Fix STACK_YAML in release

We removed some resolvers, so we need to update the minimum that's used
here.

.env.example

@@ -1,3 +1,4 @@
+# shellcheck disable=SC2034
 #
 # Copy this file to .env and update the credentials for the providers you are
 # trying to test. These variables must all have non-empty values for the
@@ -5,9 +6,18 @@
 # you plan to try.
 #
 ###
+
+AUTH0_HOST=x
+AUTH0_CLIENT_ID=x
+AUTH0_CLIENT_SECRET=x
+
 AZURE_AD_CLIENT_ID=x
 AZURE_AD_CLIENT_SECRET=x
 
+AZURE_ADV2_TENANT_ID=x
+AZURE_ADV2_CLIENT_ID=x
+AZURE_ADV2_CLIENT_SECRET=x
+
 BATTLE_NET_CLIENT_ID=x
 BATTLE_NET_CLIENT_SECRET=x
 
@@ -41,6 +51,9 @@ SLACK_CLIENT_SECRET=x
 SPOTIFY_CLIENT_ID=x
 SPOTIFY_CLIENT_SECRET=x
 
+TWITCH_CLIENT_ID=x
+TWITCH_CLIENT_SECRET=x
+
 UPCASE_CLIENT_ID=x
 UPCASE_CLIENT_SECRET=x
 

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @freckle/backenders

.github/workflows/add-asana-comment.yml.bak

@@ -0,0 +1,16 @@
+name: Asana
+
+on:
+  pull_request:
+    types: [opened]
+
+jobs:
+  link-asana-task:
+    if: ${{ github.actor != 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: Asana/create-app-attachment-github-action@v1.3
+        id: postAttachment
+        with:
+          asana-secret: ${{ secrets.ASANA_API_ACCESS_KEY }}
+      - run: echo "Status is ${{ steps.postAttachment.outputs.status }}"

.github/workflows/ci.yml

@@ -5,37 +5,45 @@ on:
   push:
     branches: main
 
-jobs:
-  test:
-    runs-on: ubuntu-latest
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
+permissions:
+  contents: read
+
+jobs:
+  generate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - id: generate
+        uses: freckle/stack-action/generate-matrix@v5
+    outputs:
+      stack-yamls: ${{ steps.generate.outputs.stack-yamls }}
+
+  test:
+    needs: generate
     strategy:
       matrix:
-        stack-yaml:
-          - stack.yaml
-          - stack-hoauth2-2.0.yaml
-          - stack-lts-17.4.yaml
-          - stack-lts-16.10.yaml
-          - stack-lts-13.2.yaml
+        stack-yaml: ${{ fromJSON(needs.generate.outputs.stack-yamls) }}
       fail-fast: false
 
+    runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v2
-      - uses: freckle/stack-cache-action@v2
+      - uses: actions/checkout@v5
+      - uses: freckle/stack-action@v5
         with:
-          stack-yaml: ${{ matrix.stack-yaml }}
-      - uses: freckle/stack-action@v3
-        with:
-          stack-yaml: ${{ matrix.stack-yaml }}
-          stack-arguments: --flag yesod-auth-oauth2:example
+          stack-build-arguments: --flag yesod-auth-oauth2:example
+        env:
+          STACK_YAML: ${{ matrix.stack-yaml }}
 
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - run:
-          curl --output .hlint.yaml https://raw.githubusercontent.com/pbrisbin/dotfiles/master/hlint.yaml
-      - uses: rwe/actions-hlint-setup@v1
-      - uses: rwe/actions-hlint-run@v2
+      - uses: actions/checkout@v5
+      - uses: haskell-actions/hlint-setup@v2
+      - uses: haskell-actions/hlint-run@v2
         with:
           fail-on: warning

.github/workflows/release.yml

@@ -8,16 +8,15 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
 
       - id: tag
-        uses: freckle/haskell-tag-action@main
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: freckle/haskell-tag-action@v1
 
       - if: steps.tag.outputs.tag
-        uses: freckle/stack-upload-action@main
-        with:
-          pvp-bounds: lower
+        run: stack upload --pvp-bounds lower .
         env:
-          HACKAGE_API_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
+          HACKAGE_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
+
+          # Use minimum LTS to set lowest lower bounds
+          STACK_YAML: stack-lts21.yaml

.gitignore

@@ -1,4 +1,5 @@
 .stack-work
+TAGS
 
 # OAuth keys configuration for the example
 .env*

.restyled.yaml

@@ -1,10 +1,4 @@
 restylers:
-  - brittany:
-      include:
-        - "**/*.hs"
-        - "!src/Network/OAuth/OAuth2/Compat.hs" # CPP
-  - stylish-haskell:
-      include:
-        - "**/*.hs"
-        - "!src/Network/OAuth/OAuth2/Compat.hs" # CPP
+  - fourmolu
+  - "!stylish-haskell"
   - "*"

.stack-all

@@ -0,0 +1,2 @@
+[versions]
+oldest = lts-21

.stylish-haskell.yaml

@@ -1,21 +0,0 @@
-steps:
-  - simple_align:
-      cases: false
-      top_level_patterns: false
-      records: false
-  - imports:
-      align: none
-      list_align: after_alias
-      pad_module_names: false
-      long_list_align: new_line_multiline
-      empty_list_align: right_after
-      list_padding: 4
-      separate_lists: false
-      space_surround: false
-  - language_pragmas:
-      style: vertical
-      align: false
-      remove_redundant: true
-  - trailing_whitespace: {}
-columns: 80
-newline: native

CHANGELOG.md

@@ -1,6 +1,62 @@
-## [_Unreleased_](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.0.0...main)
+## [_Unreleased_](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.8.0.0...main)
 
-None
+## [v0.8.0.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.4.0...v0.8.0.0)
+
+- Drop support for GHC < 9.4 and hoauth2 < 2.8
+- Add support for GHC 9.12 and hoauth2-2.15
+- To align our interfaces with hoauth2-2.15:
+  - Make `OAuth2 {clientSecret}` non-`Maybe`
+  - Replace `OAuthToken` with `TokenResponse`
+  - Replace `Errors` with `TokenResponseError`
+  - Replace `fetchAccessToken{,2}` with `fetchAccessToken{Basic,Post}`
+
+While technically a major version bump, this change should only affect those
+users that maintain their own plugins.
+
+## [v0.7.4.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.3.0...v0.7.4.0)
+
+- Add `oauth2AzureADv2Widget` and `oauth2AzureADv2ScopedWidget`
+
+## [v0.7.3.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.2.0...v0.7.3.0)
+
+- Add ORCID provider
+- Drop support for LTS-12 / GHC-8.6
+- Replace `cryptonite` with `crypton`
+
+## [v0.7.2.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.3...v0.7.2.0)
+
+- Add `oauth2GitHubWidget` and `oauth2GitHubScopedWidget`
+  [@jaanisfehling](https://github.com/freckle/yesod-auth-oauth2/pull/181)
+
+## [v0.7.1.3](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.2...v0.7.1.3)
+
+- Add support (with caveats) for relative approots
+  [@cptrodolfox](https://github.com/freckle/yesod-auth-oauth2/pull/178)
+
+## [v0.7.1.2](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.1...v0.7.1.2)
+
+- Support `hoauth2-2.9`.
+
+## [v0.7.1.1](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.0...v0.7.1.1)
+
+- Support `mtl-2.3`, which no longer re-exports `Control.Monad`
+
+## [v0.7.1.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.0.3...v0.7.1.0)
+
+- Add `AzureADv2` provider
+
+## [v0.7.0.3](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.0.2...v0.7.0.3)
+
+- Support `hoauth-2.7`. This change is only breaking in the unlikely case of users
+  using something other than `fetchAccessToken` or `fetchAccessToken2`
+
+## [v0.7.0.2](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.0.1...v0.7.0.2)
+
+- Add Auth0 provider ([@hw202207](https://github.com/freckle/yesod-auth-oauth2/pull/162))
+
+## [v0.7.0.1](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.0.0...v0.7.0.1)
+
+- Support `hoauth-2.2` and `2.3`
 
 ## [v0.7.0.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.3.4...v0.7.0.0)
 

README.md

@@ -1,5 +1,10 @@
 # Yesod.Auth.OAuth2
 
+[![Hackage](https://img.shields.io/hackage/v/yesod-auth-oauth2.svg?style=flat)](https://hackage.haskell.org/package/yesod-auth-oauth2)
+[![Stackage Nightly](http://stackage.org/package/yesod-auth-oauth2/badge/nightly)](http://stackage.org/nightly/package/yesod-auth-oauth2)
+[![Stackage LTS](http://stackage.org/package/yesod-auth-oauth2/badge/lts)](http://stackage.org/lts/package/yesod-auth-oauth2)
+[![CI](https://github.com/freckle/yesod-auth-oauth2/actions/workflows/ci.yml/badge.svg)](https://github.com/pbrisbin/freckle/yesod-auth-oauth2/workflows/ci.yml)
+
 OAuth2 `AuthPlugin`s for Yesod.
 
 ## Usage
@@ -112,6 +117,26 @@ stack build --pedantic --test
 
 Please also run HLint and Weeder before submitting PRs.
 
+## Example
+
+This project includes an executable that runs a server with (almost) all
+supported providers present.
+
+To use:
+
+1. `cp .env.example .env` and edit in secrets for providers you wish to test
+
+   Be sure to include `http://localhost:3000/auth/page/{plugin}/callback` as a
+   valid Redirect URI when configuring the OAuth application.
+
+2. Build with the example: `stack build ... --flag yesod-auth-oauth2:example`
+3. Run the example `stack exec yesod-auth-oauth2-example`
+4. Visit the example: `$BROWSER http://localhost:3000`
+5. Click the log-in link for the provider you configured
+
+If successful, you will be presented with a page that shows the credential and
+User response value.
+
 ---
 
 [CHANGELOG](./CHANGELOG.md) | [LICENSE](./LICENSE)

example/Main.hs

@@ -6,19 +6,6 @@
 {-# LANGUAGE TypeApplications #-}
 {-# LANGUAGE TypeFamilies #-}
 
--- |
---
--- This single-file Yesod app uses all plugins defined within this site, as a
--- means of manual verification that they work. When adding a new plugin, add
--- usage of it here and verify locally that it works.
---
--- To do so, see @.env.example@, then:
---
--- > stack build --flag yesod-auth-oauth2:example
--- > stack exec yesod-auth-oauth2-example
--- >
--- > $BROWSER http://localhost:3000
---
 module Main where
 
 import Data.Aeson
@@ -26,7 +13,8 @@ import Data.Aeson.Encode.Pretty
 import Data.ByteString.Lazy (fromStrict, toStrict)
 import qualified Data.Map as M
 import Data.Maybe (fromJust)
-import Data.Text (Text)
+import Data.String (IsString (fromString))
+import Data.Text (Text, pack)
 import qualified Data.Text as T
 import Data.Text.Encoding (decodeUtf8)
 import LoadEnv
@@ -35,7 +23,9 @@ import Network.Wai.Handler.Warp (runEnv)
 import System.Environment (getEnv)
 import Yesod
 import Yesod.Auth
+import Yesod.Auth.OAuth2.Auth0
 import Yesod.Auth.OAuth2.AzureAD
+import Yesod.Auth.OAuth2.AzureADv2
 import Yesod.Auth.OAuth2.BattleNet
 import Yesod.Auth.OAuth2.Bitbucket
 import Yesod.Auth.OAuth2.ClassLink
@@ -44,68 +34,73 @@ import Yesod.Auth.OAuth2.GitHub
 import Yesod.Auth.OAuth2.GitLab
 import Yesod.Auth.OAuth2.Google
 import Yesod.Auth.OAuth2.Nylas
+import Yesod.Auth.OAuth2.ORCID
 import Yesod.Auth.OAuth2.Salesforce
 import Yesod.Auth.OAuth2.Slack
 import Yesod.Auth.OAuth2.Spotify
+import Yesod.Auth.OAuth2.Twitch
 import Yesod.Auth.OAuth2.Upcase
 import Yesod.Auth.OAuth2.WordPressDotCom
 
 data App = App
-    { appHttpManager :: Manager
-    , appAuthPlugins :: [AuthPlugin App]
-    }
+  { appHttpManager :: Manager
+  , appAuthPlugins :: [AuthPlugin App]
+  }
 
-mkYesod "App" [parseRoutes|
+mkYesod
+  "App"
+  [parseRoutes|
     / RootR GET
     /auth AuthR Auth getAuth
 |]
 
 instance Yesod App where
-    -- see https://github.com/thoughtbot/yesod-auth-oauth2/issues/87
-    approot = ApprootStatic "http://localhost:3000"
+  -- see https://github.com/thoughtbot/yesod-auth-oauth2/issues/87
+  approot = ApprootStatic "http://localhost:3000"
 
 instance YesodAuth App where
-    type AuthId App = Text
-    loginDest _ = RootR
-    logoutDest _ = RootR
+  type AuthId App = Text
+  loginDest _ = RootR
+  logoutDest _ = RootR
 
-    -- Disable any attempt to read persisted authenticated state
-    maybeAuthId = return Nothing
+  -- Disable any attempt to read persisted authenticated state
+  maybeAuthId = return Nothing
 
-    -- Copy the Creds response into the session for viewing after
-    authenticate c = do
-        mapM_ (uncurry setSession)
-            $ [("credsIdent", credsIdent c), ("credsPlugin", credsPlugin c)]
-            ++ credsExtra c
+  -- Copy the Creds response into the session for viewing after
+  authenticate c = do
+    mapM_ (uncurry setSession) $
+      [("credsIdent", credsIdent c), ("credsPlugin", credsPlugin c)]
+        ++ credsExtra c
 
