Change interface to support newer hoauth2

This adds support for `ghc-9.12` / `hoauth2-2.15` and drops support for `ghc < 9.4` / `hoauth2 < 2.8`. Since this would be a major version bump no matter what, I've changed the interface we present to align with `hoauth2-2.15`. This means using the newer `fetch` functions, and `TokenResponse{,Error}` type names. I've maintained our own `OAuth2` type so that the redirect-uri can remain a `Maybe` field. The way plugins are constructed, we need to build an `OAuth2` value in a pure context without one, which is then supplied later, when we have `MonadHandler` and so can render URLs.
2026-01-11 11:48:29 +01:00 · 2026-01-05 15:01:16 -05:00 · 2026-01-05 15:01:16 -05:00 · a8de561848
commit a8de561848
parent a179049522
52 changed files with 134 additions and 448 deletions
--- a/.stack-all
+++ b/.stack-all
@ -0,0 +1,2 @@
+[versions]
+oldest = lts-21
--- a/package.yaml
+++ b/package.yaml
@ -29,7 +29,7 @@ library:
    - bytestring >=0.9.1.4
    - crypton
    - errors
-    - hoauth2 >=1.11.0
+    - hoauth2 >=2.8.0 # TokenRequestError
    - http-client >=0.4.0
    - http-conduit >=2.0
    - http-types >=0.8
--- a/src/Network/OAuth/OAuth2/Compat.hs
+++ b/src/Network/OAuth/OAuth2/Compat.hs
@ -2,170 +2,117 @@

 module Network.OAuth.OAuth2.Compat
  ( OAuth2 (..)
-  , OAuth2Result
-  , Errors
  , authorizationUrl
-  , fetchAccessToken
-  , fetchAccessToken2
+  , fetchAccessTokenBasic
+  , fetchAccessTokenPost
  , authGetBS

    -- * Re-exports
-  , module Network.OAuth.OAuth2
+  , AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , TokenResponse
+  , accessToken
+  , refreshToken
+  , expiresIn
+  , tokenType
+  , idToken
+  , TokenResponseError
  ) where

+import Control.Monad.IO.Class (MonadIO)
+import Control.Monad.Trans.Except (runExceptT)
 import Data.ByteString.Lazy (ByteString)
 import Data.Text (Text)
 import Network.HTTP.Conduit (Manager)
+import URI.ByteString
+
+#if MIN_VERSION_hoauth2(2,15,0)
+import Network.OAuth2
+  ( AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , TokenResponse (..)
+  , TokenResponseError
+  )
+import qualified Network.OAuth2 as OAuth2
+
+#elif MIN_VERSION_hoauth2(2,9,0)
 import Network.OAuth.OAuth2
  ( AccessToken (..)
  , ExchangeToken (..)
-  , OAuth2Token (..)
  , RefreshToken (..)
+  , OAuth2Token (..)
+  , TokenResponseError
  )
 import qualified Network.OAuth.OAuth2 as OAuth2
-import URI.ByteString

-#if MIN_VERSION_hoauth2(2,2,0)
-import Control.Monad.Trans.Except (ExceptT, runExceptT)
-import Data.Maybe (fromMaybe)
-#endif
+type TokenResponse = OAuth2Token

-#if MIN_VERSION_hoauth2(2,9,0)
-import Network.OAuth.OAuth2.TokenRequest (TokenResponseError)
-type Errors = TokenResponseError
-#elif MIN_VERSION_hoauth2(2,7,0)
-import Network.OAuth.OAuth2.TokenRequest (TokenRequestError)
-type Errors = TokenRequestError
 #else
-import qualified Network.OAuth.OAuth2.TokenRequest as LegacyTokenRequest
-import Network.OAuth.OAuth2 (OAuth2Error)
-type Errors = OAuth2Error LegacyTokenRequest.Errors
-#endif
+-- hoauth2-2.8
+import Network.OAuth.OAuth2
+  ( AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , OAuth2Token (..)
+  )
+import Network.OAuth.OAuth2.TokenRequest (TokenRequestError)
+import qualified Network.OAuth.OAuth2 as OAuth2

-{-# ANN module ("HLint: ignore Use fewer imports" :: String) #-}
+type TokenResponse = OAuth2Token
+type TokenResponseError = TokenRequestError
+#endif

 data OAuth2 = OAuth2
  { oauth2ClientId :: Text
-  , oauth2ClientSecret :: Maybe Text
+  , oauth2ClientSecret :: Text
  , oauth2AuthorizeEndpoint :: URIRef Absolute
  , oauth2TokenEndpoint :: URIRef Absolute
  , oauth2RedirectUri :: Maybe (URIRef Absolute)
  }

