.access_token.html +++ b/docs/file.access_token.html @@ -84,7 +84,7 @@ diff --git a/docs/file.authenticator.html b/docs/file.authenticator.html index eb82d98a..36909ab7 100644 --- a/docs/file.authenticator.html +++ b/docs/file.authenticator.html @@ -81,7 +81,7 @@ diff --git a/docs/file.client.html b/docs/file.client.html index dc64b2e4..05e0a9ec 100644 --- a/docs/file.client.html +++ b/docs/file.client.html @@ -111,7 +111,7 @@ diff --git a/docs/file.error.html b/docs/file.error.html index 4d74abe8..2d42cc43 100644 --- a/docs/file.error.html +++ b/docs/file.error.html @@ -68,7 +68,7 @@ diff --git a/docs/file.filtered_attributes.html b/docs/file.filtered_attributes.html index 15431504..c9d17c11 100644 --- a/docs/file.filtered_attributes.html +++ b/docs/file.filtered_attributes.html @@ -66,7 +66,7 @@ diff --git a/docs/file.oauth2-2.0.10.gem.html b/docs/file.oauth2-2.0.10.gem.html index 2d89274c..c7402d40 100644 --- a/docs/file.oauth2-2.0.10.gem.html +++ b/docs/file.oauth2-2.0.10.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.11.gem.html b/docs/file.oauth2-2.0.11.gem.html index a9451206..4d374ab8 100644 --- a/docs/file.oauth2-2.0.11.gem.html +++ b/docs/file.oauth2-2.0.11.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.12.gem.html b/docs/file.oauth2-2.0.12.gem.html index f829c1dc..ba1fdecd 100644 --- a/docs/file.oauth2-2.0.12.gem.html +++ b/docs/file.oauth2-2.0.12.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.13.gem.html b/docs/file.oauth2-2.0.13.gem.html index 66d373e8..122a6b38 100644 --- a/docs/file.oauth2-2.0.13.gem.html +++ b/docs/file.oauth2-2.0.13.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.14.gem.html b/docs/file.oauth2-2.0.14.gem.html index 9753b58c..5c6374e8 100644 --- a/docs/file.oauth2-2.0.14.gem.html +++ b/docs/file.oauth2-2.0.14.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.15.gem.html b/docs/file.oauth2-2.0.15.gem.html index f3875132..c36a51d9 100644 --- a/docs/file.oauth2-2.0.15.gem.html +++ b/docs/file.oauth2-2.0.15.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.16.gem.html b/docs/file.oauth2-2.0.16.gem.html index 84c906f4..51482042 100644 --- a/docs/file.oauth2-2.0.16.gem.html +++ b/docs/file.oauth2-2.0.16.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2-2.0.17.gem.html b/docs/file.oauth2-2.0.17.gem.html index f89e982f..14f91e33 100644 --- a/docs/file.oauth2-2.0.17.gem.html +++ b/docs/file.oauth2-2.0.17.gem.html @@ -61,7 +61,7 @@ diff --git a/docs/file.oauth2.html b/docs/file.oauth2.html index 09663bc0..f18ae0ac 100644 --- a/docs/file.oauth2.html +++ b/docs/file.oauth2.html @@ -69,7 +69,7 @@ diff --git a/docs/file.response.html b/docs/file.response.html index 7fe5d264..ead0732d 100644 --- a/docs/file.response.html +++ b/docs/file.response.html @@ -77,7 +77,7 @@ diff --git a/docs/file.strategy.html b/docs/file.strategy.html index 6f732697..13d2a1bc 100644 --- a/docs/file.strategy.html +++ b/docs/file.strategy.html @@ -93,7 +93,7 @@ diff --git a/docs/file.version.html b/docs/file.version.html index 084c30a1..3f1b157d 100644 --- a/docs/file.version.html +++ b/docs/file.version.html @@ -65,7 +65,7 @@ diff --git a/docs/file_list.html b/docs/file_list.html index e0fe7d43..bbcfd557 100644 --- a/docs/file_list.html +++ b/docs/file_list.html @@ -72,157 +72,162 @@

