Fix STACK_YAML in release

We removed some resolvers, so we need to update the minimum that's used
here.

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @freckle/backenders

.github/workflows/add-asana-comment.yml.bak

@@ -0,0 +1,16 @@
+name: Asana
+
+on:
+  pull_request:
+    types: [opened]
+
+jobs:
+  link-asana-task:
+    if: ${{ github.actor != 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: Asana/create-app-attachment-github-action@v1.3
+        id: postAttachment
+        with:
+          asana-secret: ${{ secrets.ASANA_API_ACCESS_KEY }}
+      - run: echo "Status is ${{ steps.postAttachment.outputs.status }}"

.github/workflows/ci.yml

@@ -9,11 +9,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   generate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - id: generate
         uses: freckle/stack-action/generate-matrix@v5
     outputs:
@@ -29,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: freckle/stack-action@v5
         with:
           stack-build-arguments: --flag yesod-auth-oauth2:example
@@ -39,7 +42,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: haskell-actions/hlint-setup@v2
       - uses: haskell-actions/hlint-run@v2
         with:

.github/workflows/release.yml

@@ -8,7 +8,7 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - id: tag
         uses: freckle/haskell-tag-action@v1
@@ -19,4 +19,4 @@ jobs:
           HACKAGE_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
 
           # Use minimum LTS to set lowest lower bounds
-          STACK_YAML: stack-lts-16.31.yaml
+          STACK_YAML: stack-lts21.yaml

.stack-all

@@ -0,0 +1,2 @@
+[versions]
+oldest = lts-21

CHANGELOG.md

@@ -1,4 +1,21 @@
-## [_Unreleased_](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.3.0...main)
+## [_Unreleased_](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.8.0.0...main)
+
+## [v0.8.0.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.4.0...v0.8.0.0)
+
+- Drop support for GHC < 9.4 and hoauth2 < 2.8
+- Add support for GHC 9.12 and hoauth2-2.15
+- To align our interfaces with hoauth2-2.15:
+  - Make `OAuth2 {clientSecret}` non-`Maybe`
+  - Replace `OAuthToken` with `TokenResponse`
+  - Replace `Errors` with `TokenResponseError`
+  - Replace `fetchAccessToken{,2}` with `fetchAccessToken{Basic,Post}`
+
+While technically a major version bump, this change should only affect those
+users that maintain their own plugins.
+
+## [v0.7.4.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.3.0...v0.7.4.0)
+
+- Add `oauth2AzureADv2Widget` and `oauth2AzureADv2ScopedWidget`
 
 ## [v0.7.3.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.2.0...v0.7.3.0)
 

package.yaml

@@ -1,6 +1,6 @@
 ---
 name: yesod-auth-oauth2
-version: 0.7.3.0
+version: 0.8.0.0
 synopsis: OAuth 2.0 authentication plugins
 description: Library to authenticate with OAuth 2.0 for Yesod web applications.
 category: Web
@@ -29,7 +29,7 @@ library:
     - bytestring >=0.9.1.4
     - crypton
     - errors
-    - hoauth2 >=1.11.0
+    - hoauth2 >=2.8.0 # TokenRequestError
     - http-client >=0.4.0
     - http-conduit >=2.0
     - http-types >=0.8

renovate.json

@@ -0,0 +1,7 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "local>freckle/renovate-config"
+  ],
+  "minimumReleaseAge": "0 days"
+}

src/Network/OAuth/OAuth2/Compat.hs

@@ -2,170 +2,117 @@
 
 module Network.OAuth.OAuth2.Compat
   ( OAuth2 (..)
-  , OAuth2Result
-  , Errors
   , authorizationUrl
-  , fetchAccessToken
+  , fetchAccessTokenBasic
-  , fetchAccessToken2
+  , fetchAccessTokenPost
   , authGetBS
 
     -- * Re-exports
-  , module Network.OAuth.OAuth2
+  , AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , TokenResponse
+  , accessToken
+  , refreshToken
+  , expiresIn
+  , tokenType
+  , idToken
+  , TokenResponseError
   ) where
 
+import Control.Monad.IO.Class (MonadIO)
+import Control.Monad.Trans.Except (runExceptT)
 import Data.ByteString.Lazy (ByteString)
 import Data.Text (Text)
 import Network.HTTP.Conduit (Manager)
+import URI.ByteString
+
+#if MIN_VERSION_hoauth2(2,15,0)
+import Network.OAuth2
+  ( AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , TokenResponse (..)
+  , TokenResponseError
+  )
+import qualified Network.OAuth2 as OAuth2
+
+#elif MIN_VERSION_hoauth2(2,9,0)
 import Network.OAuth.OAuth2
   ( AccessToken (..)
   , ExchangeToken (..)
-  , OAuth2Token (..)
   , RefreshToken (..)
+  , OAuth2Token (..)
+  , TokenResponseError
   )
 import qualified Network.OAuth.OAuth2 as OAuth2
-import URI.ByteString
 