-type OAuth2Result err a = Either err a
-
 authorizationUrl :: OAuth2 -> URI
 authorizationUrl = OAuth2.authorizationUrl . getOAuth2

-fetchAccessToken
-  :: Manager
-  -> OAuth2
-  -> ExchangeToken
-  -> IO (OAuth2Result Errors OAuth2Token)
-fetchAccessToken = fetchAccessTokenBasic
-
-fetchAccessToken2
-  :: Manager
-  -> OAuth2
-  -> ExchangeToken
-  -> IO (OAuth2Result Errors OAuth2Token)
-fetchAccessToken2 = fetchAccessTokenPost
-
-authGetBS :: Manager -> AccessToken -> URI -> IO (Either ByteString ByteString)
-authGetBS m a u = runOAuth2 $ OAuth2.authGetBS m a u
-
-- Normalize the rename of record fields at hoauth2-2.0. Our type is the newer
-- names and we up-convert if hoauth2-1.x is in use. getClientSecret and
-- getRedirectUri handle the differences in hoauth2-2.2 and 2.3.
-
-#if MIN_VERSION_hoauth2(2,0,0)
-getOAuth2 :: OAuth2 -> OAuth2.OAuth2
-getOAuth2 o = OAuth2.OAuth2
-    { OAuth2.oauth2ClientId = oauth2ClientId o
-    , OAuth2.oauth2ClientSecret = getClientSecret $ oauth2ClientSecret o
-    , OAuth2.oauth2AuthorizeEndpoint = oauth2AuthorizeEndpoint o
-    , OAuth2.oauth2TokenEndpoint = oauth2TokenEndpoint o
-    , OAuth2.oauth2RedirectUri = getRedirectUri $ oauth2RedirectUri o
-    }
-#else
-getOAuth2 :: OAuth2 -> OAuth2.OAuth2
-getOAuth2 o = OAuth2.OAuth2
-    { OAuth2.oauthClientId = oauth2ClientId o
-    , OAuth2.oauthClientSecret = getClientSecret $ oauth2ClientSecret o
-    , OAuth2.oauthOAuthorizeEndpoint = oauth2AuthorizeEndpoint o
-    , OAuth2.oauthAccessTokenEndpoint = oauth2TokenEndpoint o
-    , OAuth2.oauthCallback = getRedirectUri $ oauth2RedirectUri o
-    }
-#endif
-
-- hoauth2-2.2 made oauth2ClientSecret non-Maybe, after 2.0 had just made it
-- Maybe so we have to adjust, twice. TODO: change ours type to non-Maybe (major
-- bump) and reverse this to up-convert with Just in pre-2.2.
-
-#if MIN_VERSION_hoauth2(2,2,0)
-getClientSecret :: Maybe Text -> Text
-getClientSecret =
-    fromMaybe $ error "Cannot use OAuth2.oauth2ClientSecret with Nothing"
-#else
-getClientSecret :: Maybe Text -> Maybe Text
-getClientSecret = id
-#endif
-
-- hoauth2-2.3 then made oauth2RedirectUri non-Maybe too. We logically rely on
-- instantiating with Nothing at definition-time, then setting it to the
-- callback at use-time, which means we can't just change our type and invert
-- this shim; we'll have to do something much more pervasive to avoid this
-- fromMaybe.
-
-#if MIN_VERSION_hoauth2(2,3,0)
-getRedirectUri :: Maybe (URIRef Absolute) -> (URIRef Absolute)
-getRedirectUri =
-    fromMaybe $ error "Cannot use OAuth2.oauth2RedirectUri with Nothing"
-#else
-getRedirectUri :: Maybe (URIRef Absolute) -> Maybe (URIRef Absolute)
-getRedirectUri = id
-#endif
-
-- hoauth-2.2 moved most IO-Either functions to ExceptT. This reverses that.
-
-#if MIN_VERSION_hoauth2(2,2,0)
-runOAuth2 :: ExceptT e m a -> m (Either e a)
-runOAuth2 = runExceptT
-#else
-runOAuth2 :: IO (Either e a) -> IO (Either e a)
-runOAuth2 = id
-#endif
-
-- The fetchAccessToken functions grew a nicer interface in hoauth2-2.3. This
-- up-converts the older ones. We should update our code to use these functions
-- directly.
-
 fetchAccessTokenBasic
  :: Manager
  -> OAuth2
  -> ExchangeToken
-  -> IO (OAuth2Result Errors OAuth2Token)
-fetchAccessTokenBasic m o e = runOAuth2 $ f m (getOAuth2 o) e
- where
-#if MIN_VERSION_hoauth2(2,6,0)
-    f = OAuth2.fetchAccessTokenWithAuthMethod OAuth2.ClientSecretBasic
-#elif MIN_VERSION_hoauth2(2,3,0)
-    f = OAuth2.fetchAccessTokenInternal OAuth2.ClientSecretBasic
-#else
-    f = OAuth2.fetchAccessToken
-#endif
+  -> IO (Either TokenResponseError TokenResponse)
+fetchAccessTokenBasic =
+  runFetchAccessToken OAuth2.ClientSecretBasic