-        return $ Authenticated "1"
+    return $ Authenticated "1"
 
-    authPlugins = appAuthPlugins
+  authPlugins = appAuthPlugins
 
 instance RenderMessage App FormMessage where
-    renderMessage _ _ = defaultFormMessage
+  renderMessage _ _ = defaultFormMessage
 
 -- brittany-disable-next-binding
 
 getRootR :: Handler Html
 getRootR = do
-    sess <- getSession
+  sess <- getSession
 
-    let
-        prettify
-            = decodeUtf8
-            . toStrict
-            . encodePretty
-            . fromJust
-            . decode @Value
-            . fromStrict
+  let
+    prettify =
+      decodeUtf8
+        . toStrict
+        . encodePretty
+        . fromJust
+        . decode @Value
+        . fromStrict
 
-        mCredsIdent = decodeUtf8 <$> M.lookup "credsIdent" sess
-        mCredsPlugin = decodeUtf8 <$> M.lookup "credsPlugin" sess
-        mAccessToken = decodeUtf8 <$> M.lookup "accessToken" sess
-        mUserResponse = prettify <$> M.lookup "userResponse" sess
+    mCredsIdent = decodeUtf8 <$> M.lookup "credsIdent" sess
+    mCredsPlugin = decodeUtf8 <$> M.lookup "credsPlugin" sess
+    mAccessToken = decodeUtf8 <$> M.lookup "accessToken" sess
+    mUserResponse = prettify <$> M.lookup "userResponse" sess
 
-    defaultLayout [whamlet|
+  defaultLayout
+    [whamlet|
         <h1>Yesod Auth OAuth2 Example
         <h2>
             <a href=@{AuthR LoginR}>Log in
@@ -126,37 +121,45 @@ getRootR = do
 
 mkFoundation :: IO App
 mkFoundation = do
-    loadEnv
+  loadEnv
 
-    appHttpManager <- newManager tlsManagerSettings
-    appAuthPlugins <- sequence
-        -- When Providers are added, add them here and update .env.example.
-        -- Nothing else should need changing.
-        --
-        -- FIXME: oauth2BattleNet is quite annoying!
-        --
-        [ loadPlugin oauth2AzureAD "AZURE_AD"
-        , loadPlugin (oauth2BattleNet [whamlet|TODO|] "en") "BATTLE_NET"
-        , loadPlugin oauth2Bitbucket "BITBUCKET"
-        , loadPlugin oauth2ClassLink "CLASSLINK"
-        , loadPlugin (oauth2Eve Plain) "EVE_ONLINE"
-        , loadPlugin oauth2GitHub "GITHUB"
-        , loadPlugin oauth2GitLab "GITLAB"
-        , loadPlugin oauth2Google "GOOGLE"
-        , loadPlugin oauth2Nylas "NYLAS"
-        , loadPlugin oauth2Salesforce "SALES_FORCE"
-        , loadPlugin oauth2Slack "SLACK"
-        , loadPlugin (oauth2Spotify []) "SPOTIFY"
-        , loadPlugin oauth2WordPressDotCom "WORDPRESS_DOT_COM"
-        , loadPlugin oauth2Upcase "UPCASE"
-        ]
+  auth0Host <- getEnv "AUTH0_HOST"
+  azureTenant <- getEnv "AZURE_ADV2_TENANT_ID"
 
-    return App { .. }
-  where
-    loadPlugin f prefix = do
-        clientId <- getEnv $ prefix <> "_CLIENT_ID"
-        clientSecret <- getEnv $ prefix <> "_CLIENT_SECRET"
-        pure $ f (T.pack clientId) (T.pack clientSecret)
+  appHttpManager <- newManager tlsManagerSettings
+  appAuthPlugins <-
+    sequence
+      -- When Providers are added, add them here and update .env.example.
+      -- Nothing else should need changing.
+      --
+      -- FIXME: oauth2BattleNet is quite annoying!
+      --
+      [ loadPlugin oauth2AzureAD "AZURE_AD"
+      , loadPlugin (oauth2AzureADv2 $ pack azureTenant) "AZURE_ADV2"
+      , loadPlugin (oauth2Auth0Host $ fromString auth0Host) "AUTH0"
+      , loadPlugin (oauth2BattleNet [whamlet|TODO|] "en") "BATTLE_NET"
+      , loadPlugin oauth2Bitbucket "BITBUCKET"
+      , loadPlugin oauth2ClassLink "CLASSLINK"
+      , loadPlugin (oauth2Eve Plain) "EVE_ONLINE"
+      , loadPlugin oauth2GitHub "GITHUB"
+      , loadPlugin oauth2GitLab "GITLAB"
+      , loadPlugin oauth2Google "GOOGLE"
+      , loadPlugin oauth2Nylas "NYLAS"
+      , loadPlugin oauth2Salesforce "SALES_FORCE"
+      , loadPlugin oauth2Slack "SLACK"
+      , loadPlugin (oauth2Spotify []) "SPOTIFY"
+      , loadPlugin oauth2Twitch "TWITCH"
+      , loadPlugin oauth2WordPressDotCom "WORDPRESS_DOT_COM"
+      , loadPlugin oauth2ORCID "ORCID"
+      , loadPlugin oauth2Upcase "UPCASE"
+      ]
+
+  return App {..}
+ where
+  loadPlugin f prefix = do
+    clientId <- getEnv $ prefix <> "_CLIENT_ID"
+    clientSecret <- getEnv $ prefix <> "_CLIENT_SECRET"
+    pure $ f (T.pack clientId) (T.pack clientSecret)
 
 main :: IO ()
 main = runEnv 3000 =<< toWaiApp =<< mkFoundation

fourmolu.yaml

@@ -0,0 +1,15 @@
+indentation: 2
+column-limit: 80 # ignored until v12 / ghc-9.6
+function-arrows: leading
+comma-style: leading # default
+import-export-style: leading
+indent-wheres: false # default
+record-brace-space: true
+newlines-between-decls: 1 # default
+haddock-style: single-line
+let-style: mixed
+in-style: left-align
+single-constraint-parens: never # ignored until v12 / ghc-9.6
+unicode: never # default
+respectful: true # default
+fixities: [] # default

package.yaml

@@ -1,6 +1,6 @@
 ---
 name: yesod-auth-oauth2
-version: 0.7.0.0
+version: 0.8.0.0
 synopsis: OAuth 2.0 authentication plugins
 description: Library to authenticate with OAuth 2.0 for Yesod web applications.
 category: Web
@@ -13,7 +13,7 @@ maintainer: engineering@freckle.com
 github: freckle/yesod-auth-oauth2
 homepage: http://github.com/freckle/yesod-auth-oauth2
 
-extra-source-files:
+extra-doc-files:
   - README.md
   - CHANGELOG.md
 
@@ -27,9 +27,9 @@ library:
   dependencies:
     - aeson >=0.6
     - bytestring >=0.9.1.4
-    - cryptonite >=0.25
+    - crypton
     - errors
-    - hoauth2 >=1.11.0
+    - hoauth2 >=2.8.0 # TokenRequestError
     - http-client >=0.4.0
     - http-conduit >=2.0
     - http-types >=0.8
@@ -38,6 +38,7 @@ library:
     - mtl
     - safe-exceptions
     - text >=0.7
+    - transformers
     - uri-bytestring
     - yesod-auth >=1.6.0
     - yesod-core >=1.6.0
@@ -56,7 +57,7 @@ executables:
       - aeson >=0.6
       - aeson-pretty
       - bytestring >=0.9.1.4
-      - containers
+      - containers >=0.6.0.1
       - http-conduit >=2.0
       - load-env
       - text >=0.7

renovate.json

@@ -0,0 +1,7 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "local>freckle/renovate-config"
+  ],
+  "minimumReleaseAge": "0 days"
+}

src/Network/OAuth/OAuth2/Compat.hs

@@ -1,61 +1,118 @@
 {-# LANGUAGE CPP #-}
 
 module Network.OAuth.OAuth2.Compat
-    ( OAuth2(..)
-    , authorizationUrl
-    , fetchAccessToken
-    , fetchAccessToken2
-    , module Network.OAuth.OAuth2
-    ) where
+  ( OAuth2 (..)
+  , authorizationUrl
+  , fetchAccessTokenBasic
+  , fetchAccessTokenPost
+  , authGetBS
 
+    -- * Re-exports
+  , AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , TokenResponse
+  , accessToken
+  , refreshToken
+  , expiresIn
+  , tokenType
+  , idToken
+  , TokenResponseError
+  ) where
+
+import Control.Monad.IO.Class (MonadIO)
+import Control.Monad.Trans.Except (runExceptT)
+import Data.ByteString.Lazy (ByteString)
+import Data.Text (Text)
 import Network.HTTP.Conduit (Manager)
-import Network.OAuth.OAuth2 hiding
-    (OAuth2(..), authorizationUrl, fetchAccessToken, fetchAccessToken2)
-import qualified Network.OAuth.OAuth2 as OAuth2
-import Network.OAuth.OAuth2.TokenRequest (Errors)
 import URI.ByteString
 
-#if MIN_VERSION_hoauth2(2,0,0)
-import Network.OAuth.OAuth2 (OAuth2(..))
+#if MIN_VERSION_hoauth2(2,15,0)
+import Network.OAuth2
+  ( AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , TokenResponse (..)
+  , TokenResponseError
+  )
+import qualified Network.OAuth2 as OAuth2
 
-getOAuth2 :: OAuth2 -> OAuth2
-getOAuth2 = id
+#elif MIN_VERSION_hoauth2(2,9,0)
+import Network.OAuth.OAuth2
+  ( AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , OAuth2Token (..)
+  , TokenResponseError
+  )
+import qualified Network.OAuth.OAuth2 as OAuth2
+
+type TokenResponse = OAuth2Token
 
 #else
-import Data.Text (Text)
+-- hoauth2-2.8
+import Network.OAuth.OAuth2
+  ( AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , OAuth2Token (..)
+  )
+import Network.OAuth.OAuth2.TokenRequest (TokenRequestError)
+import qualified Network.OAuth.OAuth2 as OAuth2
+
+type TokenResponse = OAuth2Token
+type TokenResponseError = TokenRequestError
+#endif
 
 data OAuth2 = OAuth2
-    { oauth2ClientId :: Text
-    , oauth2ClientSecret :: Maybe Text
-    , oauth2AuthorizeEndpoint :: URIRef Absolute
-    , oauth2TokenEndpoint :: URIRef Absolute
-    , oauth2RedirectUri :: Maybe (URIRef Absolute)
-    }
-
-getOAuth2 :: OAuth2 -> OAuth2.OAuth2
-getOAuth2 o = OAuth2.OAuth2
-    { OAuth2.oauthClientId = oauth2ClientId o
-    , OAuth2.oauthClientSecret = oauth2ClientSecret o
-    , OAuth2.oauthOAuthorizeEndpoint = oauth2AuthorizeEndpoint o
-    , OAuth2.oauthAccessTokenEndpoint = oauth2TokenEndpoint o
-    , OAuth2.oauthCallback = oauth2RedirectUri o
-    }
-
-#endif
+  { oauth2ClientId :: Text
+  , oauth2ClientSecret :: Text
+  , oauth2AuthorizeEndpoint :: URIRef Absolute
+  , oauth2TokenEndpoint :: URIRef Absolute
+  , oauth2RedirectUri :: Maybe (URIRef Absolute)
+  }
 
 authorizationUrl :: OAuth2 -> URI
 authorizationUrl = OAuth2.authorizationUrl . getOAuth2
 
-fetchAccessToken
-    :: Manager
-    -> OAuth2
-    -> ExchangeToken
-    -> IO (OAuth2Result Errors OAuth2Token)
-fetchAccessToken m = OAuth2.fetchAccessToken m . getOAuth2
+fetchAccessTokenBasic
+  :: Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> IO (Either TokenResponseError TokenResponse)
+fetchAccessTokenBasic =
+  runFetchAccessToken OAuth2.ClientSecretBasic
 