-#if MIN_VERSION_hoauth2(2,2,0)
+type TokenResponse = OAuth2Token
-import Control.Monad.Trans.Except (ExceptT, runExceptT)
-import Data.Maybe (fromMaybe)
-#endif
 
-#if MIN_VERSION_hoauth2(2,9,0)
-import Network.OAuth.OAuth2.TokenRequest (TokenResponseError)
-type Errors = TokenResponseError
-#elif MIN_VERSION_hoauth2(2,7,0)
-import Network.OAuth.OAuth2.TokenRequest (TokenRequestError)
-type Errors = TokenRequestError
 #else
-import qualified Network.OAuth.OAuth2.TokenRequest as LegacyTokenRequest
+-- hoauth2-2.8
-import Network.OAuth.OAuth2 (OAuth2Error)
+import Network.OAuth.OAuth2
-type Errors = OAuth2Error LegacyTokenRequest.Errors
+  ( AccessToken (..)
-#endif
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , OAuth2Token (..)
+  )
+import Network.OAuth.OAuth2.TokenRequest (TokenRequestError)
+import qualified Network.OAuth.OAuth2 as OAuth2
 
-{-# ANN module ("HLint: ignore Use fewer imports" :: String) #-}
+type TokenResponse = OAuth2Token
+type TokenResponseError = TokenRequestError
+#endif
 
 data OAuth2 = OAuth2
   { oauth2ClientId :: Text
-  , oauth2ClientSecret :: Maybe Text
+  , oauth2ClientSecret :: Text
   , oauth2AuthorizeEndpoint :: URIRef Absolute
   , oauth2TokenEndpoint :: URIRef Absolute
   , oauth2RedirectUri :: Maybe (URIRef Absolute)
   }
 
-type OAuth2Result err a = Either err a
-
 authorizationUrl :: OAuth2 -> URI
 authorizationUrl = OAuth2.authorizationUrl . getOAuth2
 
-fetchAccessToken
-  :: Manager
-  -> OAuth2
-  -> ExchangeToken
-  -> IO (OAuth2Result Errors OAuth2Token)
-fetchAccessToken = fetchAccessTokenBasic
-
-fetchAccessToken2
-  :: Manager
-  -> OAuth2
-  -> ExchangeToken
-  -> IO (OAuth2Result Errors OAuth2Token)
-fetchAccessToken2 = fetchAccessTokenPost
-
-authGetBS :: Manager -> AccessToken -> URI -> IO (Either ByteString ByteString)
-authGetBS m a u = runOAuth2 $ OAuth2.authGetBS m a u
-
--- Normalize the rename of record fields at hoauth2-2.0. Our type is the newer
--- names and we up-convert if hoauth2-1.x is in use. getClientSecret and
--- getRedirectUri handle the differences in hoauth2-2.2 and 2.3.
-
-#if MIN_VERSION_hoauth2(2,0,0)
-getOAuth2 :: OAuth2 -> OAuth2.OAuth2
-getOAuth2 o = OAuth2.OAuth2
-    { OAuth2.oauth2ClientId = oauth2ClientId o
-    , OAuth2.oauth2ClientSecret = getClientSecret $ oauth2ClientSecret o
-    , OAuth2.oauth2AuthorizeEndpoint = oauth2AuthorizeEndpoint o
-    , OAuth2.oauth2TokenEndpoint = oauth2TokenEndpoint o
-    , OAuth2.oauth2RedirectUri = getRedirectUri $ oauth2RedirectUri o
-    }
-#else
-getOAuth2 :: OAuth2 -> OAuth2.OAuth2
-getOAuth2 o = OAuth2.OAuth2
-    { OAuth2.oauthClientId = oauth2ClientId o
-    , OAuth2.oauthClientSecret = getClientSecret $ oauth2ClientSecret o
-    , OAuth2.oauthOAuthorizeEndpoint = oauth2AuthorizeEndpoint o
-    , OAuth2.oauthAccessTokenEndpoint = oauth2TokenEndpoint o
-    , OAuth2.oauthCallback = getRedirectUri $ oauth2RedirectUri o
-    }
-#endif
-
--- hoauth2-2.2 made oauth2ClientSecret non-Maybe, after 2.0 had just made it
--- Maybe so we have to adjust, twice. TODO: change ours type to non-Maybe (major
--- bump) and reverse this to up-convert with Just in pre-2.2.
-
-#if MIN_VERSION_hoauth2(2,2,0)
-getClientSecret :: Maybe Text -> Text
-getClientSecret =
-    fromMaybe $ error "Cannot use OAuth2.oauth2ClientSecret with Nothing"
-#else
-getClientSecret :: Maybe Text -> Maybe Text
-getClientSecret = id
-#endif
-
--- hoauth2-2.3 then made oauth2RedirectUri non-Maybe too. We logically rely on
--- instantiating with Nothing at definition-time, then setting it to the
--- callback at use-time, which means we can't just change our type and invert
--- this shim; we'll have to do something much more pervasive to avoid this
--- fromMaybe.
-
-#if MIN_VERSION_hoauth2(2,3,0)
-getRedirectUri :: Maybe (URIRef Absolute) -> (URIRef Absolute)
-getRedirectUri =
-    fromMaybe $ error "Cannot use OAuth2.oauth2RedirectUri with Nothing"
-#else
-getRedirectUri :: Maybe (URIRef Absolute) -> Maybe (URIRef Absolute)
-getRedirectUri = id
-#endif
-
--- hoauth-2.2 moved most IO-Either functions to ExceptT. This reverses that.
-
-#if MIN_VERSION_hoauth2(2,2,0)
-runOAuth2 :: ExceptT e m a -> m (Either e a)
-runOAuth2 = runExceptT
-#else
-runOAuth2 :: IO (Either e a) -> IO (Either e a)
-runOAuth2 = id
-#endif
-
--- The fetchAccessToken functions grew a nicer interface in hoauth2-2.3. This
--- up-converts the older ones. We should update our code to use these functions
--- directly.
-
 fetchAccessTokenBasic
   :: Manager
   -> OAuth2
   -> ExchangeToken
-  -> IO (OAuth2Result Errors OAuth2Token)
+  -> IO (Either TokenResponseError TokenResponse)
-fetchAccessTokenBasic m o e = runOAuth2 $ f m (getOAuth2 o) e
+fetchAccessTokenBasic =
- where
+  runFetchAccessToken OAuth2.ClientSecretBasic
-#if MIN_VERSION_hoauth2(2,6,0)
-    f = OAuth2.fetchAccessTokenWithAuthMethod OAuth2.ClientSecretBasic
-#elif MIN_VERSION_hoauth2(2,3,0)
-    f = OAuth2.fetchAccessTokenInternal OAuth2.ClientSecretBasic
-#else
-    f = OAuth2.fetchAccessToken
-#endif
 