 fetchAccessTokenPost
  :: Manager
  -> OAuth2
  -> ExchangeToken
-  -> IO (OAuth2Result Errors OAuth2Token)
-fetchAccessTokenPost m o e = runOAuth2 $ f m (getOAuth2 o) e
- where
-#if MIN_VERSION_hoauth2(2, 6, 0)
-    f = OAuth2.fetchAccessTokenWithAuthMethod OAuth2.ClientSecretPost
-#elif MIN_VERSION_hoauth2(2,3,0)
-    f = OAuth2.fetchAccessTokenInternal OAuth2.ClientSecretPost
-#else
-    f = OAuth2.fetchAccessToken2
-#endif
+  -> IO (Either TokenResponseError TokenResponse)
+fetchAccessTokenPost =
+  runFetchAccessToken OAuth2.ClientSecretPost
+
+authGetBS :: Manager -> AccessToken -> URI -> IO (Either ByteString ByteString)
+authGetBS m a u = runExceptT $ OAuth2.authGetBS m a u
+
+getOAuth2 :: OAuth2 -> OAuth2.OAuth2
+getOAuth2 o =
+  OAuth2.OAuth2
+    { OAuth2.oauth2ClientId = oauth2ClientId o
+    , OAuth2.oauth2ClientSecret = oauth2ClientSecret o
+    , OAuth2.oauth2AuthorizeEndpoint = oauth2AuthorizeEndpoint o
+    , OAuth2.oauth2TokenEndpoint = oauth2TokenEndpoint o
+    , OAuth2.oauth2RedirectUri = case oauth2RedirectUri o of
+        Nothing ->
+          error
+            "programmer error: yesod-auth-oauth2:OAuth2 must have a Just value set as oauth2RedirectUri before using as an hauth2:OAuth2 value"
+        Just uri -> uri
+    }
+
+runFetchAccessToken
+  :: MonadIO m
+  => OAuth2.ClientAuthenticationMethod
+  -> Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> m (Either TokenResponseError TokenResponse)
+runFetchAccessToken am m o e = runExceptT $ OAuth2.fetchAccessTokenWithAuthMethod am m (getOAuth2 o) e
--- a/src/Yesod/Auth/OAuth2.hs
+++ b/src/Yesod/Auth/OAuth2.hs
@ -11,13 +11,13 @@ module Yesod.Auth.OAuth2
  ( OAuth2 (..)
  , FetchCreds
  , Manager
-  , OAuth2Token (..)
+  , TokenResponse
  , Creds (..)
  , oauth2Url
  , authOAuth2
  , authOAuth2Widget

-    -- * Alternatives that use 'fetchAccessToken2'
+    -- * Alternatives that use 'fetchAccessTokenPost'
  , authOAuth2'
  , authOAuth2Widget'

@ -49,7 +49,7 @@ oauth2Url name = PluginR name ["forward"]
 authOAuth2 :: YesodAuth m => Text -> OAuth2 -> FetchCreds m -> AuthPlugin m
 authOAuth2 name = authOAuth2Widget [whamlet|Login via #{name}|] name

-- | A version of 'authOAuth2' that uses 'fetchAccessToken2'
+-- | A version of 'authOAuth2' that uses 'fetchAccessTokenPost'
 --
 -- See <https://github.com/thoughtbot/yesod-auth-oauth2/pull/129>
 authOAuth2' :: YesodAuth m => Text -> OAuth2 -> FetchCreds m -> AuthPlugin m
@ -66,9 +66,9 @@ authOAuth2Widget
  -> OAuth2
  -> FetchCreds m
  -> AuthPlugin m
-authOAuth2Widget = buildPlugin fetchAccessToken
+authOAuth2Widget = buildPlugin fetchAccessTokenBasic