-fetchAccessToken2
-    :: Manager
-    -> OAuth2
-    -> ExchangeToken
-    -> IO (OAuth2Result Errors OAuth2Token)
-fetchAccessToken2 m = OAuth2.fetchAccessToken2 m . getOAuth2
+fetchAccessTokenPost
+  :: Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> IO (Either TokenResponseError TokenResponse)
+fetchAccessTokenPost =
+  runFetchAccessToken OAuth2.ClientSecretPost
+
+authGetBS :: Manager -> AccessToken -> URI -> IO (Either ByteString ByteString)
+authGetBS m a u = runExceptT $ OAuth2.authGetBS m a u
+
+getOAuth2 :: OAuth2 -> OAuth2.OAuth2
+getOAuth2 o =
+  OAuth2.OAuth2
+    { OAuth2.oauth2ClientId = oauth2ClientId o
+    , OAuth2.oauth2ClientSecret = oauth2ClientSecret o
+    , OAuth2.oauth2AuthorizeEndpoint = oauth2AuthorizeEndpoint o
+    , OAuth2.oauth2TokenEndpoint = oauth2TokenEndpoint o
+    , OAuth2.oauth2RedirectUri = case oauth2RedirectUri o of
+        Nothing ->
+          error
+            "programmer error: yesod-auth-oauth2:OAuth2 must have a Just value set as oauth2RedirectUri before using as an hauth2:OAuth2 value"
+        Just uri -> uri
+    }
+
+runFetchAccessToken
+  :: MonadIO m
+  => OAuth2.ClientAuthenticationMethod
+  -> Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> m (Either TokenResponseError TokenResponse)
+runFetchAccessToken am m o e = runExceptT $ OAuth2.fetchAccessTokenWithAuthMethod am m (getOAuth2 o) e

src/URI/ByteString/Extension.hs

@@ -1,9 +1,10 @@
 {-# LANGUAGE FlexibleInstances #-}
 {-# OPTIONS_GHC -fno-warn-orphans #-}
+
 module URI.ByteString.Extension where
 
 import Data.ByteString (ByteString)
-import Data.String (IsString(..))
+import Data.String (IsString (..))
 import Data.Text (Text)
 import Data.Text.Encoding (decodeUtf8, encodeUtf8)
 import Lens.Micro
@@ -13,30 +14,26 @@ import qualified Data.ByteString.Char8 as C8
 import URI.ByteString
 
 instance IsString Scheme where
-    fromString = Scheme . fromString
+  fromString = Scheme . fromString
 
 instance IsString Host where
-    fromString = Host . fromString
+  fromString = Host . fromString
 
 instance IsString (URIRef Absolute) where
-    fromString = either (error . show) id
-        . parseURI strictURIParserOptions
-        . C8.pack
+  fromString =
+    either (error . show) id . parseURI strictURIParserOptions . C8.pack
 
 instance IsString (URIRef Relative) where
-    fromString = either (error . show) id
-        . parseRelativeRef strictURIParserOptions
-        . C8.pack
+  fromString =
+    either (error . show) id . parseRelativeRef strictURIParserOptions . C8.pack
 
 fromText :: Text -> Maybe URI
-fromText = either (const Nothing) Just
-    . parseURI strictURIParserOptions
-    . encodeUtf8
+fromText =
+  either (const Nothing) Just . parseURI strictURIParserOptions . encodeUtf8
 
 unsafeFromText :: Text -> URI
-unsafeFromText = either (error . show) id
-    . parseURI strictURIParserOptions
-    . encodeUtf8
+unsafeFromText =
+  either (error . show) id . parseURI strictURIParserOptions . encodeUtf8
 
 toText :: URI -> Text
 toText = decodeUtf8 . serializeURIRef'
@@ -45,9 +42,12 @@ fromRelative :: Scheme -> Host -> RelativeRef -> URI
 fromRelative s h = flip withHost h . toAbsolute s
 
 withHost :: URIRef a -> Host -> URIRef a
-withHost u h = u & authorityL %~ maybe
-    (Just $ Authority Nothing h Nothing)
-    (\a -> Just $ a & authorityHostL .~ h)
+withHost u h =
+  u
+    & authorityL
+      %~ maybe
+        (Just $ Authority Nothing h Nothing)
+        (\a -> Just $ a & authorityHostL .~ h)
 
 withPath :: URIRef a -> ByteString -> URIRef a
 withPath u p = u & pathL .~ p

src/UnliftIO/Except.hs

@@ -1,12 +1,12 @@
 {-# OPTIONS_GHC -Wno-orphans #-}
 
-module UnliftIO.Except
-    () where
+module UnliftIO.Except () where
 
-import Control.Monad.Except
+import Control.Monad ((<=<))
+import Control.Monad.Except (ExceptT (..), runExceptT)
 import UnliftIO
 
 instance (MonadUnliftIO m, Exception e) => MonadUnliftIO (ExceptT e m) where
-    withRunInIO exceptToIO = ExceptT $ try $ do
-        withRunInIO $ \runInIO ->
-            exceptToIO (runInIO . (either throwIO pure <=< runExceptT))
+  withRunInIO exceptToIO = ExceptT $ try $ do
+    withRunInIO $ \runInIO ->
+      exceptToIO (runInIO . (either throwIO pure <=< runExceptT))

src/Yesod/Auth/OAuth2.hs

@@ -1,23 +1,23 @@
 {-# LANGUAGE FlexibleContexts #-}
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE QuasiQuotes #-}
+
 -- |
 --
 -- Generic OAuth2 plugin for Yesod
 --
 -- See @"Yesod.Auth.OAuth2.GitHub"@ for example usage.
---
 module Yesod.Auth.OAuth2
-  ( OAuth2(..)
+  ( OAuth2 (..)
   , FetchCreds
   , Manager
-  , OAuth2Token(..)
-  , Creds(..)
+  , TokenResponse
+  , Creds (..)
   , oauth2Url
   , authOAuth2
   , authOAuth2Widget
 
-    -- * Alternatives that use 'fetchAccessToken2'
+    -- * Alternatives that use 'fetchAccessTokenPost'
   , authOAuth2'
   , authOAuth2Widget'
 
@@ -46,14 +46,12 @@ oauth2Url name = PluginR name ["forward"]
 -- | Create an @'AuthPlugin'@ for the given OAuth2 provider
 --
 -- Presents a generic @"Login via #{name}"@ link
---
 authOAuth2 :: YesodAuth m => Text -> OAuth2 -> FetchCreds m -> AuthPlugin m
 authOAuth2 name = authOAuth2Widget [whamlet|Login via #{name}|] name
 
--- | A version of 'authOAuth2' that uses 'fetchAccessToken2'
+-- | A version of 'authOAuth2' that uses 'fetchAccessTokenPost'
 --
 -- See <https://github.com/thoughtbot/yesod-auth-oauth2/pull/129>
---
 authOAuth2' :: YesodAuth m => Text -> OAuth2 -> FetchCreds m -> AuthPlugin m
 authOAuth2' name = authOAuth2Widget' [whamlet|Login via #{name}|] name
 
@@ -61,7 +59,6 @@ authOAuth2' name = authOAuth2Widget' [whamlet|Login via #{name}|] name
 --
 -- Allows passing a custom widget for the login link. See @'oauth2Eve'@ for an
 -- example.
---
 authOAuth2Widget
   :: YesodAuth m
   => WidgetFor m ()
@@ -69,12 +66,11 @@ authOAuth2Widget
   -> OAuth2
   -> FetchCreds m
   -> AuthPlugin m
-authOAuth2Widget = buildPlugin fetchAccessToken
+authOAuth2Widget = buildPlugin fetchAccessTokenBasic
 
--- | A version of 'authOAuth2Widget' that uses 'fetchAccessToken2'
+-- | A version of 'authOAuth2Widget' that uses 'fetchAccessTokenPost'
 --
 -- See <https://github.com/thoughtbot/yesod-auth-oauth2/pull/129>
---
 authOAuth2Widget'
   :: YesodAuth m
   => WidgetFor m ()
@@ -82,7 +78,7 @@ authOAuth2Widget'
   -> OAuth2
   -> FetchCreds m
   -> AuthPlugin m
-authOAuth2Widget' = buildPlugin fetchAccessToken2
+authOAuth2Widget' = buildPlugin fetchAccessTokenPost
 
 buildPlugin
   :: YesodAuth m
@@ -92,11 +88,13 @@ buildPlugin
   -> OAuth2
   -> FetchCreds m
   -> AuthPlugin m
-buildPlugin getToken widget name oauth getCreds = AuthPlugin
-  name
-  (dispatchAuthRequest name oauth getToken getCreds)
-  login
-  where login tm = [whamlet|<a href=@{tm $ oauth2Url name}>^{widget}|]
+buildPlugin getToken widget name oauth getCreds =
+  AuthPlugin
+    name
+    (dispatchAuthRequest name oauth getToken getCreds)
+    login
+ where
+  login tm = [whamlet|<a href=@{tm $ oauth2Url name}>^{widget}|]
 
 -- | Read the @'AccessToken'@ from the values set via @'setExtra'@
 getAccessToken :: Creds m -> Maybe AccessToken
@@ -105,7 +103,6 @@ getAccessToken = (AccessToken <$>) . lookup "accessToken" . credsExtra
 -- | Read the @'RefreshToken'@ from the values set via @'setExtra'@
 --
 -- N.B. not all providers supply this value.
---
 getRefreshToken :: Creds m -> Maybe RefreshToken
 getRefreshToken = (RefreshToken <$>) . lookup "refreshToken" . credsExtra
 

src/Yesod/Auth/OAuth2/Auth0.hs

@@ -0,0 +1,60 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+-- |
+-- OAuth2 plugin for <https://auth0.com>
+--
+-- * Authenticates against specific auth0 tenant
+-- * Uses Auth0 user id (a.k.a [sub](https://auth0.com/docs/api/authentication#get-user-info)) as credentials identifier
+module Yesod.Auth.OAuth2.Auth0
+  ( oauth2Auth0HostScopes
+  , oauth2Auth0Host
+  , defaultAuth0Scopes
+  ) where
+
+import Data.Aeson as Aeson
+import qualified Data.Text as T
+import Yesod.Auth.OAuth2.Prelude
+import Prelude
+
+-- | https://auth0.com/docs/api/authentication#get-user-info
+newtype User = User T.Text
+
+instance FromJSON User where
+  parseJSON = withObject "User" $ \o -> User <$> o .: "sub"
+
+-- | https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes#standard-claims
+defaultAuth0Scopes :: [Text]
+defaultAuth0Scopes = ["openid"]
+
+pluginName :: Text
+pluginName = "auth0"
+
+oauth2Auth0Host :: YesodAuth m => URI -> Text -> Text -> AuthPlugin m
+oauth2Auth0Host host = oauth2Auth0HostScopes host defaultAuth0Scopes
+
+oauth2Auth0HostScopes
+  :: YesodAuth m => URI -> [Text] -> Text -> Text -> AuthPlugin m
+oauth2Auth0HostScopes host scopes clientId clientSecret =
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User uid, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        (host `withPath` "/userinfo")
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = uid
+        , credsExtra = setExtra token userResponse
+        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          host `withPath` "/authorize" `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = host `withPath` "/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/AzureAD.hs

@@ -1,18 +1,18 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 --
 -- OAuth2 plugin for Azure AD.
 --
 -- * Authenticates against Azure AD
 -- * Uses email as credentials identifier
---
 module Yesod.Auth.OAuth2.AzureAD
   ( oauth2AzureAD
   , oauth2AzureADScoped
   ) where
 
-import Prelude
 import Yesod.Auth.OAuth2.Prelude
+import Prelude
 
 newtype User = User Text
 
@@ -31,25 +31,29 @@ oauth2AzureAD = oauth2AzureADScoped defaultScopes
 oauth2AzureADScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
 oauth2AzureADScoped scopes clientId clientSecret =
   authOAuth2 pluginName oauth2 $ \manager token -> do
-    (User userId, userResponse) <- authGetProfile
-      pluginName
-      manager
-      token
-      "https://graph.microsoft.com/v1.0/me"
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://graph.microsoft.com/v1.0/me"
 
-    pure Creds { credsPlugin = pluginName
-               , credsIdent  = userId
-               , credsExtra  = setExtra token userResponse
-               }
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint =
-      "https://login.windows.net/common/oauth2/authorize"
-        `withQuery` [ scopeParam "," scopes
-                    , ("resource", "https://graph.microsoft.com")
-                    ]
-    , oauth2TokenEndpoint     = "https://login.windows.net/common/oauth2/token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://login.windows.net/common/oauth2/authorize"
+            `withQuery` [ scopeParam "," scopes
+                        , ("resource", "https://graph.microsoft.com")
+                        ]
+      , oauth2TokenEndpoint = "https://login.windows.net/common/oauth2/token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/AzureADv2.hs

@@ -0,0 +1,104 @@
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE QuasiQuotes #-}
+
+-- |
+--
+-- OAuth2 plugin for Azure AD using the new v2 endpoints.
+--
+-- * Authenticates against Azure AD
+-- * Uses email as credentials identifier
+module Yesod.Auth.OAuth2.AzureADv2
+  ( oauth2AzureADv2
+  , oauth2AzureADv2Scoped
+  , oauth2AzureADv2Widget
+  , oauth2AzureADv2ScopedWidget
+  ) where
+
+import Yesod.Auth.OAuth2.Prelude
+import Yesod.Core (WidgetFor, whamlet)
+import Prelude
+
+import Data.String
+import Data.Text (unpack)
+
+newtype User = User Text
+
+instance FromJSON User where
+  parseJSON = withObject "User" $ \o -> User <$> o .: "mail"
+
+pluginName :: Text
+pluginName = "azureadv2"
+
+defaultScopes :: [Text]
+defaultScopes = ["openid", "profile"]
+
+oauth2AzureADv2
+  :: YesodAuth m
+  => Text
+  -- ^ Tenant Id
+  --
+  -- If using a multi-tenant App, @common@ can be given here.
+  -> Text
+  -- ^ Client Id
+  -> Text
+  -- ^ Client secret
+  -> AuthPlugin m
+oauth2AzureADv2 = oauth2AzureADv2Scoped defaultScopes
+
+oauth2AzureADv2Widget
+  :: YesodAuth m => WidgetFor m () -> Text -> Text -> Text -> AuthPlugin m
+oauth2AzureADv2Widget widget =
+  oauth2AzureADv2ScopedWidget widget defaultScopes
+
+oauth2AzureADv2Scoped
+  :: YesodAuth m => [Text] -> Text -> Text -> Text -> AuthPlugin m
+oauth2AzureADv2Scoped =
+  oauth2AzureADv2ScopedWidget [whamlet|Login via #{pluginName}|]
+
+oauth2AzureADv2ScopedWidget
+  :: YesodAuth m
+  => WidgetFor m ()
+  -- ^ Widget
+  -> [Text]
+  -- ^ Scopes
+  -> Text
+  -- ^ Tenant Id
+  --
+  -- If using a multi-tenant App, @common@ can be given here.
+  -> Text
+  -- ^ Client Id
+  -> Text
+  -- ^ Client Secret
+  -> AuthPlugin m
+oauth2AzureADv2ScopedWidget widget scopes tenantId clientId clientSecret =
+  authOAuth2Widget widget pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://graph.microsoft.com/v1.0/me"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
+        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          tenantUrl "/authorize" `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = tenantUrl "/token"
+      , oauth2RedirectUri = Nothing
+      }
+
+  tenantUrl path =
+    fromString $
+      "https://login.microsoftonline.com/"
+        <> unpack tenantId
+        <> "/oauth2/v2.0"
+        <> path