 fetchAccessTokenPost
   :: Manager
   -> OAuth2
   -> ExchangeToken
-  -> IO (OAuth2Result Errors OAuth2Token)
+  -> IO (Either TokenResponseError TokenResponse)
-fetchAccessTokenPost m o e = runOAuth2 $ f m (getOAuth2 o) e
+fetchAccessTokenPost =
- where
+  runFetchAccessToken OAuth2.ClientSecretPost
-#if MIN_VERSION_hoauth2(2, 6, 0)
+
-    f = OAuth2.fetchAccessTokenWithAuthMethod OAuth2.ClientSecretPost
+authGetBS :: Manager -> AccessToken -> URI -> IO (Either ByteString ByteString)
-#elif MIN_VERSION_hoauth2(2,3,0)
+authGetBS m a u = runExceptT $ OAuth2.authGetBS m a u
-    f = OAuth2.fetchAccessTokenInternal OAuth2.ClientSecretPost
+
-#else
+getOAuth2 :: OAuth2 -> OAuth2.OAuth2
-    f = OAuth2.fetchAccessToken2
+getOAuth2 o =
-#endif
+  OAuth2.OAuth2
+    { OAuth2.oauth2ClientId = oauth2ClientId o
+    , OAuth2.oauth2ClientSecret = oauth2ClientSecret o
+    , OAuth2.oauth2AuthorizeEndpoint = oauth2AuthorizeEndpoint o
+    , OAuth2.oauth2TokenEndpoint = oauth2TokenEndpoint o
+    , OAuth2.oauth2RedirectUri = case oauth2RedirectUri o of
+        Nothing ->
+          error
+            "programmer error: yesod-auth-oauth2:OAuth2 must have a Just value set as oauth2RedirectUri before using as an hauth2:OAuth2 value"
+        Just uri -> uri
+    }
+
+runFetchAccessToken
+  :: MonadIO m
+  => OAuth2.ClientAuthenticationMethod
+  -> Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> m (Either TokenResponseError TokenResponse)
+runFetchAccessToken am m o e = runExceptT $ OAuth2.fetchAccessTokenWithAuthMethod am m (getOAuth2 o) e

src/Yesod/Auth/OAuth2.hs

@@ -11,13 +11,13 @@ module Yesod.Auth.OAuth2
   ( OAuth2 (..)
   , FetchCreds
   , Manager
-  , OAuth2Token (..)
+  , TokenResponse
   , Creds (..)
   , oauth2Url
   , authOAuth2
   , authOAuth2Widget
 