-- | A version of 'authOAuth2Widget' that uses 'fetchAccessToken2'
+-- | A version of 'authOAuth2Widget' that uses 'fetchAccessTokenPost'
 --
 -- See <https://github.com/thoughtbot/yesod-auth-oauth2/pull/129>
 authOAuth2Widget'
@ -78,7 +78,7 @@ authOAuth2Widget'
  -> OAuth2
  -> FetchCreds m
  -> AuthPlugin m
-authOAuth2Widget' = buildPlugin fetchAccessToken2
+authOAuth2Widget' = buildPlugin fetchAccessTokenPost

 buildPlugin
  :: YesodAuth m
--- a/src/Yesod/Auth/OAuth2/Auth0.hs
+++ b/src/Yesod/Auth/OAuth2/Auth0.hs
@ -52,7 +52,7 @@ oauth2Auth0HostScopes host scopes clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          host `withPath` "/authorize" `withQuery` [scopeParam " " scopes]
      , oauth2TokenEndpoint = host `withPath` "/oauth/token"
--- a/src/Yesod/Auth/OAuth2/AzureAD.hs
+++ b/src/Yesod/Auth/OAuth2/AzureAD.hs
@ -48,7 +48,7 @@ oauth2AzureADScoped scopes clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://login.windows.net/common/oauth2/authorize"
            `withQuery` [ scopeParam "," scopes
--- a/src/Yesod/Auth/OAuth2/AzureADv2.hs
+++ b/src/Yesod/Auth/OAuth2/AzureADv2.hs
@ -89,7 +89,7 @@ oauth2AzureADv2ScopedWidget widget scopes tenantId clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          tenantUrl "/authorize" `withQuery` [scopeParam " " scopes]
      , oauth2TokenEndpoint = tenantUrl "/token"
--- a/src/Yesod/Auth/OAuth2/BattleNet.hs
+++ b/src/Yesod/Auth/OAuth2/BattleNet.hs
@ -53,7 +53,7 @@ oauth2BattleNet widget region clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint = fromRelative "https" host "/oauth/authorize"
      , oauth2TokenEndpoint = fromRelative "https" host "/oauth/token"
      , oauth2RedirectUri = Nothing
--- a/src/Yesod/Auth/OAuth2/Bitbucket.hs
+++ b/src/Yesod/Auth/OAuth2/Bitbucket.hs
@ -55,7 +55,7 @@ oauth2BitbucketScoped scopes clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://bitbucket.com/site/oauth2/authorize"
            `withQuery` [scopeParam "," scopes]
--- a/src/Yesod/Auth/OAuth2/ClassLink.hs
+++ b/src/Yesod/Auth/OAuth2/ClassLink.hs
@ -43,7 +43,7 @@ oauth2ClassLinkScoped scopes clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://launchpad.classlink.com/oauth2/v2/auth"
            `withQuery` [scopeParam "," scopes]
--- a/src/Yesod/Auth/OAuth2/Dispatch.hs
+++ b/src/Yesod/Auth/OAuth2/Dispatch.hs
@ -6,8 +6,8 @@

 module Yesod.Auth.OAuth2.Dispatch
  ( FetchToken
-  , fetchAccessToken
-  , fetchAccessToken2
+  , fetchAccessTokenBasic
+  , fetchAccessTokenPost
  , FetchCreds
  , dispatchAuthRequest
  ) where
@ -31,10 +31,13 @@ import Yesod.Core hiding (ErrorResponse)
 --
 -- This will be 'fetchAccessToken' or 'fetchAccessToken2'
 type FetchToken =
-  Manager -> OAuth2 -> ExchangeToken -> IO (OAuth2Result Errors OAuth2Token)
+  Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> IO (Either TokenResponseError TokenResponse)

 -- | How to take an @'OAuth2Token'@ and retrieve user credentials
-type FetchCreds m = Manager -> OAuth2Token -> IO (Creds m)
+type FetchCreds m = Manager -> TokenResponse -> IO (Creds m)

 -- | Dispatch the various OAuth2 handshake routes
 dispatchAuthRequest
--- a/src/Yesod/Auth/OAuth2/DispatchError.hs
+++ b/src/Yesod/Auth/OAuth2/DispatchError.hs
@ -16,7 +16,7 @@ module Yesod.Auth.OAuth2.DispatchError