src/Yesod/Auth/OAuth2/BattleNet.hs

@@ -7,7 +7,6 @@
 -- * Authenticates against battle.net.
 -- * Uses user's id as credentials identifier.
 -- * Returns user's battletag in extras.
---
 module Yesod.Auth.OAuth2.BattleNet
   ( oauth2BattleNet
   , oAuth2BattleNet
@@ -28,38 +27,44 @@ pluginName = "battle.net"
 
 oauth2BattleNet
   :: YesodAuth m
-  => WidgetFor m () -- ^ Login widget
-  -> Text -- ^ User region (e.g. "eu", "cn", "us")
-  -> Text -- ^ Client ID
-  -> Text -- ^ Client Secret
+  => WidgetFor m ()
+  -- ^ Login widget
+  -> Text
+  -- ^ User region (e.g. "eu", "cn", "us")
+  -> Text
+  -- ^ Client ID
+  -> Text
+  -- ^ Client Secret
   -> AuthPlugin m
 oauth2BattleNet widget region clientId clientSecret =
   authOAuth2Widget widget pluginName oauth2 $ \manager token -> do
     (User userId, userResponse) <-
-      authGetProfile pluginName manager token
-        $ fromRelative "https" (apiHost $ T.toLower region) "/account/user"
+      authGetProfile pluginName manager token $
+        fromRelative "https" (apiHost $ T.toLower region) "/account/user"
 
-    pure Creds { credsPlugin = pluginName
-               , credsIdent  = T.pack $ show userId
-               , credsExtra  = setExtra token userResponse
-               }
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  host   = wwwHost $ T.toLower region
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = fromRelative "https" host "/oauth/authorize"
-    , oauth2TokenEndpoint     = fromRelative "https" host "/oauth/token"
-    , oauth2RedirectUri       = Nothing
-    }
-
+  host = wwwHost $ T.toLower region
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint = fromRelative "https" host "/oauth/authorize"
+      , oauth2TokenEndpoint = fromRelative "https" host "/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }
 
 apiHost :: Text -> Host
-apiHost "cn"   = "api.battlenet.com.cn"
+apiHost "cn" = "api.battlenet.com.cn"
 apiHost region = Host $ encodeUtf8 $ region <> ".api.battle.net"
 
 wwwHost :: Text -> Host
-wwwHost "cn"   = "www.battlenet.com.cn"
+wwwHost "cn" = "www.battlenet.com.cn"
 wwwHost region = Host $ encodeUtf8 $ region <> ".battle.net"
 
 oAuth2BattleNet

src/Yesod/Auth/OAuth2/Bitbucket.hs

@@ -1,11 +1,11 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 --
 -- OAuth2 plugin for http://bitbucket.com
 --
 -- * Authenticates against bitbucket
 -- * Uses bitbucket uuid as credentials identifier
---
 module Yesod.Auth.OAuth2.Bitbucket
   ( oauth2Bitbucket
   , oauth2BitbucketScoped
@@ -32,28 +32,33 @@ oauth2Bitbucket = oauth2BitbucketScoped defaultScopes
 oauth2BitbucketScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
 oauth2BitbucketScoped scopes clientId clientSecret =
   authOAuth2 pluginName oauth2 $ \manager token -> do
-    (User userId, userResponse) <- authGetProfile
-      pluginName
-      manager
-      token
-      "https://api.bitbucket.com/2.0/user"
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://api.bitbucket.com/2.0/user"
 
-    pure Creds { credsPlugin = pluginName
-        -- FIXME: Preserved bug. This should just be userId (it's already
-        -- a Text), but because this code was shipped, folks likely have
-        -- Idents in their database like @"\"...\""@, and if we fixed this
-        -- they would need migrating. We're keeping it for now as it's a
-        -- minor wart. Breaking typed APIs is one thing, causing data to go
-        -- invalid is another.
-               , credsIdent  = T.pack $ show userId
-               , credsExtra  = setExtra token userResponse
-               }
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , -- FIXME: Preserved bug. This should just be userId (it's already
+          -- a Text), but because this code was shipped, folks likely have
+          -- Idents in their database like @"\"...\""@, and if we fixed this
+          -- they would need migrating. We're keeping it for now as it's a
+          -- minor wart. Breaking typed APIs is one thing, causing data to go
+          -- invalid is another.
+          credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = "https://bitbucket.com/site/oauth2/authorize"
-                                  `withQuery` [scopeParam "," scopes]
-    , oauth2TokenEndpoint     = "https://bitbucket.com/site/oauth2/access_token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://bitbucket.com/site/oauth2/authorize"
+            `withQuery` [scopeParam "," scopes]
+      , oauth2TokenEndpoint = "https://bitbucket.com/site/oauth2/access_token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/ClassLink.hs

@@ -26,22 +26,27 @@ oauth2ClassLink = oauth2ClassLinkScoped defaultScopes
 oauth2ClassLinkScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
 oauth2ClassLinkScoped scopes clientId clientSecret =
   authOAuth2 pluginName oauth2 $ \manager token -> do
-    (User userId, userResponse) <- authGetProfile
-      pluginName
-      manager
-      token
-      "https://nodeapi.classlink.com/v2/my/info"
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://nodeapi.classlink.com/v2/my/info"
 
-    pure Creds { credsPlugin = pluginName
-               , credsIdent  = T.pack $ show userId
-               , credsExtra  = setExtra token userResponse
-               }
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = "https://launchpad.classlink.com/oauth2/v2/auth"
-                                  `withQuery` [scopeParam "," scopes]
-    , oauth2TokenEndpoint = "https://launchpad.classlink.com/oauth2/v2/token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://launchpad.classlink.com/oauth2/v2/auth"
+            `withQuery` [scopeParam "," scopes]
+      , oauth2TokenEndpoint = "https://launchpad.classlink.com/oauth2/v2/token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/Dispatch.hs

@@ -6,19 +6,19 @@
 
 module Yesod.Auth.OAuth2.Dispatch
   ( FetchToken
-  , fetchAccessToken
-  , fetchAccessToken2
+  , fetchAccessTokenBasic
+  , fetchAccessTokenPost
   , FetchCreds
   , dispatchAuthRequest
   ) where
 
-import Control.Monad.Except
+import Control.Monad (unless)
+import Control.Monad.Except (MonadError (..))
 import Data.Text (Text)
 import qualified Data.Text as T
 import Data.Text.Encoding (encodeUtf8)
 import Network.HTTP.Conduit (Manager)
 import Network.OAuth.OAuth2.Compat
-import Network.OAuth.OAuth2.TokenRequest (Errors)
 import URI.ByteString.Extension
 import UnliftIO.Exception
 import Yesod.Auth hiding (ServerError)
@@ -30,21 +30,29 @@ import Yesod.Core hiding (ErrorResponse)
 -- | How to fetch an @'OAuth2Token'@
 --
 -- This will be 'fetchAccessToken' or 'fetchAccessToken2'
---
-type FetchToken
-  = Manager -> OAuth2 -> ExchangeToken -> IO (OAuth2Result Errors OAuth2Token)
+type FetchToken =
+  Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> IO (Either TokenResponseError TokenResponse)
 
 -- | How to take an @'OAuth2Token'@ and retrieve user credentials
-type FetchCreds m = Manager -> OAuth2Token -> IO (Creds m)
+type FetchCreds m = Manager -> TokenResponse -> IO (Creds m)
 
 -- | Dispatch the various OAuth2 handshake routes
 dispatchAuthRequest
-  :: Text             -- ^ Name
-  -> OAuth2           -- ^ Service details
-  -> FetchToken       -- ^ How to get a token
-  -> FetchCreds m     -- ^ How to get credentials
-  -> Text             -- ^ Method
-  -> [Text]           -- ^ Path pieces
+  :: Text
+  -- ^ Name
+  -> OAuth2
+  -- ^ Service details
+  -> FetchToken
+  -- ^ How to get a token
+  -> FetchCreds m
+  -- ^ How to get credentials
+  -> Text
+  -- ^ Method
+  -> [Text]
+  -- ^ Path pieces
   -> AuthHandler m TypedContent
 dispatchAuthRequest name oauth2 _ _ "GET" ["forward"] =
   handleDispatchError $ dispatchForward name oauth2
@@ -56,14 +64,13 @@ dispatchAuthRequest _ _ _ _ _ _ = notFound
 --
 -- 1. Set a random CSRF token in our session
 -- 2. Redirect to the Provider's authorization URL
---
 dispatchForward
   :: (MonadError DispatchError m, MonadAuthHandler site m)
   => Text
   -> OAuth2
   -> m TypedContent
 dispatchForward name oauth2 = do
-  csrf    <- setSessionCSRF $ tokenSessionKey name
+  csrf <- setSessionCSRF $ tokenSessionKey name
   oauth2' <- withCallbackAndState name oauth2 csrf
   redirect $ toText $ authorizationUrl oauth2'
 
@@ -72,7 +79,6 @@ dispatchForward name oauth2 = do
 -- 1. Verify the URL's CSRF token matches our session
 -- 2. Use the code parameter to fetch an AccessToken for the Provider
 -- 3. Use the AccessToken to construct a @'Creds'@ value for the Provider
---
 dispatchCallback
   :: (MonadError DispatchError m, MonadAuthHandler site m)
   => Text
@@ -82,16 +88,17 @@ dispatchCallback
   -> m TypedContent
 dispatchCallback name oauth2 getToken getCreds = do
   onErrorResponse $ throwError . OAuth2HandshakeError
-  csrf    <- verifySessionCSRF $ tokenSessionKey name
-  code    <- requireGetParam "code"
+  csrf <- verifySessionCSRF $ tokenSessionKey name
+  code <- requireGetParam "code"
   manager <- authHttpManager
   oauth2' <- withCallbackAndState name oauth2 csrf
-  token   <- either (throwError . OAuth2ResultError) pure
-    =<< liftIO (getToken manager oauth2' $ ExchangeToken code)
+  token <-
+    either (throwError . OAuth2ResultError) pure
+      =<< liftIO (getToken manager oauth2' $ ExchangeToken code)
   creds <-
     liftIO (getCreds manager token)
-    `catch` (throwError . FetchCredsIOException)
-    `catch` (throwError . FetchCredsYesodOAuth2Exception)
+      `catch` (throwError . FetchCredsIOException)
+      `catch` (throwError . FetchCredsYesodOAuth2Exception)
   setCredsRedirect creds
 
 withCallbackAndState
@@ -101,41 +108,47 @@ withCallbackAndState
   -> Text
   -> m OAuth2
 withCallbackAndState name oauth2 csrf = do
-  uri      <- ($ PluginR name ["callback"]) <$> getParentUrlRender
-  callback <- maybe (throwError $ InvalidCallbackUri uri) pure $ fromText uri
-  pure oauth2
-    { oauth2RedirectUri       = Just callback
-    , oauth2AuthorizeEndpoint = oauth2AuthorizeEndpoint oauth2
-                                  `withQuery` [("state", encodeUtf8 csrf)]
-    }
+  callback <- maybe defaultCallback pure $ oauth2RedirectUri oauth2
+  pure
+    oauth2
+      { oauth2RedirectUri = Just callback
+      , oauth2AuthorizeEndpoint =
+          oauth2AuthorizeEndpoint oauth2 `withQuery` [("state", encodeUtf8 csrf)]
+      }
+ where
+  defaultCallback = do
+    uri <- ($ PluginR name ["callback"]) <$> getParentUrlRender
+    maybe (throwError $ InvalidCallbackUri uri) pure $ fromText uri
 
 getParentUrlRender :: MonadHandler m => m (Route (SubHandlerSite m) -> Text)
 getParentUrlRender = (.) <$> getUrlRender <*> getRouteToParent
 
--- | Set a random, ~30-character value in the session
+-- | Set a random, ~64-byte value in the session
 --
 -- Some (but not all) providers decode a @+@ in the state token as a space when
 -- sending it back to us. We don't expect this and fail. And if we did code for
 -- it, we'd then fail on the providers that /don't/ do that.
 --
 -- Therefore, we just exclude @+@ in our tokens, which means this function may
--- return slightly less than 30 characters.
---
+-- return slightly fewer than 64 bytes.
 setSessionCSRF :: MonadHandler m => Text -> m Text
 setSessionCSRF sessionKey = do
   csrfToken <- liftIO randomToken
   csrfToken <$ setSession sessionKey csrfToken
-  where randomToken = T.filter (/= '+') <$> randomText 64
+ where
+  randomToken = T.filter (/= '+') <$> randomText 64
 