    File List

    -
  • +
  • +
    IRP
    +
    • + + +
  • OIDC
    • -
  • +
  • RUBOCOP
    • -
  • +
  • SECURITY
    • -
  • +
  • LICENSE
    • -
  • +
  • CITATION
    • -
  • +
  • oauth2-2.0.10.gem
    • -
  • +
  • oauth2-2.0.11.gem
    • -
  • +
  • oauth2-2.0.12.gem
    • -
  • +
  • oauth2-2.0.13.gem
    • -
  • +
  • oauth2-2.0.14.gem
    • -
  • +
  • oauth2-2.0.15.gem
    • -
  • +
  • oauth2-2.0.16.gem
    • -
  • +
  • oauth2-2.0.17.gem
    • -
  • +
  • oauth2-2.0.10.gem
    • -
  • +
  • oauth2-2.0.11.gem
    • -
  • +
  • oauth2-2.0.12.gem
    • -
  • +
  • oauth2-2.0.13.gem
    • -
  • +
  • oauth2-2.0.14.gem
    • -
  • +
  • oauth2-2.0.15.gem
    • -
  • +
  • oauth2-2.0.16.gem
    • -
  • +
  • oauth2-2.0.17.gem
    • -
  • +
  • REEK
    • -
  • +
  • access_token
    • -
  • +
  • authenticator
    • -
  • +
  • client
    • -
  • +
  • error
    • -
  • +
  • filtered_attributes
    • -
  • +
  • response
    • -
  • +
  • strategy
    • -
  • +
  • version
    • -
  • +
  • oauth2
    • diff --git a/docs/index.html b/docs/index.html index 8665487f..d57a8f07 100644 --- a/docs/index.html +++ b/docs/index.html @@ -181,19 +181,19 @@