-    -- * Alternatives that use 'fetchAccessToken2'
+    -- * Alternatives that use 'fetchAccessTokenPost'
   , authOAuth2'
   , authOAuth2Widget'
 
@@ -49,7 +49,7 @@ oauth2Url name = PluginR name ["forward"]
 authOAuth2 :: YesodAuth m => Text -> OAuth2 -> FetchCreds m -> AuthPlugin m
 authOAuth2 name = authOAuth2Widget [whamlet|Login via #{name}|] name
 
--- | A version of 'authOAuth2' that uses 'fetchAccessToken2'
+-- | A version of 'authOAuth2' that uses 'fetchAccessTokenPost'
 --
 -- See <https://github.com/thoughtbot/yesod-auth-oauth2/pull/129>
 authOAuth2' :: YesodAuth m => Text -> OAuth2 -> FetchCreds m -> AuthPlugin m
@@ -66,9 +66,9 @@ authOAuth2Widget
   -> OAuth2
   -> FetchCreds m
   -> AuthPlugin m
-authOAuth2Widget = buildPlugin fetchAccessToken
+authOAuth2Widget = buildPlugin fetchAccessTokenBasic
 
--- | A version of 'authOAuth2Widget' that uses 'fetchAccessToken2'
+-- | A version of 'authOAuth2Widget' that uses 'fetchAccessTokenPost'
 --
 -- See <https://github.com/thoughtbot/yesod-auth-oauth2/pull/129>
 authOAuth2Widget'
@@ -78,7 +78,7 @@ authOAuth2Widget'
   -> OAuth2
   -> FetchCreds m
   -> AuthPlugin m
-authOAuth2Widget' = buildPlugin fetchAccessToken2
+authOAuth2Widget' = buildPlugin fetchAccessTokenPost
 
 buildPlugin
   :: YesodAuth m

src/Yesod/Auth/OAuth2/Auth0.hs

@@ -52,7 +52,7 @@ oauth2Auth0HostScopes host scopes clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           host `withPath` "/authorize" `withQuery` [scopeParam " " scopes]
       , oauth2TokenEndpoint = host `withPath` "/oauth/token"

src/Yesod/Auth/OAuth2/AzureAD.hs

@@ -48,7 +48,7 @@ oauth2AzureADScoped scopes clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://login.windows.net/common/oauth2/authorize"
             `withQuery` [ scopeParam "," scopes

src/Yesod/Auth/OAuth2/AzureADv2.hs

@@ -1,4 +1,5 @@
 {-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE QuasiQuotes #-}
 
 -- |
 --
@@ -9,9 +10,12 @@
 module Yesod.Auth.OAuth2.AzureADv2
   ( oauth2AzureADv2
   , oauth2AzureADv2Scoped
+  , oauth2AzureADv2Widget
+  , oauth2AzureADv2ScopedWidget
   ) where
 
 import Yesod.Auth.OAuth2.Prelude
+import Yesod.Core (WidgetFor, whamlet)
 import Prelude
 
 import Data.String
@@ -41,9 +45,21 @@ oauth2AzureADv2
   -> AuthPlugin m
 oauth2AzureADv2 = oauth2AzureADv2Scoped defaultScopes
 
+oauth2AzureADv2Widget
+  :: YesodAuth m => WidgetFor m () -> Text -> Text -> Text -> AuthPlugin m
+oauth2AzureADv2Widget widget =
+  oauth2AzureADv2ScopedWidget widget defaultScopes
+
 oauth2AzureADv2Scoped
+  :: YesodAuth m => [Text] -> Text -> Text -> Text -> AuthPlugin m
+oauth2AzureADv2Scoped =
+  oauth2AzureADv2ScopedWidget [whamlet|Login via #{pluginName}|]
+
+oauth2AzureADv2ScopedWidget
   :: YesodAuth m
-  => [Text]
+  => WidgetFor m ()
+  -- ^ Widget
+  -> [Text]
   -- ^ Scopes
   -> Text
   -- ^ Tenant Id
@@ -54,8 +70,8 @@ oauth2AzureADv2Scoped
   -> Text
   -- ^ Client Secret
   -> AuthPlugin m
-oauth2AzureADv2Scoped scopes tenantId clientId clientSecret =
+oauth2AzureADv2ScopedWidget widget scopes tenantId clientId clientSecret =
-  authOAuth2 pluginName oauth2 $ \manager token -> do
+  authOAuth2Widget widget pluginName oauth2 $ \manager token -> do
     (User userId, userResponse) <-
       authGetProfile
         pluginName
@@ -73,7 +89,7 @@ oauth2AzureADv2Scoped scopes tenantId clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           tenantUrl "/authorize" `withQuery` [scopeParam " " scopes]
       , oauth2TokenEndpoint = tenantUrl "/token"