 import Control.Monad.Except
 import Data.Text (Text, pack)
-import Network.OAuth.OAuth2.Compat (Errors)
+import Network.OAuth.OAuth2.Compat (TokenResponseError)
 import UnliftIO.Except ()
 import UnliftIO.Exception
 import Yesod.Auth hiding (ServerError)
@ -30,7 +30,7 @@ data DispatchError
  | InvalidStateToken (Maybe Text) Text
  | InvalidCallbackUri Text
  | OAuth2HandshakeError ErrorResponse
-  | OAuth2ResultError Errors
+  | OAuth2ResultError TokenResponseError
  | FetchCredsIOException IOException
  | FetchCredsYesodOAuth2Exception YesodOAuth2Exception
  | OtherDispatchError Text
--- a/src/Yesod/Auth/OAuth2/EveOnline.hs
+++ b/src/Yesod/Auth/OAuth2/EveOnline.hs
@ -76,7 +76,7 @@ oauth2EveScoped scopes widgetType clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://login.eveonline.com/oauth/authorize"
            `withQuery` [("response_type", "code"), scopeParam " " scopes]
--- a/src/Yesod/Auth/OAuth2/Exception.hs
+++ b/src/Yesod/Auth/OAuth2/Exception.hs
@ -1,5 +1,3 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-
 module Yesod.Auth.OAuth2.Exception
  ( YesodOAuth2Exception (..)
  ) where
@ -21,6 +19,6 @@ data YesodOAuth2Exception
    --
    -- Plugin name and error message.
    GenericError Text String
-  deriving (Show, Typeable)
+  deriving (Show)

 instance Exception YesodOAuth2Exception
--- a/src/Yesod/Auth/OAuth2/GitHub.hs
+++ b/src/Yesod/Auth/OAuth2/GitHub.hs
@ -61,7 +61,7 @@ oauth2GitHubScopedWidget widget scopes clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://github.com/login/oauth/authorize"
            `withQuery` [scopeParam "," scopes]
--- a/src/Yesod/Auth/OAuth2/GitLab.hs
+++ b/src/Yesod/Auth/OAuth2/GitLab.hs
@ -53,7 +53,7 @@ oauth2GitLabHostScopes host scopes clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          host `withPath` "/oauth/authorize" `withQuery` [scopeParam " " scopes]
      , oauth2TokenEndpoint = host `withPath` "/oauth/token"
--- a/src/Yesod/Auth/OAuth2/Google.hs
+++ b/src/Yesod/Auth/OAuth2/Google.hs
@ -80,7 +80,7 @@ oauth2GoogleScopedWidget widget scopes clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://accounts.google.com/o/oauth2/auth"
            `withQuery` [scopeParam " " scopes]
--- a/src/Yesod/Auth/OAuth2/Nylas.hs
+++ b/src/Yesod/Auth/OAuth2/Nylas.hs
@ -55,7 +55,7 @@ oauth2Nylas clientId clientSecret =
  oauth =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://api.nylas.com/oauth/authorize"
            `withQuery` [ ("response_type", "code")
--- a/src/Yesod/Auth/OAuth2/ORCID.hs
+++ b/src/Yesod/Auth/OAuth2/ORCID.hs
@ -41,7 +41,7 @@ oauth2ORCID clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://orcid.org/oauth/authorize"
            `withQuery` [scopeParam " " ["openid"]]
--- a/src/Yesod/Auth/OAuth2/Prelude.hs
+++ b/src/Yesod/Auth/OAuth2/Prelude.hs
@ -30,7 +30,12 @@ module Yesod.Auth.OAuth2.Prelude

    -- * OAuth2
  , OAuth2 (..)
-  , OAuth2Token (..)
+  , TokenResponse
+  , accessToken
+  , refreshToken
+  , expiresIn
+  , tokenType
+  , idToken
  , AccessToken (..)
  , RefreshToken (..)