    Quick Examples

    ## 💡 Info you can shake a stick at -| Tokens to Remember | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace] | -|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Works with JRuby | ![JRuby 9.1 Compat][💎jruby-9.1i] ![JRuby 9.2 Compat][💎jruby-9.2i] ![JRuby 9.3 Compat][💎jruby-9.3i]
    [![JRuby 9.4 Compat][💎jruby-9.4i]][🚎10-j-wf] [![JRuby 10.0 Compat][💎jruby-c-i]][🚎11-c-wf] [![JRuby HEAD Compat][💎jruby-headi]][🚎3-hd-wf] | -| Works with Truffle Ruby | ![Truffle Ruby 22.3 Compat][💎truby-22.3i] ![Truffle Ruby 23.0 Compat][💎truby-23.0i]
    [![Truffle Ruby 23.1 Compat][💎truby-23.1i]][🚎9-t-wf] [![Truffle Ruby 24.1 Compat][💎truby-c-i]][🚎11-c-wf] | -| Works with MRI Ruby 3 | [![Ruby 3.0 Compat][💎ruby-3.0i]][🚎4-lg-wf] [![Ruby 3.1 Compat][💎ruby-3.1i]][🚎6-s-wf] [![Ruby 3.2 Compat][💎ruby-3.2i]][🚎6-s-wf] [![Ruby 3.3 Compat][💎ruby-3.3i]][🚎6-s-wf] [![Ruby 3.4 Compat][💎ruby-c-i]][🚎11-c-wf] [![Ruby HEAD Compat][💎ruby-headi]][🚎3-hd-wf] | -| Works with MRI Ruby 2 | ![Ruby 2.2 Compat][💎ruby-2.2i]
    [![Ruby 2.3 Compat][💎ruby-2.3i]][🚎1-an-wf] [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎1-an-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎1-an-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎7-us-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎7-us-wf] | -| Support & Community | [![Join Me on Daily.dev's RubyFriends][✉️ruby-friends-img]][✉️ruby-friends] [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] [![Get help from me on Upwork][👨🏼‍🏫expsup-upwork-img]][👨🏼‍🏫expsup-upwork] [![Get help from me on Codementor][👨🏼‍🏫expsup-codementor-img]][👨🏼‍🏫expsup-codementor] | -| Source | [![Source on GitLab.com][📜src-gl-img]][📜src-gl] [![Source on CodeBerg.org][📜src-cb-img]][📜src-cb] [![Source on Github.com][📜src-gh-img]][📜src-gh] [![The best SHA: dQw4w9WgXcQ!][🧮kloc-img]][🧮kloc] | -| Documentation | [![Current release on RubyDoc.info][📜docs-cr-rd-img]][🚎yard-current] [![YARD on Galtzo.com][📜docs-head-rd-img]][🚎yard-head] [![Maintainer Blog][🚂maint-blog-img]][🚂maint-blog] [![GitLab Wiki][📜gl-wiki-img]][📜gl-wiki] [![GitHub Wiki][📜gh-wiki-img]][📜gh-wiki] | -| Compliance | [![License: MIT][📄license-img]][📄license-ref] [![Compatible with Apache Software Projects: Verified by SkyWalking Eyes][📄license-compat-img]][📄license-compat] [![📄ilo-declaration-img]][📄ilo-declaration] [![Security Policy][🔐security-img]][🔐security] [![Contributor Covenant 2.1][🪇conduct-img]][🪇conduct] [![SemVer 2.0.0][📌semver-img]][📌semver] | -| Style | [![Enforced Code Style Linter][💎rlts-img]][💎rlts] [![Keep-A-Changelog 1.0.0][📗keep-changelog-img]][📗keep-changelog] [![Gitmoji Commits][📌gitmoji-img]][📌gitmoji] [![Compatibility appraised by: appraisal2][💎appraisal2-img]][💎appraisal2] | -| Maintainer 🎖️ | [![Follow Me on LinkedIn][💖🖇linkedin-img]][💖🖇linkedin] [![Follow Me on Ruby.Social][💖🐘ruby-mast-img]][💖🐘ruby-mast] [![Follow Me on Bluesky][💖🦋bluesky-img]][💖🦋bluesky] [![Contact Maintainer][🚂maint-contact-img]][🚂maint-contact] [![My technical writing][💖💁🏼‍♂️devto-img]][💖💁🏼‍♂️devto] | -| `...` 💖 | [![Find Me on WellFound:][💖✌️wellfound-img]][💖✌️wellfound] [![Find Me on CrunchBase][💖💲crunchbase-img]][💖💲crunchbase] [![My LinkTree][💖🌳linktree-img]][💖🌳linktree] [![More About Me][💖💁🏼‍♂️aboutme-img]][💖💁🏼‍♂️aboutme] [🧊][💖🧊berg] [🐙][💖🐙hub] [🛖][💖🛖hut] [🧪][💖🧪lab] | +| Tokens to Remember | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace] | +|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Works with JRuby | ![JRuby 9.1 Compat][💎jruby-9.1i] ![JRuby 9.2 Compat][💎jruby-9.2i] ![JRuby 9.3 Compat][💎jruby-9.3i]