src/Yesod/Auth/OAuth2/BattleNet.hs

@@ -53,7 +53,7 @@ oauth2BattleNet widget region clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint = fromRelative "https" host "/oauth/authorize"
       , oauth2TokenEndpoint = fromRelative "https" host "/oauth/token"
       , oauth2RedirectUri = Nothing

src/Yesod/Auth/OAuth2/Bitbucket.hs

@@ -55,7 +55,7 @@ oauth2BitbucketScoped scopes clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://bitbucket.com/site/oauth2/authorize"
             `withQuery` [scopeParam "," scopes]

src/Yesod/Auth/OAuth2/ClassLink.hs

@@ -43,7 +43,7 @@ oauth2ClassLinkScoped scopes clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://launchpad.classlink.com/oauth2/v2/auth"
             `withQuery` [scopeParam "," scopes]

src/Yesod/Auth/OAuth2/Dispatch.hs

@@ -6,8 +6,8 @@
 
 module Yesod.Auth.OAuth2.Dispatch
   ( FetchToken
-  , fetchAccessToken
+  , fetchAccessTokenBasic
-  , fetchAccessToken2
+  , fetchAccessTokenPost
   , FetchCreds
   , dispatchAuthRequest
   ) where
@@ -31,10 +31,13 @@ import Yesod.Core hiding (ErrorResponse)
 --
 -- This will be 'fetchAccessToken' or 'fetchAccessToken2'
 type FetchToken =
-  Manager -> OAuth2 -> ExchangeToken -> IO (OAuth2Result Errors OAuth2Token)
+  Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> IO (Either TokenResponseError TokenResponse)
 
 -- | How to take an @'OAuth2Token'@ and retrieve user credentials
-type FetchCreds m = Manager -> OAuth2Token -> IO (Creds m)
+type FetchCreds m = Manager -> TokenResponse -> IO (Creds m)
 
 -- | Dispatch the various OAuth2 handshake routes
 dispatchAuthRequest

src/Yesod/Auth/OAuth2/DispatchError.hs

@@ -16,7 +16,7 @@ module Yesod.Auth.OAuth2.DispatchError
 
 import Control.Monad.Except
 import Data.Text (Text, pack)
-import Network.OAuth.OAuth2.Compat (Errors)
+import Network.OAuth.OAuth2.Compat (TokenResponseError)
 import UnliftIO.Except ()
 import UnliftIO.Exception
 import Yesod.Auth hiding (ServerError)
@@ -30,7 +30,7 @@ data DispatchError
   | InvalidStateToken (Maybe Text) Text
   | InvalidCallbackUri Text
   | OAuth2HandshakeError ErrorResponse
-  | OAuth2ResultError Errors
+  | OAuth2ResultError TokenResponseError
   | FetchCredsIOException IOException
   | FetchCredsYesodOAuth2Exception YesodOAuth2Exception
   | OtherDispatchError Text

src/Yesod/Auth/OAuth2/EveOnline.hs

@@ -76,7 +76,7 @@ oauth2EveScoped scopes widgetType clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://login.eveonline.com/oauth/authorize"
             `withQuery` [("response_type", "code"), scopeParam " " scopes]

src/Yesod/Auth/OAuth2/Exception.hs

@@ -1,5 +1,3 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-
 module Yesod.Auth.OAuth2.Exception
   ( YesodOAuth2Exception (..)
   ) where
@@ -21,6 +19,6 @@ data YesodOAuth2Exception
     --
     -- Plugin name and error message.
     GenericError Text String
-  deriving (Show, Typeable)
+  deriving (Show)
 
 instance Exception YesodOAuth2Exception

src/Yesod/Auth/OAuth2/GitHub.hs

@@ -61,7 +61,7 @@ oauth2GitHubScopedWidget widget scopes clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://github.com/login/oauth/authorize"
             `withQuery` [scopeParam "," scopes]

src/Yesod/Auth/OAuth2/GitLab.hs

@@ -53,7 +53,7 @@ oauth2GitLabHostScopes host scopes clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           host `withPath` "/oauth/authorize" `withQuery` [scopeParam " " scopes]
       , oauth2TokenEndpoint = host `withPath` "/oauth/token"

src/Yesod/Auth/OAuth2/Google.hs

@@ -80,7 +80,7 @@ oauth2GoogleScopedWidget widget scopes clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://accounts.google.com/o/oauth2/auth"
             `withQuery` [scopeParam " " scopes]

src/Yesod/Auth/OAuth2/Nylas.hs

@@ -55,7 +55,7 @@ oauth2Nylas clientId clientSecret =
   oauth =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://api.nylas.com/oauth/authorize"
             `withQuery` [ ("response_type", "code")

src/Yesod/Auth/OAuth2/ORCID.hs

@@ -41,7 +41,7 @@ oauth2ORCID clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://orcid.org/oauth/authorize"
             `withQuery` [scopeParam " " ["openid"]]

src/Yesod/Auth/OAuth2/Prelude.hs

@@ -30,7 +30,12 @@ module Yesod.Auth.OAuth2.Prelude
 
     -- * OAuth2
   , OAuth2 (..)
-  , OAuth2Token (..)
+  , TokenResponse
+  , accessToken
+  , refreshToken
+  , expiresIn
+  , tokenType
+  , idToken
   , AccessToken (..)
   , RefreshToken (..)
 