 -- | Verify the callback provided the same CSRF token as in our session
 verifySessionCSRF
   :: (MonadError DispatchError m, MonadHandler m) => Text -> m Text
 verifySessionCSRF sessionKey = do
-  token        <- requireGetParam "state"
+  token <- requireGetParam "state"
   sessionToken <- lookupSession sessionKey
   deleteSession sessionKey
-  token <$ unless (sessionToken == Just token)
-                  (throwError $ InvalidStateToken sessionToken token)
+  token
+    <$ unless
+      (sessionToken == Just token)
+      (throwError $ InvalidStateToken sessionToken token)
 
 requireGetParam
   :: (MonadError DispatchError m, MonadHandler m) => Text -> m Text

src/Yesod/Auth/OAuth2/DispatchError.hs

@@ -9,15 +9,14 @@
 {-# LANGUAGE TypeFamilies #-}
 
 module Yesod.Auth.OAuth2.DispatchError
-    ( DispatchError(..)
-    , handleDispatchError
-    , onDispatchError
-    ) where
+  ( DispatchError (..)
+  , handleDispatchError
+  , onDispatchError
+  ) where
 
 import Control.Monad.Except
 import Data.Text (Text, pack)
-import Network.OAuth.OAuth2
-import Network.OAuth.OAuth2.TokenRequest (Errors)
+import Network.OAuth.OAuth2.Compat (TokenResponseError)
 import UnliftIO.Except ()
 import UnliftIO.Exception
 import Yesod.Auth hiding (ServerError)
@@ -27,55 +26,55 @@ import Yesod.Auth.OAuth2.Random
 import Yesod.Core hiding (ErrorResponse)
 
 data DispatchError
-    = MissingParameter Text
-    | InvalidStateToken (Maybe Text) Text
-    | InvalidCallbackUri Text
-    | OAuth2HandshakeError ErrorResponse
-    | OAuth2ResultError (OAuth2Error Errors)
-    | FetchCredsIOException IOException
-    | FetchCredsYesodOAuth2Exception YesodOAuth2Exception
-    | OtherDispatchError Text
-    deriving stock Show
-    deriving anyclass Exception
+  = MissingParameter Text
+  | InvalidStateToken (Maybe Text) Text
+  | InvalidCallbackUri Text
+  | OAuth2HandshakeError ErrorResponse
+  | OAuth2ResultError TokenResponseError
+  | FetchCredsIOException IOException
+  | FetchCredsYesodOAuth2Exception YesodOAuth2Exception
+  | OtherDispatchError Text
+  deriving stock (Show)
+  deriving anyclass (Exception)
 
 -- | User-friendly message for any given 'DispatchError'
 --
 -- Most of these are opaque to the user. The exception details are present for
 -- the server logs.
---
 dispatchErrorMessage :: DispatchError -> Text
 dispatchErrorMessage = \case
-    MissingParameter name ->
-        "Parameter '" <> name <> "' is required, but not present in the URL"
-    InvalidStateToken{} -> "State token is invalid, please try again"
-    InvalidCallbackUri{}
-        -> "Callback URI was not valid, this server may be misconfigured (no approot)"
-    OAuth2HandshakeError er -> "OAuth2 handshake failure: " <> erUserMessage er
-    OAuth2ResultError{} -> "Login failed, please try again"
-    FetchCredsIOException{} -> "Login failed, please try again"
-    FetchCredsYesodOAuth2Exception{} -> "Login failed, please try again"
-    OtherDispatchError{} -> "Login failed, please try again"
+  MissingParameter name ->
+    "Parameter '" <> name <> "' is required, but not present in the URL"
+  InvalidStateToken {} -> "State token is invalid, please try again"
+  InvalidCallbackUri {} ->
+    "Callback URI was not valid, this server may be misconfigured (no approot)"
+  OAuth2HandshakeError er -> "OAuth2 handshake failure: " <> erUserMessage er
+  OAuth2ResultError {} -> "Login failed, please try again"
+  FetchCredsIOException {} -> "Login failed, please try again"
+  FetchCredsYesodOAuth2Exception {} -> "Login failed, please try again"
+  OtherDispatchError {} -> "Login failed, please try again"
 
 handleDispatchError
-    :: MonadAuthHandler site m
-    => ExceptT DispatchError m TypedContent
-    -> m TypedContent
+  :: MonadAuthHandler site m
+  => ExceptT DispatchError m TypedContent
+  -> m TypedContent
 handleDispatchError f = do
-    result <- runExceptT f
-    either onDispatchError pure result
+  result <- runExceptT f
+  either onDispatchError pure result
 
 onDispatchError :: MonadAuthHandler site m => DispatchError -> m TypedContent
 onDispatchError err = do
-    errorId <- liftIO $ randomText 16
-    let suffix = " [errorId=" <> errorId <> "]"
-    $(logError) $ pack (displayException err) <> suffix
+  errorId <- liftIO $ randomText 16
+  let suffix = " [errorId=" <> errorId <> "]"
+  $(logError) $ pack (displayException err) <> suffix
 
-    let message = dispatchErrorMessage err <> suffix
-        messageValue =
-            object ["error" .= object ["id" .= errorId, "message" .= message]]
+  let
+    message = dispatchErrorMessage err <> suffix
+    messageValue =
+      object ["error" .= object ["id" .= errorId, "message" .= message]]
 
-    loginR <- ($ LoginR) <$> getRouteToParent
+  loginR <- ($ LoginR) <$> getRouteToParent
 
-    selectRep $ do
-        provideRep @_ @Html $ onErrorHtml loginR message
-        provideRep @_ @Value $ pure messageValue
+  selectRep $ do
+    provideRep @_ @Html $ onErrorHtml loginR message
+    provideRep @_ @Value $ pure messageValue

src/Yesod/Auth/OAuth2/ErrorResponse.hs

@@ -1,16 +1,15 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- | OAuth callback error response
 --
 -- <https://tools.ietf.org/html/rfc6749#section-4.1.2.1>
---
 module Yesod.Auth.OAuth2.ErrorResponse
-    ( ErrorResponse(..)
-    , erUserMessage
-    , ErrorName(..)
-    , onErrorResponse
-    , unknownError
-    )
-where
+  ( ErrorResponse (..)
+  , erUserMessage
+  , ErrorName (..)
+  , onErrorResponse
+  , unknownError
+  ) where
 
 import Data.Foldable (traverse_)
 import Data.Text (Text)
@@ -18,58 +17,54 @@ import Data.Traversable (for)
 import Yesod.Core (MonadHandler, lookupGetParam)
 
 data ErrorName
-    = InvalidRequest
-    | UnauthorizedClient
-    | AccessDenied
-    | UnsupportedResponseType
-    | InvalidScope
-    | ServerError
-    | TemporarilyUnavailable
-    | Unknown Text
-    deriving Show
+  = InvalidRequest
+  | UnauthorizedClient
+  | AccessDenied
+  | UnsupportedResponseType
+  | InvalidScope
+  | ServerError
+  | TemporarilyUnavailable
+  | Unknown Text
+  deriving (Show)
 
 data ErrorResponse = ErrorResponse
-    { erName :: ErrorName
-    , erDescription :: Maybe Text
-    , erURI :: Maybe Text
-    }
-    deriving Show
+  { erName :: ErrorName
+  , erDescription :: Maybe Text
+  , erURI :: Maybe Text
+  }
+  deriving (Show)
 
 -- | Textual value suitable for display to a User
 erUserMessage :: ErrorResponse -> Text
 erUserMessage err = case erName err of
-    InvalidRequest -> "Invalid request"
-    UnauthorizedClient -> "Unauthorized client"
-    AccessDenied -> "Access denied"
-    UnsupportedResponseType -> "Unsupported response type"
-    InvalidScope -> "Invalid scope"
-    ServerError -> "Server error"
-    TemporarilyUnavailable -> "Temporarily unavailable"
-    Unknown _ -> "Unknown error"
+  InvalidRequest -> "Invalid request"
+  UnauthorizedClient -> "Unauthorized client"
+  AccessDenied -> "Access denied"
+  UnsupportedResponseType -> "Unsupported response type"
+  InvalidScope -> "Invalid scope"
+  ServerError -> "Server error"
+  TemporarilyUnavailable -> "Temporarily unavailable"
+  Unknown _ -> "Unknown error"
 
 unknownError :: Text -> ErrorResponse
-unknownError x = ErrorResponse
-    { erName = Unknown x
-    , erDescription = Nothing
-    , erURI = Nothing
-    }
+unknownError x =
+  ErrorResponse {erName = Unknown x, erDescription = Nothing, erURI = Nothing}
 
 -- | Check query parameters for an error, if found run the given action
 --
 -- The action is expected to use a short-circuit response function like
 -- @'permissionDenied'@, hence this returning @()@.
---
 onErrorResponse :: MonadHandler m => (ErrorResponse -> m a) -> m ()
 onErrorResponse f = traverse_ f =<< checkErrorResponse
 
 checkErrorResponse :: MonadHandler m => m (Maybe ErrorResponse)
 checkErrorResponse = do
-    merror <- lookupGetParam "error"
+  merror <- lookupGetParam "error"
 
-    for merror $ \err ->
-        ErrorResponse (readErrorName err)
-            <$> lookupGetParam "error_description"
-            <*> lookupGetParam "error_uri"
+  for merror $ \err ->
+    ErrorResponse (readErrorName err)
+      <$> lookupGetParam "error_description"
+      <*> lookupGetParam "error_uri"
 
 readErrorName :: Text -> ErrorName
 readErrorName "invalid_request" = InvalidRequest

src/Yesod/Auth/OAuth2/EveOnline.hs

@@ -1,16 +1,16 @@
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE QuasiQuotes #-}
+
 -- |
 --
 -- OAuth2 plugin for http://eveonline.com
 --
 -- * Authenticates against eveonline
 -- * Uses EVEs unique account-user-char-hash as credentials identifier
---
 module Yesod.Auth.OAuth2.EveOnline
   ( oauth2Eve
   , oauth2EveScoped
-  , WidgetType(..)
+  , WidgetType (..)
   ) where
 
 import Yesod.Auth.OAuth2.Prelude
@@ -24,23 +24,24 @@ instance FromJSON User where
   parseJSON = withObject "User" $ \o -> User <$> o .: "CharacterOwnerHash"
 
 data WidgetType m
-    = Plain -- ^ Simple "Login via eveonline" text
-    | BigWhite
-    | SmallWhite
-    | BigBlack
-    | SmallBlack
-    | Custom (WidgetFor m ())
+  = -- | Simple "Login via eveonline" text
+    Plain
+  | BigWhite
+  | SmallWhite
+  | BigBlack
+  | SmallBlack
+  | Custom (WidgetFor m ())
 
 asWidget :: YesodAuth m => WidgetType m -> WidgetFor m ()
 asWidget Plain = [whamlet|Login via eveonline|]
 asWidget BigWhite =
   [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/4PTzeiAshqiM8osU2giO0Y/5cc4cb60bac52422da2e45db87b6819c/EVE_SSO_Login_Buttons_Large_White.png?w=270&h=45">|]
-asWidget BigBlack
-  = [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/4fSjj56uD6CYwYyus4KmES/4f6385c91e6de56274d99496e6adebab/EVE_SSO_Login_Buttons_Large_Black.png?w=270&h=45">|]
-asWidget SmallWhite
-  = [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/18BxKSXCymyqY4QKo8KwKe/c2bdded6118472dd587c8107f24104d7/EVE_SSO_Login_Buttons_Small_White.png?w=195&h=30">|]
-asWidget SmallBlack
-  = [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/12vrPsIMBQi28QwCGOAqGk/33234da7672c6b0cdca394fc8e0b1c2b/EVE_SSO_Login_Buttons_Small_Black.png?w=195&h=30">|]
+asWidget BigBlack =
+  [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/4fSjj56uD6CYwYyus4KmES/4f6385c91e6de56274d99496e6adebab/EVE_SSO_Login_Buttons_Large_Black.png?w=270&h=45">|]
+asWidget SmallWhite =
+  [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/18BxKSXCymyqY4QKo8KwKe/c2bdded6118472dd587c8107f24104d7/EVE_SSO_Login_Buttons_Small_White.png?w=195&h=30">|]
+asWidget SmallBlack =
+  [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/12vrPsIMBQi28QwCGOAqGk/33234da7672c6b0cdca394fc8e0b1c2b/EVE_SSO_Login_Buttons_Small_Black.png?w=195&h=30">|]
 asWidget (Custom a) = a
 
 pluginName :: Text
@@ -57,25 +58,28 @@ oauth2EveScoped
 oauth2EveScoped scopes widgetType clientId clientSecret =
   authOAuth2Widget (asWidget widgetType) pluginName oauth2 $ \manager token ->
     do
-      (User userId, userResponse) <- authGetProfile
-        pluginName
-        manager
-        token
-        "https://login.eveonline.com/oauth/verify"
+      (User userId, userResponse) <-
+        authGetProfile
+          pluginName
+          manager
+          token
+          "https://login.eveonline.com/oauth/verify"
 
-      pure Creds { credsPlugin = "eveonline"
-          -- FIXME: Preserved bug. See similar comment in Bitbucket provider.
-                 , credsIdent  = T.pack $ show userId
-                 , credsExtra  = setExtra token userResponse
-                 }
+      pure
+        Creds
+          { credsPlugin = "eveonline"
+          , -- FIXME: Preserved bug. See similar comment in Bitbucket provider.
+            credsIdent = T.pack $ show userId
+          , credsExtra = setExtra token userResponse
+          }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = "https://login.eveonline.com/oauth/authorize"
-                                  `withQuery` [ ("response_type", "code")
-                                              , scopeParam " " scopes
-                                              ]
-    , oauth2TokenEndpoint     = "https://login.eveonline.com/oauth/token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://login.eveonline.com/oauth/authorize"
+            `withQuery` [("response_type", "code"), scopeParam " " scopes]
+      , oauth2TokenEndpoint = "https://login.eveonline.com/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/Exception.hs