    [![JRuby 9.4 Compat][💎jruby-9.4i]][🚎10-j-wf] [![JRuby 10.0 Compat][💎jruby-c-i]][🚎11-c-wf] [![JRuby HEAD Compat][💎jruby-headi]][🚎3-hd-wf] | +| Works with Truffle Ruby | ![Truffle Ruby 22.3 Compat][💎truby-22.3i] ![Truffle Ruby 23.0 Compat][💎truby-23.0i]
    [![Truffle Ruby 23.1 Compat][💎truby-23.1i]][🚎9-t-wf] [![Truffle Ruby 24.1 Compat][💎truby-c-i]][🚎11-c-wf] | +| Works with MRI Ruby 3 | [![Ruby 3.0 Compat][💎ruby-3.0i]][🚎4-lg-wf] [![Ruby 3.1 Compat][💎ruby-3.1i]][🚎6-s-wf] [![Ruby 3.2 Compat][💎ruby-3.2i]][🚎6-s-wf] [![Ruby 3.3 Compat][💎ruby-3.3i]][🚎6-s-wf] [![Ruby 3.4 Compat][💎ruby-c-i]][🚎11-c-wf] [![Ruby HEAD Compat][💎ruby-headi]][🚎3-hd-wf] | +| Works with MRI Ruby 2 | ![Ruby 2.2 Compat][💎ruby-2.2i]
    [![Ruby 2.3 Compat][💎ruby-2.3i]][🚎1-an-wf] [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎1-an-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎1-an-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎7-us-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎7-us-wf] | +| Support & Community | [![Join Me on Daily.dev's RubyFriends][✉️ruby-friends-img]][✉️ruby-friends] [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] [![Get help from me on Upwork][👨🏼‍🏫expsup-upwork-img]][👨🏼‍🏫expsup-upwork] [![Get help from me on Codementor][👨🏼‍🏫expsup-codementor-img]][👨🏼‍🏫expsup-codementor] | +| Source | [![Source on GitLab.com][📜src-gl-img]][📜src-gl] [![Source on CodeBerg.org][📜src-cb-img]][📜src-cb] [![Source on Github.com][📜src-gh-img]][📜src-gh] [![The best SHA: dQw4w9WgXcQ!][🧮kloc-img]][🧮kloc] | +| Documentation | [![Current release on RubyDoc.info][📜docs-cr-rd-img]][🚎yard-current] [![YARD on Galtzo.com][📜docs-head-rd-img]][🚎yard-head] [![Maintainer Blog][🚂maint-blog-img]][🚂maint-blog] [![GitLab Wiki][📜gl-wiki-img]][📜gl-wiki] [![GitHub Wiki][📜gh-wiki-img]][📜gh-wiki] | +| Compliance | [![License: MIT][📄license-img]][📄license-ref] [![Compatible with Apache Software Projects: Verified by SkyWalking Eyes][📄license-compat-img]][📄license-compat] [![📄ilo-declaration-img]][📄ilo-declaration] [![Incident Response Plan][🔐irp-img]][🔐irp] [![Security Policy][🔐security-img]][🔐security] [![Contributor Covenant 2.1][🪇conduct-img]][🪇conduct] [![SemVer 2.0.0][📌semver-img]][📌semver] | +| Style | [![Enforced Code Style Linter][💎rlts-img]][💎rlts] [![Keep-A-Changelog 1.0.0][📗keep-changelog-img]][📗keep-changelog] [![Gitmoji Commits][📌gitmoji-img]][📌gitmoji] [![Compatibility appraised by: appraisal2][💎appraisal2-img]][💎appraisal2] | +| Maintainer 🎖️ | [![Follow Me on LinkedIn][💖🖇linkedin-img]][💖🖇linkedin] [![Follow Me on Ruby.Social][💖🐘ruby-mast-img]][💖🐘ruby-mast] [![Follow Me on Bluesky][💖🦋bluesky-img]][💖🦋bluesky] [![Contact Maintainer][🚂maint-contact-img]][🚂maint-contact] [![My technical writing][💖💁🏼‍♂️devto-img]][💖💁🏼‍♂️devto] | +| `...` 💖 | [![Find Me on WellFound:][💖✌️wellfound-img]][💖✌️wellfound] [![Find Me on CrunchBase][💖💲crunchbase-img]][💖💲crunchbase] [![My LinkTree][💖🌳linktree-img]][💖🌳linktree] [![More About Me][💖💁🏼‍♂️aboutme-img]][💖💁🏼‍♂️aboutme] [🧊][💖🧊berg] [🐙][💖🐙hub] [🛖][💖🛖hut] [🧪][💖🧪lab] | ### Compatibility @@ -563,7 +563,7 @@