@@ -78,7 +83,7 @@ authGetProfile
   :: FromJSON a
   => Text
   -> Manager
-  -> OAuth2Token
+  -> TokenResponse
   -> URI
   -> IO (a, BL.ByteString)
 authGetProfile name manager token url = do
@@ -114,7 +119,7 @@ scopeParam d = ("scope",) . encodeUtf8 . T.intercalate d
 -- May set the following keys:
 --
 -- - @refreshToken@: if the provider supports refreshing the @accessToken@
-setExtra :: OAuth2Token -> BL.ByteString -> [(Text, Text)]
+setExtra :: TokenResponse -> BL.ByteString -> [(Text, Text)]
 setExtra token userResponse =
   [ ("accessToken", atoken $ accessToken token)
   , ("userResponse", decodeUtf8 $ BL.toStrict userResponse)

src/Yesod/Auth/OAuth2/Salesforce.hs

@@ -76,7 +76,7 @@ salesforceHelper name profileUri authorizeUri tokenUri scopes clientId clientSec
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint = authorizeUri `withQuery` [scopeParam " " scopes]
       , oauth2TokenEndpoint = tokenUri
       , oauth2RedirectUri = Nothing

src/Yesod/Auth/OAuth2/Slack.hs

@@ -74,7 +74,7 @@ oauth2SlackScoped scopes clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://slack.com/oauth/authorize"
             `withQuery` [scopeParam "," $ map scopeText scopes]

src/Yesod/Auth/OAuth2/Spotify.hs

@@ -37,7 +37,7 @@ oauth2Spotify scopes clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://accounts.spotify.com/authorize"
             `withQuery` [scopeParam " " scopes]

src/Yesod/Auth/OAuth2/Twitch.hs

@@ -49,7 +49,7 @@ oauth2TwitchScoped scopes clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://id.twitch.tv/oauth2/authorize"
             `withQuery` [scopeParam " " scopes]

src/Yesod/Auth/OAuth2/Upcase.hs

@@ -44,7 +44,7 @@ oauth2Upcase clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint = "http://upcase.com/oauth/authorize"
       , oauth2TokenEndpoint = "http://upcase.com/oauth/token"
       , oauth2RedirectUri = Nothing

src/Yesod/Auth/OAuth2/WordPressDotCom.hs

@@ -41,7 +41,7 @@ oauth2WordPressDotCom clientId clientSecret =
   oauth2 =
     OAuth2
       { oauth2ClientId = clientId
-      , oauth2ClientSecret = Just clientSecret
+      , oauth2ClientSecret = clientSecret
       , oauth2AuthorizeEndpoint =
           "https://public-api.wordpress.com/oauth2/authorize"
             `withQuery` [scopeParam "," ["auth"]]

stack-hoauth2-2.0.yaml

@@ -1,4 +0,0 @@
-resolver: lts-18.28
-extra-deps:
-  - crypton-1.0.0
-  - hoauth2-2.0.0

stack-hoauth2-2.0.yaml.lock

@@ -1,26 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-- completed:
-    hackage: hoauth2-2.0.0@sha256:4686d776272d4c57d3c8dbeb9e58b04afe4d2b410382011bd78a3d2bfb08a3fe,5662
-    pantry-tree:
-      sha256: 291b3dd90854ef44f270519ec17e34b6778f8430f6d6517bd67b0128bd549553
-      size: 2171
-  original:
-    hackage: hoauth2-2.0.0
-snapshots:
-- completed:
-    sha256: 428ec8d5ce932190d3cbe266b9eb3c175cd81e984babf876b64019e2cbe4ea68
-    size: 590100
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/18/28.yaml
-  original: lts-18.28

stack-hoauth2-2.2.yaml

@@ -1,4 +0,0 @@
-resolver: nightly-2022-02-25
-extra-deps:
-  - crypton-1.0.0
-  - hoauth2-2.2.0