@ -78,7 +83,7 @@ authGetProfile
  :: FromJSON a
  => Text
  -> Manager
-  -> OAuth2Token
+  -> TokenResponse
  -> URI
  -> IO (a, BL.ByteString)
 authGetProfile name manager token url = do
@ -114,7 +119,7 @@ scopeParam d = ("scope",) . encodeUtf8 . T.intercalate d
 -- May set the following keys:
 --
 -- - @refreshToken@: if the provider supports refreshing the @accessToken@
-setExtra :: OAuth2Token -> BL.ByteString -> [(Text, Text)]
+setExtra :: TokenResponse -> BL.ByteString -> [(Text, Text)]
 setExtra token userResponse =
  [ ("accessToken", atoken $ accessToken token)
  , ("userResponse", decodeUtf8 $ BL.toStrict userResponse)
--- a/src/Yesod/Auth/OAuth2/Salesforce.hs
+++ b/src/Yesod/Auth/OAuth2/Salesforce.hs
@ -76,7 +76,7 @@ salesforceHelper name profileUri authorizeUri tokenUri scopes clientId clientSec
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint = authorizeUri `withQuery` [scopeParam " " scopes]
      , oauth2TokenEndpoint = tokenUri
      , oauth2RedirectUri = Nothing
--- a/src/Yesod/Auth/OAuth2/Slack.hs
+++ b/src/Yesod/Auth/OAuth2/Slack.hs
@ -74,7 +74,7 @@ oauth2SlackScoped scopes clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://slack.com/oauth/authorize"
            `withQuery` [scopeParam "," $ map scopeText scopes]
--- a/src/Yesod/Auth/OAuth2/Spotify.hs
+++ b/src/Yesod/Auth/OAuth2/Spotify.hs
@ -37,7 +37,7 @@ oauth2Spotify scopes clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://accounts.spotify.com/authorize"
            `withQuery` [scopeParam " " scopes]
--- a/src/Yesod/Auth/OAuth2/Twitch.hs
+++ b/src/Yesod/Auth/OAuth2/Twitch.hs
@ -49,7 +49,7 @@ oauth2TwitchScoped scopes clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://id.twitch.tv/oauth2/authorize"
            `withQuery` [scopeParam " " scopes]
--- a/src/Yesod/Auth/OAuth2/Upcase.hs
+++ b/src/Yesod/Auth/OAuth2/Upcase.hs
@ -44,7 +44,7 @@ oauth2Upcase clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint = "http://upcase.com/oauth/authorize"
      , oauth2TokenEndpoint = "http://upcase.com/oauth/token"
      , oauth2RedirectUri = Nothing
--- a/src/Yesod/Auth/OAuth2/WordPressDotCom.hs
+++ b/src/Yesod/Auth/OAuth2/WordPressDotCom.hs
@ -41,7 +41,7 @@ oauth2WordPressDotCom clientId clientSecret =
  oauth2 =
    OAuth2
      { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
      , oauth2AuthorizeEndpoint =
          "https://public-api.wordpress.com/oauth2/authorize"
            `withQuery` [scopeParam "," ["auth"]]
--- a/stack-hoauth2-2.0.yaml
+++ b/stack-hoauth2-2.0.yaml
@ -1,4 +0,0 @@
-resolver: lts-18.28
-extra-deps:
-  - crypton-1.0.0
-  - hoauth2-2.0.0
--- a/stack-hoauth2-2.0.yaml.lock
+++ b/stack-hoauth2-2.0.yaml.lock
@ -1,26 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
- completed:
-    hackage: hoauth2-2.0.0@sha256:4686d776272d4c57d3c8dbeb9e58b04afe4d2b410382011bd78a3d2bfb08a3fe,5662
-    pantry-tree:
-      sha256: 291b3dd90854ef44f270519ec17e34b6778f8430f6d6517bd67b0128bd549553
-      size: 2171
-  original:
-    hackage: hoauth2-2.0.0
-snapshots:
- completed:
-    sha256: 428ec8d5ce932190d3cbe266b9eb3c175cd81e984babf876b64019e2cbe4ea68
-    size: 590100
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/18/28.yaml
-  original: lts-18.28
--- a/stack-hoauth2-2.2.yaml
+++ b/stack-hoauth2-2.2.yaml
@ -1,4 +0,0 @@
-resolver: nightly-2022-02-25
-extra-deps:
-  - crypton-1.0.0
-  - hoauth2-2.2.0
--- a/stack-hoauth2-2.2.yaml.lock
+++ b/stack-hoauth2-2.2.yaml.lock
@ -1,26 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
- completed:
-    hackage: hoauth2-2.2.0@sha256:83a96156717d9e2c93394b35bef4151f82b90dc88b83d0e35c0bf1158bd41c6c,2801
-    pantry-tree:
-      sha256: d6e2d12e0e66eb9392301ec97d50677afb71608568f3664eb466a4451c66ba59
-      size: 593
-  original:
-    hackage: hoauth2-2.2.0
-snapshots:
- completed:
-    sha256: b18614ab8986a4ba6d469921a2c18decab244af78309effa3d2dab85dbdfef80
-    size: 611886
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/nightly/2022/2/25.yaml
-  original: nightly-2022-02-25
--- a/stack-hoauth2-2.3.yaml
+++ b/stack-hoauth2-2.3.yaml
@ -1,4 +0,0 @@
-resolver: nightly-2022-02-25
-extra-deps:
-  - crypton-1.0.0
-  - hoauth2-2.3.0
--- a/stack-hoauth2-2.3.yaml.lock
+++ b/stack-hoauth2-2.3.yaml.lock
@ -1,26 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
- completed:
-    hackage: hoauth2-2.3.0@sha256:213744356007a4686ff3bb72105843d478bc0ba6229659429cbe241a99f55095,2816
-    pantry-tree:
-      sha256: e559c811165a2e75cfe649b68396466b3bd0b6a5353a9d6476605e6a40e0eb37
-      size: 594
-  original:
-    hackage: hoauth2-2.3.0
-snapshots:
- completed:
-    sha256: b18614ab8986a4ba6d469921a2c18decab244af78309effa3d2dab85dbdfef80
-    size: 611886
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/nightly/2022/2/25.yaml
-  original: nightly-2022-02-25
--- a/stack-hoauth2-2.6.yaml
+++ b/stack-hoauth2-2.6.yaml
@ -1,7 +0,0 @@
-resolver: nightly-2022-12-09
-extra-deps:
-  - crypton-1.0.0
-  - hoauth2-2.6.0
-allow-newer: true
-allow-newer-deps:
-  - hoauth2 # allow newer memory and text
--- a/stack-hoauth2-2.6.yaml.lock
+++ b/stack-hoauth2-2.6.yaml.lock
@ -1,26 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