@@ -1,29 +1,24 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-
 module Yesod.Auth.OAuth2.Exception
-    ( YesodOAuth2Exception(..)
-    ) where
+  ( YesodOAuth2Exception (..)
+  ) where
 
 import Control.Exception.Safe
 import Data.ByteString.Lazy (ByteString)
 import Data.Text (Text)
 
 data YesodOAuth2Exception
-    = OAuth2Error Text ByteString
-    -- ^ HTTP error during OAuth2 handshake
+  = -- | HTTP error during OAuth2 handshake
     --
     -- Plugin name and JSON-encoded @OAuth2Error@ from @hoauth2@.
-    --
-    | JSONDecodingError Text String
-    -- ^ User profile was not as expected
+    OAuth2Error Text ByteString
+  | -- | User profile was not as expected
     --
     -- Plugin name and Aeson parse error message.
-    --
-    | GenericError Text String
-    -- ^ Other error conditions
+    JSONDecodingError Text String
+  | -- | Other error conditions
     --
     -- Plugin name and error message.
-    --
-    deriving (Show, Typeable)
+    GenericError Text String
+  deriving (Show)
 
 instance Exception YesodOAuth2Exception

src/Yesod/Auth/OAuth2/GitHub.hs

@@ -1,19 +1,22 @@
 {-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE QuasiQuotes #-}
+
 -- |
 --
 -- OAuth2 plugin for http://github.com
 --
 -- * Authenticates against github
 -- * Uses github user id as credentials identifier
---
 module Yesod.Auth.OAuth2.GitHub
   ( oauth2GitHub
+  , oauth2GitHubWidget
   , oauth2GitHubScoped
+  , oauth2GitHubScopedWidget
   ) where
 
-import Yesod.Auth.OAuth2.Prelude
-
 import qualified Data.Text as T
+import Yesod.Auth.OAuth2.Prelude
+import Yesod.Core (WidgetFor, whamlet)
 
 newtype User = User Int
 
@@ -29,25 +32,39 @@ defaultScopes = ["user:email"]
 oauth2GitHub :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2GitHub = oauth2GitHubScoped defaultScopes
 
-oauth2GitHubScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
-oauth2GitHubScoped scopes clientId clientSecret =
-  authOAuth2 pluginName oauth2 $ \manager token -> do
-    (User userId, userResponse) <- authGetProfile
-      pluginName
-      manager
-      token
-      "https://api.github.com/user"
+oauth2GitHubWidget
+  :: YesodAuth m => WidgetFor m () -> Text -> Text -> AuthPlugin m
+oauth2GitHubWidget widget = oauth2GitHubScopedWidget widget defaultScopes
 
-    pure Creds { credsPlugin = pluginName
-               , credsIdent  = T.pack $ show userId
-               , credsExtra  = setExtra token userResponse
-               }
+oauth2GitHubScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
+oauth2GitHubScoped =
+  oauth2GitHubScopedWidget [whamlet|Login via #{pluginName}|]
+
+oauth2GitHubScopedWidget
+  :: YesodAuth m => WidgetFor m () -> [Text] -> Text -> Text -> AuthPlugin m
+oauth2GitHubScopedWidget widget scopes clientId clientSecret =
+  authOAuth2Widget widget pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://api.github.com/user"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = "https://github.com/login/oauth/authorize"
-                                  `withQuery` [scopeParam "," scopes]
-    , oauth2TokenEndpoint     = "https://github.com/login/oauth/access_token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://github.com/login/oauth/authorize"
+            `withQuery` [scopeParam "," scopes]
+      , oauth2TokenEndpoint = "https://github.com/login/oauth/access_token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/GitLab.hs

@@ -1,4 +1,5 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 module Yesod.Auth.OAuth2.GitLab
   ( oauth2GitLab
   , oauth2GitLabHostScopes
@@ -32,7 +33,6 @@ defaultScopes = ["read_user"]
 --
 -- > oauth2GitLabHostScopes defaultHost ["api", "read_user"]
 -- > oauth2GitLabHostScopes "https://gitlab.example.com" defaultScopes
---
 oauth2GitLab :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2GitLab = oauth2GitLabHostScopes defaultHost defaultScopes
 
@@ -43,17 +43,19 @@ oauth2GitLabHostScopes host scopes clientId clientSecret =
     (User userId, userResponse) <-
       authGetProfile pluginName manager token $ host `withPath` "/api/v4/user"
 
-    pure Creds { credsPlugin = pluginName
-               , credsIdent  = T.pack $ show userId
-               , credsExtra  = setExtra token userResponse
-               }
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = host
-                                `withPath`  "/oauth/authorize"
-                                `withQuery` [scopeParam " " scopes]
-    , oauth2TokenEndpoint     = host `withPath` "/oauth/token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          host `withPath` "/oauth/authorize" `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = host `withPath` "/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/Google.hs

@@ -1,5 +1,6 @@
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE QuasiQuotes #-}
+
 -- |
 --
 -- OAuth2 plugin for http://www.google.com
@@ -23,7 +24,6 @@
 -- >         updatedCreds = creds { credsIdent = email }
 -- >
 -- >     -- continue normally with updatedCreds
---
 module Yesod.Auth.OAuth2.Google
   ( oauth2Google
   , oauth2GoogleWidget
@@ -38,9 +38,9 @@ newtype User = User Text
 
 instance FromJSON User where
   parseJSON =
-    withObject "User" $ \o -> User
+    withObject "User" $ \o ->
       -- Required for data backwards-compatibility
-                                   <$> (("google-uid:" <>) <$> o .: "sub")
+      User . ("google-uid:" <>) <$> o .: "sub"
 
 pluginName :: Text
 pluginName = "google"
@@ -63,22 +63,27 @@ oauth2GoogleScopedWidget
   :: YesodAuth m => WidgetFor m () -> [Text] -> Text -> Text -> AuthPlugin m
 oauth2GoogleScopedWidget widget scopes clientId clientSecret =
   authOAuth2Widget widget pluginName oauth2 $ \manager token -> do
-    (User userId, userResponse) <- authGetProfile
-      pluginName
-      manager
-      token
-      "https://www.googleapis.com/oauth2/v3/userinfo"
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://www.googleapis.com/oauth2/v3/userinfo"
 
-    pure Creds { credsPlugin = pluginName
-               , credsIdent  = userId
-               , credsExtra  = setExtra token userResponse
-               }
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = "https://accounts.google.com/o/oauth2/auth"
-                                  `withQuery` [scopeParam " " scopes]
-    , oauth2TokenEndpoint     = "https://www.googleapis.com/oauth2/v3/token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://accounts.google.com/o/oauth2/auth"
+            `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = "https://www.googleapis.com/oauth2/v3/token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/Nylas.hs

@@ -26,41 +26,45 @@ defaultScopes = ["email"]
 oauth2Nylas :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2Nylas clientId clientSecret =
   authOAuth2 pluginName oauth $ \manager token -> do
-    req <- applyBasicAuth (encodeUtf8 $ atoken $ accessToken token) ""
-      <$> parseRequest "https://api.nylas.com/account"
+    req <-
+      applyBasicAuth (encodeUtf8 $ atoken $ accessToken token) ""
+        <$> parseRequest "https://api.nylas.com/account"
     resp <- httpLbs req manager
     let userResponse = responseBody resp
 
     -- FIXME: was this working? I'm 95% sure that the client will throw its
     -- own exception on unsuccessful status codes.
-    unless (HT.statusIsSuccessful $ responseStatus resp)
-      $  throwIO
-      $  YesodOAuth2Exception.GenericError pluginName
-      $  "Unsuccessful HTTP response: "
-      <> BL8.unpack userResponse
+    unless (HT.statusIsSuccessful $ responseStatus resp) $
+      throwIO $
+        YesodOAuth2Exception.GenericError pluginName $
+          "Unsuccessful HTTP response: "
+            <> BL8.unpack userResponse
 
     either
-        (throwIO . YesodOAuth2Exception.JSONDecodingError pluginName)
-        (\(User userId) -> pure Creds { credsPlugin = pluginName
-                                      , credsIdent = userId
-                                      , credsExtra = setExtra token userResponse
-                                      }
-        )
+      (throwIO . YesodOAuth2Exception.JSONDecodingError pluginName)
+      ( \(User userId) ->
+          pure
+            Creds
+              { credsPlugin = pluginName
+              , credsIdent = userId
+              , credsExtra = setExtra token userResponse
+              }
+      )
       $ eitherDecode userResponse
  where
-  oauth = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = "https://api.nylas.com/oauth/authorize"
-                                  `withQuery` [ ("response_type", "code")
-                                              , ( "client_id"
-                                                , encodeUtf8 clientId
-                                                )
-          -- N.B. The scopes delimeter is unknown/untested. Verify that before
-          -- extracting this to an argument and offering a Scoped function. In
-          -- its current state, it doesn't matter because it's only one scope.
-                                              , scopeParam "," defaultScopes
-                                              ]
-    , oauth2TokenEndpoint     = "https://api.nylas.com/oauth/token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://api.nylas.com/oauth/authorize"
+            `withQuery` [ ("response_type", "code")
+                        , ("client_id", encodeUtf8 clientId)
+                        , -- N.B. The scopes delimeter is unknown/untested. Verify that before
+                          -- extracting this to an argument and offering a Scoped function. In
+                          -- its current state, it doesn't matter because it's only one scope.
+                          scopeParam "," defaultScopes
+                        ]
+      , oauth2TokenEndpoint = "https://api.nylas.com/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/ORCID.hs

@@ -0,0 +1,50 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+module Yesod.Auth.OAuth2.ORCID
+  ( oauth2ORCID
+  ) where
+
+import qualified Data.Text as T
+import Yesod.Auth.OAuth2.Prelude
+
+pluginName :: Text
+pluginName = "orcid"
+
+newtype User = User Text
+
+instance FromJSON User where
+  parseJSON = withObject "User" $ \o -> User <$> o .: "sub"
+
+oauth2ORCID
+  :: YesodAuth m
+  => Text
+  -- ^ Client Id
+  -> Text
+  -- ^ Client Secret
+  -> AuthPlugin m
+oauth2ORCID clientId clientSecret =
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://orcid.org/oauth/userinfo"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://orcid.org/oauth/authorize"
+            `withQuery` [scopeParam " " ["openid"]]
+      , oauth2TokenEndpoint = "https://orcid.org/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/Prelude.hs

@@ -1,14 +1,12 @@
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE TupleSections #-}
+
 -- |
 --
 -- Modules and support functions required by most or all provider
 -- implementations. May also be useful for writing local providers.
---
 module Yesod.Auth.OAuth2.Prelude
-  (
-      -- * Provider helpers
-    authGetProfile
+  ( authGetProfile
   , scopeParam
   , setExtra
 
@@ -22,8 +20,8 @@ module Yesod.Auth.OAuth2.Prelude
   , (.:?)
   , (.=)
   , (<>)
-  , FromJSON(..)
-  , ToJSON(..)
+  , FromJSON (..)
+  , ToJSON (..)
   , eitherDecode
   , withObject
 
@@ -31,22 +29,27 @@ module Yesod.Auth.OAuth2.Prelude
   , throwIO
 
     -- * OAuth2
-  , OAuth2(..)
-  , OAuth2Token(..)
-  , AccessToken(..)
-  , RefreshToken(..)
+  , OAuth2 (..)
+  , TokenResponse
+  , accessToken
+  , refreshToken
+  , expiresIn
+  , tokenType
+  , idToken
+  , AccessToken (..)
+  , RefreshToken (..)
 
     -- * HTTP
   , Manager
 
     -- * Yesod
-  , YesodAuth(..)
-  , AuthPlugin(..)
-  , Creds(..)
+  , YesodAuth (..)
+  , AuthPlugin (..)
+  , Creds (..)
 
     -- * Bytestring URI types
   , URI
-  , Host(..)
+  , Host (..)
 