stack-hoauth2-2.2.yaml.lock

@@ -1,26 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-- completed:
-    hackage: hoauth2-2.2.0@sha256:83a96156717d9e2c93394b35bef4151f82b90dc88b83d0e35c0bf1158bd41c6c,2801
-    pantry-tree:
-      sha256: d6e2d12e0e66eb9392301ec97d50677afb71608568f3664eb466a4451c66ba59
-      size: 593
-  original:
-    hackage: hoauth2-2.2.0
-snapshots:
-- completed:
-    sha256: b18614ab8986a4ba6d469921a2c18decab244af78309effa3d2dab85dbdfef80
-    size: 611886
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/nightly/2022/2/25.yaml
-  original: nightly-2022-02-25

stack-hoauth2-2.3.yaml

@@ -1,4 +0,0 @@
-resolver: nightly-2022-02-25
-extra-deps:
-  - crypton-1.0.0
-  - hoauth2-2.3.0

stack-hoauth2-2.3.yaml.lock

@@ -1,26 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-- completed:
-    hackage: hoauth2-2.3.0@sha256:213744356007a4686ff3bb72105843d478bc0ba6229659429cbe241a99f55095,2816
-    pantry-tree:
-      sha256: e559c811165a2e75cfe649b68396466b3bd0b6a5353a9d6476605e6a40e0eb37
-      size: 594
-  original:
-    hackage: hoauth2-2.3.0
-snapshots:
-- completed:
-    sha256: b18614ab8986a4ba6d469921a2c18decab244af78309effa3d2dab85dbdfef80
-    size: 611886
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/nightly/2022/2/25.yaml
-  original: nightly-2022-02-25

stack-hoauth2-2.6.yaml

@@ -1,7 +0,0 @@
-resolver: nightly-2022-12-09
-extra-deps:
-  - crypton-1.0.0
-  - hoauth2-2.6.0
-allow-newer: true
-allow-newer-deps:
-  - hoauth2 # allow newer memory and text

stack-hoauth2-2.6.yaml.lock

@@ -1,26 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-- completed:
-    hackage: hoauth2-2.6.0@sha256:168321df73bf75dc7cdda8e72725e9f3f624a9776b1fe59ae46c29c45029dc5d,2262
-    pantry-tree:
-      sha256: 5d39759b171cfaaf5842069a5548c2c1a41c0978645d018da7df713a186192b5
-      size: 859
-  original:
-    hackage: hoauth2-2.6.0
-snapshots:
-- completed:
-    sha256: b77e2c2b7988ed34cd317c01eb1958a8b8c234c3cc17e44077616c212959bed0
-    size: 558756
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/nightly/2022/12/9.yaml
-  original: nightly-2022-12-09

stack-lts-16.31.yaml

@@ -1,3 +0,0 @@
-resolver: lts-16.31
-extra-deps:
-  - crypton-1.0.0

stack-lts-16.31.yaml.lock

@@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-snapshots:
-- completed:
-    sha256: 637fb77049b25560622a224845b7acfe81a09fdb6a96a3c75997a10b651667f6
-    size: 534126
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/16/31.yaml
-  original: lts-16.31

stack-lts-18.28.yaml

@@ -1,3 +0,0 @@
-resolver: lts-18.28
-extra-deps:
-  - crypton-1.0.0

stack-lts-18.28.yaml.lock

@@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-snapshots:
-- completed:
-    sha256: 428ec8d5ce932190d3cbe266b9eb3c175cd81e984babf876b64019e2cbe4ea68
-    size: 590100
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/18/28.yaml
-  original: lts-18.28

stack-lts-19.33.yaml

@@ -1,3 +0,0 @@
-resolver: lts-19.33
-extra-deps:
-  - crypton-1.0.0

stack-lts-19.33.yaml.lock

@@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-snapshots:
-- completed:
-    sha256: 6d1532d40621957a25bad5195bfca7938e8a06d923c91bc52aa0f3c41181f2d4
-    size: 619204
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/19/33.yaml
-  original: lts-19.33

stack-lts-20.26.yaml

@@ -1,3 +0,0 @@
-resolver: lts-20.26
-extra-deps:
-  - crypton-1.0.0

stack-lts-20.26.yaml.lock

@@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: crypton-1.0.0@sha256:637e58581978c84ef1288d14fa9cac1d2905ef60e319924293bc11250aca882d,14527
-    pantry-tree:
-      sha256: 4b5e5511567c0fe735a224cb8b2b278e1caa79344f2940d030d169e69b1b81e1
-      size: 23275
-  original:
-    hackage: crypton-1.0.0
-snapshots:
-- completed:
-    sha256: 5a59b2a405b3aba3c00188453be172b85893cab8ebc352b1ef58b0eae5d248a2
-    size: 650475
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/20/26.yaml
-  original: lts-20.26

stack-lts-21.25.yaml.lock

@@ -1,12 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages: []
-snapshots:
-- completed:
-    sha256: a81fb3877c4f9031e1325eb3935122e608d80715dc16b586eb11ddbff8671ecd
-    size: 640086
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/21/25.yaml
-  original: lts-21.25