- completed:
-    hackage: hoauth2-2.6.0@sha256:168321df73bf75dc7cdda8e72725e9f3f624a9776b1fe59ae46c29c45029dc5d,2262
-    pantry-tree:
-      sha256: 5d39759b171cfaaf5842069a5548c2c1a41c0978645d018da7df713a186192b5
-      size: 859
-  original:
-    hackage: hoauth2-2.6.0
-snapshots:
- completed:
-    sha256: b77e2c2b7988ed34cd317c01eb1958a8b8c234c3cc17e44077616c212959bed0
-    size: 558756
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/nightly/2022/12/9.yaml
-  original: nightly-2022-12-09
--- a/stack-lts-16.31.yaml
+++ b/stack-lts-16.31.yaml
@ -1,3 +0,0 @@
-resolver: lts-16.31
-extra-deps:
-  - crypton-1.0.0
--- a/stack-lts-16.31.yaml.lock
+++ b/stack-lts-16.31.yaml.lock
@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-snapshots:
- completed:
-    sha256: 637fb77049b25560622a224845b7acfe81a09fdb6a96a3c75997a10b651667f6
-    size: 534126
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/16/31.yaml
-  original: lts-16.31
--- a/stack-lts-18.28.yaml
+++ b/stack-lts-18.28.yaml
@ -1,3 +0,0 @@
-resolver: lts-18.28
-extra-deps:
-  - crypton-1.0.0
--- a/stack-lts-18.28.yaml.lock
+++ b/stack-lts-18.28.yaml.lock
@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-snapshots:
- completed:
-    sha256: 428ec8d5ce932190d3cbe266b9eb3c175cd81e984babf876b64019e2cbe4ea68
-    size: 590100
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/18/28.yaml
-  original: lts-18.28
--- a/stack-lts-19.33.yaml
+++ b/stack-lts-19.33.yaml
@ -1,3 +0,0 @@
-resolver: lts-19.33
-extra-deps:
-  - crypton-1.0.0
--- a/stack-lts-19.33.yaml.lock
+++ b/stack-lts-19.33.yaml.lock
@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-snapshots:
- completed:
-    sha256: 6d1532d40621957a25bad5195bfca7938e8a06d923c91bc52aa0f3c41181f2d4
-    size: 619204
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/19/33.yaml
-  original: lts-19.33
--- a/stack-lts-20.26.yaml
+++ b/stack-lts-20.26.yaml
@ -1,3 +0,0 @@
-resolver: lts-20.26
-extra-deps:
-  - crypton-1.0.0
--- a/stack-lts-20.26.yaml.lock
+++ b/stack-lts-20.26.yaml.lock
@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-snapshots:
- completed:
-    sha256: 5a59b2a405b3aba3c00188453be172b85893cab8ebc352b1ef58b0eae5d248a2
-    size: 650475
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/20/26.yaml
-  original: lts-20.26
--- a/stack-lts-21.25.yaml.lock
+++ b/stack-lts-21.25.yaml.lock
@ -1,12 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages: []
-snapshots:
- completed:
-    sha256: a81fb3877c4f9031e1325eb3935122e608d80715dc16b586eb11ddbff8671ecd
-    size: 640086
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/21/25.yaml
-  original: lts-21.25
--- a/stack-lts-21.25.yaml
+++ b/stack-lts-21.25.yaml
--- a/stack-lts22.yaml
+++ b/stack-lts22.yaml
@ -0,0 +1 @@
+resolver: lts-22.44
--- a/stack-lts23.yaml
+++ b/stack-lts23.yaml
@ -0,0 +1 @@
+resolver: lts-23.28
--- a/stack-lts24.yaml
+++ b/stack-lts24.yaml
@ -0,0 +1 @@
+resolver: lts-24.26
--- a/stack-nightly.yaml
+++ b/stack-nightly.yaml
@ -1,13 +1,4 @@
-resolver: nightly-2024-02-27
+resolver: nightly-2026-01-05
 extra-deps:
-  - yesod-auth-1.6.11.2
-
-  # For yesod-auth
-  - email-validate-2.3.2.19
-  - yesod-form-1.7.6
-  - yesod-1.6.2.1
  - cryptonite-0.30
-
-allow-newer: true
-allow-newer-deps:
-  - email-validate
+  - yesod-auth-1.6.11.3
--- a/stack-nightly.yaml.lock
+++ b/stack-nightly.yaml.lock
@ -1,40 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: yesod-auth-1.6.11.2@sha256:c580afaccc311ad90fc8a90210b5cf998d95350ddffb622e45282d9b640cf519,3108
-    pantry-tree:
-      sha256: 58e36ca675fc01109915342d4df9cb2680fd37ff20919d84694cdd1d52eb7dc3
-      size: 1013
-  original:
-    hackage: yesod-auth-1.6.11.2
- completed:
-    hackage: email-validate-2.3.2.19@sha256:206a835fe99a79f2360c576e3594d8add82d2f1e001d58b49a60f60233da2bf5,1380
-    pantry-tree:
-      sha256: 391475ca7c84d59b1d8de362856acd2f56321d29d54ffcd05ed2a170d4e62692
-      size: 419
-  original:
-    hackage: email-validate-2.3.2.19
- completed:
-    hackage: yesod-form-1.7.6@sha256:42219f2c4feaa2de32280c0b8f98db818f993152693a79960808fd3001a4c0e2,3434
-    pantry-tree:
-      sha256: 8a48fc861796a61cf6abd2087fedd86844ba5c3e11c89c74d2d04c4656d69997
-      size: 1797
-  original:
-    hackage: yesod-form-1.7.6
- completed:
-    hackage: yesod-1.6.2.1@sha256:504bc888257dae9bb40f4cd1e1110c4e80dfe7b867e8e207b22c4ca4dbd87f9a,2030
-    pantry-tree:
-      sha256: 5a78fa0c6e7dcb46c9acd687ab9409c8fcda0d59b930e2a93e5dc44128c740ec
-      size: 618
-  original:
-    hackage: yesod-1.6.2.1
-snapshots:
- completed:
-    sha256: e596f5467d31095fd7b9f750e82aeffe012e38e795c13e1cdc945c9cab928085
-    size: 604415
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/nightly/2024/2/27.yaml
-  original: nightly-2024-02-27
--- a/stack.yaml
+++ b/stack.yaml
@ -1 +0,0 @@
-resolver: lts-22.12
--- a/stack.yaml
+++ b/stack.yaml
@ -0,0 +1 @@
+stack-lts24.yaml
--- a/stack.yaml.lock
+++ b/stack.yaml.lock
@ -1,12 +1,12 @@
 # This file was autogenerated by Stack.
 # You should not edit this file by hand.
 # For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
+#   https://docs.haskellstack.org/en/stable/topics/lock_files