     -- * Bytestring URI extensions
   , module URI.ByteString.Extension
@@ -76,16 +79,15 @@ import qualified Yesod.Auth.OAuth2.Exception as YesodOAuth2Exception
 -- The response should be parsed only far enough to read the required
 -- @'credsIdent'@. Additional information should either be re-parsed by or
 -- fetched via additional requests by consumers.
---
 authGetProfile
   :: FromJSON a
   => Text
   -> Manager
-  -> OAuth2Token
+  -> TokenResponse
   -> URI
   -> IO (a, BL.ByteString)
 authGetProfile name manager token url = do
-  resp    <- fromAuthGet name =<< authGetBS manager (accessToken token) url
+  resp <- fromAuthGet name =<< authGetBS manager (accessToken token) url
   decoded <- fromAuthJSON name resp
   pure (decoded, resp)
 
@@ -103,7 +105,7 @@ fromAuthJSON name =
 
 -- | A tuple of @\"scope\"@ and the given scopes separated by a delimiter
 scopeParam :: Text -> [Text] -> (ByteString, ByteString)
-scopeParam d = ("scope", ) . encodeUtf8 . T.intercalate d
+scopeParam d = ("scope",) . encodeUtf8 . T.intercalate d
 
 -- brittany-disable-next-binding
 
@@ -117,10 +119,9 @@ scopeParam d = ("scope", ) . encodeUtf8 . T.intercalate d
 -- May set the following keys:
 --
 -- - @refreshToken@: if the provider supports refreshing the @accessToken@
---
-setExtra :: OAuth2Token -> BL.ByteString -> [(Text, Text)]
+setExtra :: TokenResponse -> BL.ByteString -> [(Text, Text)]
 setExtra token userResponse =
-    [ ("accessToken", atoken $ accessToken token)
-    , ("userResponse", decodeUtf8 $ BL.toStrict userResponse)
-    ]
-    <> maybe [] (pure . ("refreshToken", ) . rtoken) (refreshToken token)
+  [ ("accessToken", atoken $ accessToken token)
+  , ("userResponse", decodeUtf8 $ BL.toStrict userResponse)
+  ]
+    <> maybe [] (pure . ("refreshToken",) . rtoken) (refreshToken token)

src/Yesod/Auth/OAuth2/Random.hs

@@ -1,19 +1,19 @@
 {-# LANGUAGE TypeApplications #-}
 
 module Yesod.Auth.OAuth2.Random
-    ( randomText
-    ) where
+  ( randomText
+  ) where
 
 import Crypto.Random (MonadRandom, getRandomBytes)
-import Data.ByteArray.Encoding (Base(Base64), convertToBase)
+import Data.ByteArray.Encoding (Base (Base64), convertToBase)
 import Data.ByteString (ByteString)
 import Data.Text (Text)
 import Data.Text.Encoding (decodeUtf8)
 
 randomText
-    :: MonadRandom m
-    => Int
-    -- ^ Size in Bytes (note necessarily characters)
-    -> m Text
+  :: MonadRandom m
+  => Int
+  -- ^ Size in Bytes (not necessarily characters)
+  -> m Text
 randomText size =
-    decodeUtf8 . convertToBase @ByteString Base64 <$> getRandomBytes size
+  decodeUtf8 . convertToBase @ByteString Base64 <$> getRandomBytes size

src/Yesod/Auth/OAuth2/Salesforce.hs

@@ -1,11 +1,11 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 --
 -- OAuth2 plugin for http://login.salesforce.com
 --
 -- * Authenticates against Salesforce (or sandbox)
 -- * Uses Salesforce user id as credentials identifier
---
 module Yesod.Auth.OAuth2.Salesforce
   ( oauth2Salesforce
   , oauth2SalesforceScoped
@@ -30,46 +30,54 @@ oauth2Salesforce :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2Salesforce = oauth2SalesforceScoped defaultScopes
 
 oauth2SalesforceScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
-oauth2SalesforceScoped = salesforceHelper
-  pluginName
-  "https://login.salesforce.com/services/oauth2/userinfo"
-  "https://login.salesforce.com/services/oauth2/authorize"
-  "https://login.salesforce.com/services/oauth2/token"
+oauth2SalesforceScoped =
+  salesforceHelper
+    pluginName
+    "https://login.salesforce.com/services/oauth2/userinfo"
+    "https://login.salesforce.com/services/oauth2/authorize"
+    "https://login.salesforce.com/services/oauth2/token"
 
 oauth2SalesforceSandbox :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2SalesforceSandbox = oauth2SalesforceSandboxScoped defaultScopes
 
 oauth2SalesforceSandboxScoped
   :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
-oauth2SalesforceSandboxScoped = salesforceHelper
-  (pluginName <> "-sandbox")
-  "https://test.salesforce.com/services/oauth2/userinfo"
-  "https://test.salesforce.com/services/oauth2/authorize"
-  "https://test.salesforce.com/services/oauth2/token"
+oauth2SalesforceSandboxScoped =
+  salesforceHelper
+    (pluginName <> "-sandbox")
+    "https://test.salesforce.com/services/oauth2/userinfo"
+    "https://test.salesforce.com/services/oauth2/authorize"
+    "https://test.salesforce.com/services/oauth2/token"
 
 salesforceHelper
   :: YesodAuth m
   => Text
-  -> URI -- ^ User profile
-  -> URI -- ^ Authorize
-  -> URI -- ^ Token
+  -> URI
+  -- ^ User profile
+  -> URI
+  -- ^ Authorize
+  -> URI
+  -- ^ Token
   -> [Text]
   -> Text
   -> Text
   -> AuthPlugin m
-salesforceHelper name profileUri authorizeUri tokenUri scopes clientId clientSecret
-  = authOAuth2 name oauth2 $ \manager token -> do
+salesforceHelper name profileUri authorizeUri tokenUri scopes clientId clientSecret =
+  authOAuth2 name oauth2 $ \manager token -> do
     (User userId, userResponse) <- authGetProfile name manager token profileUri
 
-    pure Creds { credsPlugin = pluginName
-               , credsIdent  = userId
-               , credsExtra  = setExtra token userResponse
-               }
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = authorizeUri `withQuery` [scopeParam " " scopes]
-    , oauth2TokenEndpoint     = tokenUri
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint = authorizeUri `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = tokenUri
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/Slack.hs

@@ -1,12 +1,12 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 -- OAuth2 plugin for https://slack.com/
 --
 -- * Authenticates against slack
 -- * Uses slack user id as credentials identifier
---
 module Yesod.Auth.OAuth2.Slack
-  ( SlackScope(..)
+  ( SlackScope (..)
   , oauth2Slack
   , oauth2SlackScoped
   ) where
@@ -14,19 +14,23 @@ module Yesod.Auth.OAuth2.Slack
 import Yesod.Auth.OAuth2.Prelude
 
 import Network.HTTP.Client
-    (httpLbs, parseUrlThrow, responseBody, setQueryString)
+  ( httpLbs
+  , parseUrlThrow
+  , responseBody
+  , setQueryString
+  )
 import Yesod.Auth.OAuth2.Exception as YesodOAuth2Exception
 
 data SlackScope
-    = SlackBasicScope
-    | SlackEmailScope
-    | SlackTeamScope
-    | SlackAvatarScope
+  = SlackBasicScope
+  | SlackEmailScope
+  | SlackTeamScope
+  | SlackAvatarScope
 
 scopeText :: SlackScope -> Text
-scopeText SlackBasicScope  = "identity.basic"
-scopeText SlackEmailScope  = "identity.email"
-scopeText SlackTeamScope   = "identity.team"
+scopeText SlackBasicScope = "identity.basic"
+scopeText SlackEmailScope = "identity.email"
+scopeText SlackTeamScope = "identity.team"
 scopeText SlackAvatarScope = "identity.avatar"
 
 newtype User = User Text
@@ -50,26 +54,30 @@ oauth2SlackScoped
 oauth2SlackScoped scopes clientId clientSecret =
   authOAuth2 pluginName oauth2 $ \manager token -> do
     let param = encodeUtf8 $ atoken $ accessToken token
-    req <- setQueryString [("token", Just param)]
-      <$> parseUrlThrow "https://slack.com/api/users.identity"
+    req <-
+      setQueryString [("token", Just param)]
+        <$> parseUrlThrow "https://slack.com/api/users.identity"
     userResponse <- responseBody <$> httpLbs req manager
 
     either
-        (throwIO . YesodOAuth2Exception.JSONDecodingError pluginName)
-        (\(User userId) -> pure Creds { credsPlugin = pluginName
-                                      , credsIdent = userId
-                                      , credsExtra = setExtra token userResponse
-                                      }
-        )
+      (throwIO . YesodOAuth2Exception.JSONDecodingError pluginName)
+      ( \(User userId) ->
+          pure
+            Creds
+              { credsPlugin = pluginName
+              , credsIdent = userId
+              , credsExtra = setExtra token userResponse
+              }
+      )
       $ eitherDecode userResponse
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = "https://slack.com/oauth/authorize"
-                                  `withQuery` [ scopeParam ","
-                                                  $ map scopeText scopes
-                                              ]
-    , oauth2TokenEndpoint     = "https://slack.com/api/oauth.access"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://slack.com/oauth/authorize"
+            `withQuery` [scopeParam "," $ map scopeText scopes]
+      , oauth2TokenEndpoint = "https://slack.com/api/oauth.access"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/Spotify.hs

@@ -1,8 +1,8 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 --
 -- OAuth2 plugin for http://spotify.com
---
 module Yesod.Auth.OAuth2.Spotify
   ( oauth2Spotify
   ) where
@@ -20,22 +20,27 @@ pluginName = "spotify"
 oauth2Spotify :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
 oauth2Spotify scopes clientId clientSecret =
   authOAuth2 pluginName oauth2 $ \manager token -> do
-    (User userId, userResponse) <- authGetProfile
-      pluginName
-      manager
-      token
-      "https://api.spotify.com/v1/me"
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://api.spotify.com/v1/me"
 
-    pure Creds { credsPlugin = pluginName
-               , credsIdent  = userId
-               , credsExtra  = setExtra token userResponse
-               }
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = "https://accounts.spotify.com/authorize"
-                                  `withQuery` [scopeParam " " scopes]
-    , oauth2TokenEndpoint     = "https://accounts.spotify.com/api/token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://accounts.spotify.com/authorize"
+            `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = "https://accounts.spotify.com/api/token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/Twitch.hs

@@ -0,0 +1,62 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+-- |
+--
+-- OAuth2 plugin for http://twitch.tv
+--
+-- * Authenticates against twitch
+-- * Uses twitch user id as credentials identifier
+module Yesod.Auth.OAuth2.Twitch
+  ( oauth2Twitch
+  , oauth2TwitchScoped
+  ) where
+
+import Yesod.Auth.OAuth2.Prelude
+
+import qualified Data.Text.Encoding as T
+
+newtype User = User Text
+
+instance FromJSON User where
+  parseJSON = withObject "User" $ \o -> User <$> o .: "user_id"
+
+pluginName :: Text
+pluginName = "twitch"
+
+defaultScopes :: [Text]
+defaultScopes = ["user:read:email"]
+
+oauth2Twitch :: YesodAuth m => Text -> Text -> AuthPlugin m
+oauth2Twitch = oauth2TwitchScoped defaultScopes
+
+oauth2TwitchScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
+oauth2TwitchScoped scopes clientId clientSecret =
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://id.twitch.tv/oauth2/validate"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
+        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://id.twitch.tv/oauth2/authorize"
+            `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint =
+          "https://id.twitch.tv/oauth2/token"
+            `withQuery` [ ("client_id", T.encodeUtf8 clientId)
+                        , ("client_secret", T.encodeUtf8 clientSecret)
+                        ]
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/Upcase.hs

@@ -1,11 +1,11 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 --
 -- OAuth2 plugin for http://upcase.com
 --
 -- * Authenticates against upcase
 -- * Uses upcase user id as credentials identifier
---
 module Yesod.Auth.OAuth2.Upcase
   ( oauth2Upcase
   ) where
@@ -27,21 +27,25 @@ pluginName = "upcase"
 oauth2Upcase :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2Upcase clientId clientSecret =
   authOAuth2 pluginName oauth2 $ \manager token -> do
-    (User userId, userResponse) <- authGetProfile
-      pluginName
-      manager
-      token
-      "http://upcase.com/api/v1/me.json"
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "http://upcase.com/api/v1/me.json"
 
-    pure Creds { credsPlugin = pluginName
-               , credsIdent  = T.pack $ show userId
-               , credsExtra  = setExtra token userResponse
-               }
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint = "http://upcase.com/oauth/authorize"
-    , oauth2TokenEndpoint     = "http://upcase.com/oauth/token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint = "http://upcase.com/oauth/authorize"
+      , oauth2TokenEndpoint = "http://upcase.com/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }

src/Yesod/Auth/OAuth2/WordPressDotCom.hs

@@ -16,30 +16,35 @@ instance FromJSON WpUser where
   parseJSON = withObject "WpUser" $ \o -> WpUser <$> o .: "ID"
 
 oauth2WordPressDotCom
-  :: (YesodAuth m)
-  => Text -- ^ Client Id
-  -> Text -- ^ Client Secret
+  :: YesodAuth m
+  => Text
+  -- ^ Client Id
+  -> Text
+  -- ^ Client Secret
   -> AuthPlugin m
 oauth2WordPressDotCom clientId clientSecret =
   authOAuth2 pluginName oauth2 $ \manager token -> do
-    (WpUser userId, userResponse) <- authGetProfile
-      pluginName
-      manager
-      token
-      "https://public-api.wordpress.com/rest/v1/me/"
-
-    pure Creds { credsPlugin = pluginName
-               , credsIdent  = T.pack $ show userId
-               , credsExtra  = setExtra token userResponse
-               }
+    (WpUser userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://public-api.wordpress.com/rest/v1/me/"
 