stack-lts22.yaml

@@ -0,0 +1 @@
+resolver: lts-22.44

stack-lts23.yaml

@@ -0,0 +1 @@
+resolver: lts-23.28

stack-lts24.yaml

@@ -0,0 +1 @@
+resolver: lts-24.26

stack-nightly.yaml

@@ -1,12 +1,4 @@
-resolver: nightly-2024-02-27
+resolver: nightly-2026-01-05
 extra-deps:
-  - yesod-auth-1.6.11.2
+  - cryptonite-0.30
-
+  - yesod-auth-1.6.11.3
-  # For yesod-auth
-  - email-validate-2.3.2.19
-  - yesod-form-1.7.6
-  - yesod-1.6.2.1
-
-allow-newer: true
-allow-newer-deps:
-  - email-validate

stack-nightly.yaml.lock

@@ -1,40 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
-- completed:
-    hackage: yesod-auth-1.6.11.2@sha256:c580afaccc311ad90fc8a90210b5cf998d95350ddffb622e45282d9b640cf519,3108
-    pantry-tree:
-      sha256: 58e36ca675fc01109915342d4df9cb2680fd37ff20919d84694cdd1d52eb7dc3
-      size: 1013
-  original:
-    hackage: yesod-auth-1.6.11.2
-- completed:
-    hackage: email-validate-2.3.2.19@sha256:206a835fe99a79f2360c576e3594d8add82d2f1e001d58b49a60f60233da2bf5,1380
-    pantry-tree:
-      sha256: 391475ca7c84d59b1d8de362856acd2f56321d29d54ffcd05ed2a170d4e62692
-      size: 419
-  original:
-    hackage: email-validate-2.3.2.19
-- completed:
-    hackage: yesod-form-1.7.6@sha256:42219f2c4feaa2de32280c0b8f98db818f993152693a79960808fd3001a4c0e2,3434
-    pantry-tree:
-      sha256: 8a48fc861796a61cf6abd2087fedd86844ba5c3e11c89c74d2d04c4656d69997
-      size: 1797
-  original:
-    hackage: yesod-form-1.7.6
-- completed:
-    hackage: yesod-1.6.2.1@sha256:504bc888257dae9bb40f4cd1e1110c4e80dfe7b867e8e207b22c4ca4dbd87f9a,2030
-    pantry-tree:
-      sha256: 5a78fa0c6e7dcb46c9acd687ab9409c8fcda0d59b930e2a93e5dc44128c740ec
-      size: 618
-  original:
-    hackage: yesod-1.6.2.1
-snapshots:
-- completed:
-    sha256: e596f5467d31095fd7b9f750e82aeffe012e38e795c13e1cdc945c9cab928085
-    size: 604415
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/nightly/2024/2/27.yaml
-  original: nightly-2024-02-27

stack.yaml

@@ -1 +0,0 @@
-resolver: lts-22.12

stack.yaml

@@ -0,0 +1 @@
+stack-lts24.yaml

stack.yaml.lock

@@ -1,12 +1,12 @@
 # This file was autogenerated by Stack.
 # You should not edit this file by hand.
 # For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
+#   https://docs.haskellstack.org/en/stable/topics/lock_files
 
 packages: []
 snapshots:
 - completed:
-    sha256: e2c529ccfb21501f98f639e056cbde50470b86256d9849d7a82d414ca23e4276
+    sha256: d90eb1418667a225998b173817300e5ae2e1500ed03c0a9457cc2a0e78a0122a
-    size: 712898
+    size: 726337
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/22/12.yaml
+    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/24/26.yaml
-  original: lts-22.12
+  original: lts-24.26

yesod-auth-oauth2.cabal

@@ -1,13 +1,13 @@
 cabal-version: 1.18
 
--- This file has been generated from package.yaml by hpack version 0.36.0.
+-- This file has been generated from package.yaml by hpack version 0.38.1.
 --
 -- see: https://github.com/sol/hpack
 --
--- hash: 148c53a7824b23fa36ce45e0641e643edec0da339f201937f076327d06b2054a
+-- hash: d595b9569ed34feddc8c41cf6f1f8cabbd8a37fa14b6afeeb24ad651ca689011
 
 name:           yesod-auth-oauth2
-version:        0.7.3.0
+version:        0.8.0.0
 synopsis:       OAuth 2.0 authentication plugins
 description:    Library to authenticate with OAuth 2.0 for Yesod web applications.
 category:       Web
@@ -74,7 +74,7 @@ library
     , bytestring >=0.9.1.4
     , crypton
     , errors
-    , hoauth2 >=1.11.0
+    , hoauth2 >=2.8.0
     , http-client >=0.4.0
     , http-conduit >=2.0
     , http-types >=0.8