 packages: []
 snapshots:
 - completed:
-    sha256: e2c529ccfb21501f98f639e056cbde50470b86256d9849d7a82d414ca23e4276
-    size: 712898
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/22/12.yaml
-  original: lts-22.12
+    sha256: d90eb1418667a225998b173817300e5ae2e1500ed03c0a9457cc2a0e78a0122a
+    size: 726337
+    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/24/26.yaml
+  original: lts-24.26
--- a/yesod-auth-oauth2.cabal
+++ b/yesod-auth-oauth2.cabal
@ -1,10 +1,10 @@
 cabal-version: 1.18

-- This file has been generated from package.yaml by hpack version 0.37.0.
+-- This file has been generated from package.yaml by hpack version 0.38.1.
 --
 -- see: https://github.com/sol/hpack
 --
-- hash: 6df1b551d88fc83903790620d83c1f4f549b14ab976cd46cb6bfb1e26722cf4f
+-- hash: dc142db361fed3689429889b831a2a76c4bb29da073c24340afacf62d3c14faa

 name:           yesod-auth-oauth2
 version:        0.7.4.0
@ -74,7 +74,7 @@ library
    , bytestring >=0.9.1.4
    , crypton
    , errors
-    , hoauth2 >=1.11.0
+    , hoauth2 >=2.8.0
    , http-client >=0.4.0
    , http-conduit >=2.0
    , http-types >=0.8