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
  where
-  oauth2 = OAuth2
-    { oauth2ClientId          = clientId
-    , oauth2ClientSecret      = Just clientSecret
-    , oauth2AuthorizeEndpoint =
-      "https://public-api.wordpress.com/oauth2/authorize"
-        `withQuery` [scopeParam "," ["auth"]]
-    , oauth2TokenEndpoint     = "https://public-api.wordpress.com/oauth2/token"
-    , oauth2RedirectUri       = Nothing
-    }
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://public-api.wordpress.com/oauth2/authorize"
+            `withQuery` [scopeParam "," ["auth"]]
+      , oauth2TokenEndpoint = "https://public-api.wordpress.com/oauth2/token"
+      , oauth2RedirectUri = Nothing
+      }

stack-hoauth2-2.0.yaml

@@ -1,3 +0,0 @@
-resolver: lts-18.23
-extra-deps:
-  - hoauth2-2.0.0@sha256:4686d776272d4c57d3c8dbeb9e58b04afe4d2b410382011bd78a3d2bfb08a3fe,5662

stack-hoauth2-2.0.yaml.lock

@@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: hoauth2-2.0.0@sha256:4686d776272d4c57d3c8dbeb9e58b04afe4d2b410382011bd78a3d2bfb08a3fe,5662
-    pantry-tree:
-      size: 2171
-      sha256: 291b3dd90854ef44f270519ec17e34b6778f8430f6d6517bd67b0128bd549553
-  original:
-    hackage: hoauth2-2.0.0@sha256:4686d776272d4c57d3c8dbeb9e58b04afe4d2b410382011bd78a3d2bfb08a3fe,5662
-snapshots:
-- completed:
-    size: 587819
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/18/23.yaml
-    sha256: 7f69bb29a57495586e7e3ed31ecc59c0d2c959cb23bd52b71ca676f254c9beb1
-  original: lts-18.23

stack-lts-13.2.yaml

@@ -1,11 +0,0 @@
----
-resolver: lts-13.2
-
-extra-deps:
-  - hoauth2-1.14.0@sha256:fcb4284fc78950c91d5b548317c51bd99a5ced84f4bb9e6153624b5783e4215f,5628
-
-# Fix for weeder with stack-2
-ghc-options:
-  "$locals":
-    -ddump-to-file
-    -ddump-hi

stack-lts-13.2.yaml.lock

@@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: hoauth2-1.14.0@sha256:fcb4284fc78950c91d5b548317c51bd99a5ced84f4bb9e6153624b5783e4215f,5628
-    pantry-tree:
-      size: 2046
-      sha256: f25e2c2c101312196159dad5a3e2a4c8f549ed2d036d9566b66786d758db7dba
-  original:
-    hackage: hoauth2-1.14.0@sha256:fcb4284fc78950c91d5b548317c51bd99a5ced84f4bb9e6153624b5783e4215f,5628
-snapshots:
-- completed:
-    size: 492864
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/13/2.yaml
-    sha256: 586534518d3e7be8617d97ea296f05f497c0b4bb006f100367d66f5c45ae6268
-  original: lts-13.2

stack-lts-16.10.yaml

@@ -1,8 +0,0 @@
----
-resolver: lts-16.10
-
-# Fix for weeder with stack-2
-ghc-options:
-  "$locals":
-    -ddump-to-file
-    -ddump-hi

stack-lts-16.10.yaml.lock

@@ -1,12 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages: []
-snapshots:
-- completed:
-    size: 532383
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/16/10.yaml
-    sha256: 469d781ab6d2a4eceed6b31b6e4ec842dcd3cd1d11577972e86902603dce24df
-  original: lts-16.10

stack-lts-17.4.yaml

@@ -1 +0,0 @@
-resolver: lts-17.4

stack-lts-17.4.yaml.lock

@@ -1,12 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages: []
-snapshots:
-- completed:
-    size: 563103
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/17/4.yaml
-    sha256: f11e2153044f5f71ea7b1c9398f4721f517c9bd37642ed769647b896564021f3
-  original: lts-17.4

stack-lts21.yaml

@@ -0,0 +1 @@
+resolver: lts-21.25

stack-lts22.yaml

@@ -0,0 +1 @@
+resolver: lts-22.44

stack-lts23.yaml

@@ -0,0 +1 @@
+resolver: lts-23.28

stack-lts24.yaml

@@ -0,0 +1 @@
+resolver: lts-24.26

stack-nightly.yaml

@@ -0,0 +1,4 @@
+resolver: nightly-2026-01-05
+extra-deps:
+  - cryptonite-0.30
+  - yesod-auth-1.6.11.3

stack.yaml

@@ -1 +0,0 @@
-resolver: lts-18.23

stack.yaml

@@ -0,0 +1 @@
+stack-lts24.yaml

stack.yaml.lock

@@ -1,12 +1,12 @@
 # This file was autogenerated by Stack.
 # You should not edit this file by hand.
 # For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
+#   https://docs.haskellstack.org/en/stable/topics/lock_files
 
 packages: []
 snapshots:
 - completed:
-    size: 587819
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/18/23.yaml
-    sha256: 7f69bb29a57495586e7e3ed31ecc59c0d2c959cb23bd52b71ca676f254c9beb1
-  original: lts-18.23
+    sha256: d90eb1418667a225998b173817300e5ae2e1500ed03c0a9457cc2a0e78a0122a
+    size: 726337
+    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/24/26.yaml
+  original: lts-24.26

test/URI/ByteString/ExtensionSpec.hs

@@ -1,8 +1,9 @@
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE QuasiQuotes #-}
+
 module URI.ByteString.ExtensionSpec
-    ( spec
-    ) where
+  ( spec
+  ) where
 
 import Test.Hspec
 
@@ -14,65 +15,66 @@ import URI.ByteString.QQ
 
 spec :: Spec
 spec = do
-    describe "IsString Scheme" $ it "works" $ do
-        "https" `shouldBe` Scheme "https"
+  describe "IsString Scheme" $ it "works" $ do
+    "https" `shouldBe` Scheme "https"
 
-    describe "IsString Host" $ it "works" $ do
-        "example.com" `shouldBe` Host "example.com"
+  describe "IsString Host" $ it "works" $ do
+    "example.com" `shouldBe` Host "example.com"
 
-    describe "IsString URIRef Relative" $ it "works" $ do
-        "example.com/foo?bar=baz"
-            `shouldBe` [relativeRef|example.com/foo?bar=baz|]
+  describe "IsString URIRef Relative" $ it "works" $ do
+    "example.com/foo?bar=baz" `shouldBe` [relativeRef|example.com/foo?bar=baz|]
 
-    describe "IsString URIRef Absolute" $ it "works" $ do
-        "https://example.com/foo?bar=baz"
-            `shouldBe` [uri|https://example.com/foo?bar=baz|]
+  describe "IsString URIRef Absolute" $ it "works" $ do
+    "https://example.com/foo?bar=baz"
+      `shouldBe` [uri|https://example.com/foo?bar=baz|]
 
-    describe "fromText" $ do
-        it "returns Just a URI for valid values, as the quasi-quoter would" $ do
-            fromText "http://example.com/foo?bar=baz"
-                `shouldBe` Just [uri|http://example.com/foo?bar=baz|]
+  describe "fromText" $ do
+    it "returns Just a URI for valid values, as the quasi-quoter would" $ do
+      fromText "http://example.com/foo?bar=baz"
+        `shouldBe` Just [uri|http://example.com/foo?bar=baz|]
 
-        it "returns Nothing for invalid values" $ do
-            fromText "Oh my, what did I do?" `shouldBe` Nothing
+    it "returns Nothing for invalid values" $ do
+      fromText "Oh my, what did I do?" `shouldBe` Nothing
 
-    describe "unsafeFromText" $ do
-        it "returns a URI for valid values, as the quasi-quoter would" $ do
-            unsafeFromText "http://example.com/foo?bar=baz"
-                `shouldBe` [uri|http://example.com/foo?bar=baz|]
+  describe "unsafeFromText" $ do
+    it "returns a URI for valid values, as the quasi-quoter would" $ do
+      unsafeFromText "http://example.com/foo?bar=baz"
+        `shouldBe` [uri|http://example.com/foo?bar=baz|]
 
-        it "raises for invalid values" $ do
-            evaluate (unsafeFromText "Oh my, what did I do?")
-                `shouldThrow` errorContaining "MissingColon"
+    it "raises for invalid values" $ do
+      evaluate (unsafeFromText "Oh my, what did I do?")
+        `shouldThrow` errorContaining "MissingColon"
 
-    describe "toText" $ do
-        it "serializes the URI to text" $ do
-            toText [uri|https://example.com/foo?bar=baz|]
-                `shouldBe` "https://example.com/foo?bar=baz"
+  describe "toText" $ do
+    it "serializes the URI to text" $ do
+      toText [uri|https://example.com/foo?bar=baz|]
+        `shouldBe` "https://example.com/foo?bar=baz"
 
-    describe "fromRelative" $ do
-        it "makes a URI absolute with a given host" $ do
-            fromRelative "ftp" "foo.com" [relativeRef|/bar?baz=bat|]
-                `shouldBe` [uri|ftp://foo.com/bar?baz=bat|]
+  describe "fromRelative" $ do
+    it "makes a URI absolute with a given host" $ do
+      fromRelative "ftp" "foo.com" [relativeRef|/bar?baz=bat|]
+        `shouldBe` [uri|ftp://foo.com/bar?baz=bat|]
 
-    describe "withQuery" $ do
-        it "appends a query to a URI" $ do
-            let uriWithQuery = [uri|http://example.com|] `withQuery` [("foo", "bar")]
+  describe "withQuery" $ do
+    it "appends a query to a URI" $ do
+      let uriWithQuery = [uri|http://example.com|] `withQuery` [("foo", "bar")]
 
-            uriWithQuery `shouldBe` [uri|http://example.com?foo=bar|]
+      uriWithQuery `shouldBe` [uri|http://example.com?foo=bar|]
 
-        it "handles a URI with an existing query" $ do
-            let uriWithQuery = [uri|http://example.com?foo=bar|] `withQuery` [("baz", "bat")]
+    it "handles a URI with an existing query" $ do
+      let uriWithQuery =
+            [uri|http://example.com?foo=bar|] `withQuery` [("baz", "bat")]
 
-            uriWithQuery `shouldBe` [uri|http://example.com?foo=bar&baz=bat|]
+      uriWithQuery `shouldBe` [uri|http://example.com?foo=bar&baz=bat|]
 
-        -- This is arguably testing the internals of another package, but IMO
-        -- it's worthwhile to show that you don't (and can't) pre-sanitize when
-        -- using this function.
-        it "handles santization of the query" $ do
-            let uriWithQuery = [uri|http://example.com|] `withQuery` [("foo", "bar baz")]
+    -- This is arguably testing the internals of another package, but IMO
+    -- it's worthwhile to show that you don't (and can't) pre-sanitize when
+    -- using this function.
+    it "handles santization of the query" $ do
+      let uriWithQuery =
+            [uri|http://example.com|] `withQuery` [("foo", "bar baz")]
 
-            toText uriWithQuery `shouldBe` "http://example.com?foo=bar%20baz"
+      toText uriWithQuery `shouldBe` "http://example.com?foo=bar%20baz"
 
 errorContaining :: String -> Selector ErrorCall
 errorContaining msg = (msg `isInfixOf`) . show

yesod-auth-oauth2.cabal

@@ -1,13 +1,13 @@
-cabal-version: 1.12
+cabal-version: 1.18
 
--- This file has been generated from package.yaml by hpack version 0.34.4.
+-- This file has been generated from package.yaml by hpack version 0.38.1.
 --
 -- see: https://github.com/sol/hpack
 --
--- hash: 927e814961c7ffd910b2b3e67303b31ae03b2d123db27394ee29cb6756aeb443
+-- hash: d595b9569ed34feddc8c41cf6f1f8cabbd8a37fa14b6afeeb24ad651ca689011
 
 name:           yesod-auth-oauth2
-version:        0.7.0.0
+version:        0.8.0.0
 synopsis:       OAuth 2.0 authentication plugins
 description:    Library to authenticate with OAuth 2.0 for Yesod web applications.
 category:       Web
@@ -20,7 +20,7 @@ maintainer:     engineering@freckle.com
 license:        MIT
 license-file:   LICENSE
 build-type:     Simple
-extra-source-files:
+extra-doc-files:
     README.md
     CHANGELOG.md
 
@@ -39,7 +39,9 @@ library
       UnliftIO.Except
       URI.ByteString.Extension
       Yesod.Auth.OAuth2
+      Yesod.Auth.OAuth2.Auth0
       Yesod.Auth.OAuth2.AzureAD
+      Yesod.Auth.OAuth2.AzureADv2
       Yesod.Auth.OAuth2.BattleNet
       Yesod.Auth.OAuth2.Bitbucket
       Yesod.Auth.OAuth2.ClassLink
@@ -52,11 +54,13 @@ library
       Yesod.Auth.OAuth2.GitLab
       Yesod.Auth.OAuth2.Google
       Yesod.Auth.OAuth2.Nylas
+      Yesod.Auth.OAuth2.ORCID
       Yesod.Auth.OAuth2.Prelude
       Yesod.Auth.OAuth2.Random
       Yesod.Auth.OAuth2.Salesforce
       Yesod.Auth.OAuth2.Slack
       Yesod.Auth.OAuth2.Spotify
+      Yesod.Auth.OAuth2.Twitch
       Yesod.Auth.OAuth2.Upcase
       Yesod.Auth.OAuth2.WordPressDotCom
   other-modules:
@@ -68,9 +72,9 @@ library
       aeson >=0.6
     , base >=4.9.0.0 && <5
     , bytestring >=0.9.1.4
-    , cryptonite >=0.25
+    , crypton
     , errors
-    , hoauth2 >=1.11.0
+    , hoauth2 >=2.8.0
     , http-client >=0.4.0
     , http-conduit >=2.0
     , http-types >=0.8
@@ -79,6 +83,7 @@ library
     , mtl
     , safe-exceptions
     , text >=0.7
+    , transformers
     , unliftio
     , uri-bytestring
     , yesod-auth >=1.6.0
@@ -97,7 +102,7 @@ executable yesod-auth-oauth2-example
     , aeson-pretty
     , base >=4.9.0.0 && <5
     , bytestring >=0.9.1.4
-    , containers
+    , containers >=0.6.0.1
     , http-conduit >=2.0
     , load-env
     , text >=0.7
@@ -105,9 +110,9 @@ executable yesod-auth-oauth2-example
     , yesod
     , yesod-auth >=1.6.0
     , yesod-auth-oauth2
+  default-language: Haskell2010
   if !(flag(example))
     buildable: False
-  default-language: Haskell2010
 
 test-suite test
   type: exitcode-stdio-1.0