    Quick Examples

    | 3️⃣ | older | N/A | Best of luck to you! | Please upgrade! | | NOTE: The 1.4 series will only receive critical security updates. -See [SECURITY.md][🔐security]. +See [SECURITY.md][🔐security] and [IRP.md][🔐irp]. ## ⚙️ Configuration @@ -1377,7 +1377,7 @@

    Quick Examples

    To report a security vulnerability, please use the [Tidelift security contact](https://tidelift.com/security). Tidelift will coordinate the fix and disclosure. -For more see [SECURITY.md][🔐security]. +For more see [SECURITY.md][🔐security] and [IRP.md][🔐irp]. ## 🤝 Contributing @@ -1700,6 +1700,8 @@

    Quick Examples

    [🧮kloc-img]: https://img.shields.io/badge/KLOC-0.526-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue [🔐security]: SECURITY.md [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat +[🔐irp]: IRP.md +[🔐irp-img]: https://img.shields.io/badge/irp-259D6C.svg?style=flat [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year [📄license]: LICENSE.txt [📄license-ref]: https://opensource.org/licenses/MIT @@ -1731,7 +1733,7 @@

    Quick Examples

    diff --git a/docs/top-level-namespace.html b/docs/top-level-namespace.html index f93410b3..a62d59a0 100644 --- a/docs/top-level-namespace.html +++ b/docs/top-level-namespace.html @@ -100,7 +100,7 @@

