From ef7c4228023298e112402a883e54fbe1718eb62d Mon Sep 17 00:00:00 2001 From: nbloomf Date: Tue, 7 Jul 2020 23:50:23 -0500 Subject: [PATCH 1/2] Bump version bounds for dependency hoauth2 We're about to replace the call to `fetchAccessToken` from hoauth2 by `fetchAccessToken2`, which was introduced in 1.7.0 and amended in 1.11.0, to allow for oauth2 implementations that expect POST token payloads. Either the initial or the amended version of `fetchAccessToken2` would work for this, but here we've chosen the most conservative working version bump. --- package.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.yaml b/package.yaml index 552f81a..d31f6ca 100644 --- a/package.yaml +++ b/package.yaml @@ -25,7 +25,7 @@ library: - aeson >=0.6 && <1.5 - bytestring >=0.9.1.4 - errors - - hoauth2 >=1.3.0 && <1.9 + - hoauth2 >=1.7.0 && <1.11 - http-client >=0.4.0 && <0.7 - http-conduit >=2.0 && <3.0 - http-types >=0.8 && <0.13 From f4e57ab7c53e4524201596ec2e5db95e8f19ca10 Mon Sep 17 00:00:00 2001 
From: nbloomf Date: Wed, 8 Jul 2020 00:05:14 -0500 Subject: [PATCH 2/2] Replace call to `fetchAccessToken` with `fetchAccessToken2` This comment comes from hoauth2: -- OAuth2 spec allows `client_id` and `client_secret` to -- either be sent in the header (as basic authentication) -- OR as form/url params. -- The OAuth server can choose to implement only one, or both. -- Unfortunately, there is no way for the OAuth client (i.e. this library) to -- know which method to use. Please take a look at the documentation of the -- service that you are integrating with and either use `fetchAccessToken` or `fetchAccessToken2` `fetchAccessToken2` is a drop-in replacement for `fetchAccessToken` that just adds `client_id` and `client_secret` to the body as form parameters, as permitted by [RFC 6749](https://tools.ietf.org/html/rfc6749#section-2.3.1). Some authorization server implementations only accept client credentials in this form. --- src/Yesod/Auth/OAuth2/Dispatch.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Yesod/Auth/OAuth2/Dispatch.hs b/src/Yesod/Auth/OAuth2/Dispatch.hs index f96581a..9011758 100644 --- a/src/Yesod/Auth/OAuth2/Dispatch.hs +++ b/src/Yesod/Auth/OAuth2/Dispatch.hs @@ -67,7 +67,7 @@ dispatchCallback name oauth2 getCreds = do code <- requireGetParam "code" manager <- authHttpManager oauth2' <- withCallbackAndState name oauth2 csrf - token <- errLeft $ fetchAccessToken manager oauth2' $ ExchangeToken code + token <- errLeft $ fetchAccessToken2 manager oauth2' $ ExchangeToken code creds <- errLeft $ tryFetchCreds $ getCreds manager token setCredsRedirect creds where
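Review bot: In the package.yaml hunk, the new upper bound `<1.11` deliberately excludes the hoauth2 release in which the commit message says `fetchAccessToken2` was amended, so the bump buys only the original 1.7.0 behaviour; worth a short comment or changelog line recording why `<1.11` was chosen so the next person bumping bounds knows the 1.11.0 change was evaluated and not just overlooked. Since the second patch changes how client credentials are transmitted for every provider, this also looks like a minor-version bump of this package rather than a patch release, which is not reflected in the diff.

Review bot: In the Dispatch.hs hunk, the switch from `fetchAccessToken` to `fetchAccessToken2` is unconditional, so every configured provider now receives `client_id` and `client_secret` as form parameters instead of in the Basic authentication header; the hoauth2 comment quoted in the commit message says a server may implement only one of the two methods, so providers that accept only header-based authentication will start failing at the token exchange. Consider making the method selectable per provider (or at least documenting the behaviour change in the README and changelog, since it is invisible from the one-line diff). Also check that the module's import of the hoauth2 API brings `fetchAccessToken2` into scope; the hunk changes only the call site, and an explicit import list would need the new name added.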