    Defined Under Namespace

    diff --git a/oauth2.gemspec b/oauth2.gemspec index bc9705b0..0556ea5c 100644 --- a/oauth2.gemspec +++ b/oauth2.gemspec @@ -103,6 +103,7 @@ Thanks, @pboling / @galtzo "CONTRIBUTING.md", "FUNDING.md", "LICENSE.txt", + "IRP.md", "OIDC.md", "README.md", "REEK", From 92800a324206125aa6f4524e87e5b298b0a6d7f4 Mon Sep 17 00:00:00 2001 From: "Peter H. Boling" Date: Thu, 25 Sep 2025 08:49:18 -0600 Subject: [PATCH 03/13] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20kettle-dev=20v1.3.31?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 9c101af7..5f2a158a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -103,7 +103,7 @@ GEM json (2.13.2) jwt (3.1.2) base64 - kettle-dev (1.1.26) + kettle-dev (1.1.31) kettle-soup-cover (1.0.10) simplecov (~> 0.22) simplecov-cobertura (~> 3.0) From 0df318fd956575ca4248e2868c016d6c2f3d2770 Mon Sep 17 00:00:00 2001 From: "|7eter l-|. l3oling" Date: Thu, 25 Sep 2025 22:00:16 +0700 Subject: [PATCH 04/13] Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: |7eter l-|. l3oling --- IRP.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/IRP.md b/IRP.md index e80ae39a..d237f633 100644 --- a/IRP.md +++ b/IRP.md @@ -2,30 +2,29 @@ Status: Draft -Purpose -------- +## Purpose + This Incident Response Plan (IRP) defines the steps the project maintainer(s) will follow when handling security incidents related to the `oauth2` gem. It is written for a small project with a single primary maintainer and is intended to be practical, concise, and actionable. -Scope ------ +## Scope + Applies to security incidents that affect the `oauth2` codebase, releases (gems), CI/CD infrastructure related to building and publishing the gem, repository credentials, or any compromise of project infrastructure that could impact users. -Key assumptions +## Key assumptions - This project is maintained primarily by a single maintainer. - Public vulnerability disclosure is handled via Tidelift (see `SECURITY.md`). - The maintainer will act as incident commander unless otherwise delegated. -Contact & Roles ---------------- +## Contact & Roles + - Incident Commander: Primary maintainer (repo owner). Responsible for coordinating triage, remediation, and communications. - Secondary Contact: (optional) A trusted collaborator or organization contact if available. -If you are an external reporter +### If you are an external reporter - Do not publicly disclose details of an active vulnerability before coordination via Tidelift. - See `SECURITY.md` for Tidelift disclosure instructions. If the reporter has questions and cannot use Tidelift, they may open a direct encrypted report as described in `SECURITY.md` (if available) or email the maintainer contact listed in the repository. -Incident Handling Workflow (high level) ---------------------------------------- +## Incident Handling Workflow (high level) 1. Identification & Reporting - Reports may arrive via Tidelift, issue tracker, direct email, or third-party advisories. - Immediately acknowledge receipt (within 24-72 hours) via the reporting channel. From 52aaa9614ba90efa5235d603ae035ecae9e3df54 Mon Sep 17 00:00:00 2001 From: "|7eter l-|. l3oling" Date: Thu, 25 Sep 2025 22:01:57 +0700 Subject: [PATCH 05/13] Update IRP.md Signed-off-by: |7eter l-|. l3oling --- IRP.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/IRP.md b/IRP.md index d237f633..5e93b5cd 100644 --- a/IRP.md +++ b/IRP.md @@ -64,8 +64,7 @@ Preservation of evidence - Preserve all reporter-provided data, logs, and reproducer code in a secure location (local encrypted storage or private branch) for the investigation. - Do not publish evidence that would enable exploitation before coordinated disclosure. -Communication templates ------------------------ +## Communication templates Acknowledgement (to reporter) "Thank you for reporting this issue. I've received your report and will triage it within 72 hours. If you can, please provide reproduction steps, affected versions, and any exploit PoC. I will coordinate disclosure through Tidelift per the project's security policy." From ed1bffe62b1349731c2a574d7b6b15431d6e091d Mon Sep 17 00:00:00 2001 From: "|7eter l-|. l3oling" Date: Thu, 25 Sep 2025 22:02:04 +0700 Subject: [PATCH 06/13] Update IRP.md Signed-off-by: |7eter l-|. l3oling --- IRP.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/IRP.md b/IRP.md index 5e93b5cd..e1820840 100644 --- a/IRP.md +++ b/IRP.md @@ -59,8 +59,7 @@ Severity classification (guidance) - Medium: Privilege escalation, sensitive information leaks that require specific conditions. Patch in the next release cycle with advisory. - Low: Minor information leaks, UI issues, or non-exploitable bugs. Fix normally and include in the next scheduled release. -Preservation of evidence ------------------------- +## Preservation of evidence - Preserve all reporter-provided data, logs, and reproducer code in a secure location (local encrypted storage or private branch) for the investigation. - Do not publish evidence that would enable exploitation before coordinated disclosure. From e465f1d3d5322f76e61f39006a187d8975e8346f Mon Sep 17 00:00:00 2001 From: "|7eter l-|. l3oling" Date: Thu, 25 Sep 2025 23:02:01 +0700 Subject: [PATCH 07/13] Update IRP.md Signed-off-by: |7eter l-|. l3oling --- IRP.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/IRP.md b/IRP.md index e1820840..3519fbfb 100644 --- a/IRP.md +++ b/IRP.md @@ -100,8 +100,7 @@ After an incident, perform a brief post-incident review covering: - What tests or process changes will prevent recurrence - Assign owners and deadlines for follow-up tasks -References ----------- +## References - See `SECURITY.md` for the project's official disclosure channel (Tidelift). Appendix: Example checklist for an incident From 04b4439c0ecc28a3291e6997b5b6c755560a3ce1 Mon Sep 17 00:00:00 2001 From: "|7eter l-|. l3oling" Date: Thu, 25 Sep 2025 23:02:10 +0700 Subject: [PATCH 08/13] Update IRP.md Signed-off-by: |7eter l-|. l3oling --- IRP.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/IRP.md b/IRP.md index 3519fbfb..7c0a87fa 100644 --- a/IRP.md +++ b/IRP.md @@ -92,8 +92,7 @@ Legal & regulatory ------------------ - If the incident involves user data or has legal implications, consult legal counsel or the maintainers' employer as appropriate. The maintainer should document the timeline and all communications. -Retrospective & continuous improvement -------------------------------------- +## Retrospective & continuous improvement After an incident, perform a brief post-incident review covering: - What happened and why - What was done to contain and remediate From 0da32d4210b7d5208dfcf4137ee819751c0c2108 Mon Sep 17 00:00:00 2001 From: "|7eter l-|. l3oling" Date: Thu, 25 Sep 2025 23:02:18 +0700 Subject: [PATCH 09/13] Update IRP.md Signed-off-by: |7eter l-|. l3oling --- IRP.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/IRP.md b/IRP.md index 7c0a87fa..f597071f 100644 --- a/IRP.md +++ b/IRP.md @@ -88,8 +88,7 @@ Operational notes - Secrets: Use local encrypted storage for any sensitive reporter data. If repository or CI secrets may be compromised, rotate them immediately and update dependent services. - Access control: Limit who can publish gems and who has admin access to the repo. Keep an up-to-date list of collaborators in a secure place. -Legal & regulatory ------------------- +## Legal & regulatory - If the incident involves user data or has legal implications, consult legal counsel or the maintainers' employer as appropriate. The maintainer should document the timeline and all communications. ## Retrospective & continuous improvement From 4d9d936011442b58a2a4e34d315edc8b190d61ec Mon Sep 17 00:00:00 2001 From: "|7eter l-|. l3oling" Date: Thu, 25 Sep 2025 23:02:33 +0700 Subject: [PATCH 10/13] Update IRP.md Signed-off-by: |7eter l-|. l3oling --- IRP.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/IRP.md b/IRP.md index f597071f..246e2ec1 100644 --- a/IRP.md +++ b/IRP.md @@ -83,8 +83,7 @@ Runbook: Quick steps for a maintainer to patch and release 7. Build and push the gem: `gem build oauth2.gemspec && gem push pkg/...` (coordinate with Tidelift before public push if disclosure is coordinated). 8. Publish a release on GitHub and ensure the Tidelift advisory is posted. -Operational notes ------------------ +## Operational notes - Secrets: Use local encrypted storage for any sensitive reporter data. If repository or CI secrets may be compromised, rotate them immediately and update dependent services. - Access control: Limit who can publish gems and who has admin access to the repo. Keep an up-to-date list of collaborators in a secure place. From 15876e184d7f6e708106745803af6891637183b9 Mon Sep 17 00:00:00 2001 From: "|7eter l-|. l3oling" Date: Thu, 25 Sep 2025 23:02:42 +0700 Subject: [PATCH 11/13] Update IRP.md Signed-off-by: |7eter l-|. l3oling --- IRP.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/IRP.md b/IRP.md index 246e2ec1..312a5c24 100644 --- a/IRP.md +++ b/IRP.md @@ -72,8 +72,7 @@ Public advisory (after patch is ready) "A security advisory for oauth2 (versions X.Y.Z) has been published via Tidelift. Please upgrade to version A.B.C which patches [brief description]. See the advisory for details and recommended mitigations." -Runbook: Quick steps for a maintainer to patch and release ---------------------------------------------------------- +## Runbook: Quick steps for a maintainer to patch and release 1. Create a branch: `git checkout -b fix/security-brief-description` 2. Reproduce the issue locally and add a regression spec in `spec/`. 3. Implement the fix and run the test suite: `bundle exec rspec` (or the project's preferred test command). From d23f0e87faca6a073e75c7215c8fed437f80d1e8 Mon Sep 17 00:00:00 2001 From: "|7eter l-|. l3oling" Date: Thu, 25 Sep 2025 23:02:50 +0700 Subject: [PATCH 12/13] Update IRP.md Signed-off-by: |7eter l-|. l3oling --- IRP.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/IRP.md b/IRP.md index 312a5c24..3f9ae3ce 100644 --- a/IRP.md +++ b/IRP.md @@ -53,8 +53,7 @@ Applies to security incidents that affect the `oauth2` codebase, releases (gems) - Add/adjust tests and CI checks to prevent regressions. - If credentials or infrastructure were compromised, rotate secrets and audit access. -Severity classification (guidance) ---------------------------------- +## Severity classification (guidance) - High/Critical: Remote code execution, data exfiltration, or any vulnerability that can be exploited without user interaction. Immediate action and prioritized patching. - Medium: Privilege escalation, sensitive information leaks that require specific conditions. Patch in the next release cycle with advisory. - Low: Minor information leaks, UI issues, or non-exploitable bugs. Fix normally and include in the next scheduled release. From f262d5aa8d2ade0d95f42f913c65dfa9067a1797 Mon Sep 17 00:00:00 2001 From: "|7eter l-|. l3oling" Date: Thu, 25 Sep 2025 23:05:43 +0700 Subject: [PATCH 13/13] Update IRP.md Signed-off-by: |7eter l-|. l3oling --- IRP.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/IRP.md b/IRP.md index 3f9ae3ce..7bd10973 100644 --- a/IRP.md +++ b/IRP.md @@ -98,8 +98,7 @@ After an incident, perform a brief post-incident review covering: ## References - See `SECURITY.md` for the project's official disclosure channel (Tidelift). -Appendix: Example checklist for an incident ------------------------------------------- +## Appendix: Example checklist for an incident - [ ] Acknowledge report to reporter (24-72 hours) - [ ] Reproduce and classify severity - [ ] Prepare and test a fix in a branch