Fix STACK_YAML in release

We removed some resolvers, so we need to update the minimum that's used here.
Remove .github/workflows/add-asana-comment.yml
2026-01-11 19:58:28 +01:00 · 2026-01-07 12:22:51 -05:00 · 2026-01-06 17:02:42 -05:00 · 2026-01-06 16:47:57 -05:00 · 2026-01-06 16:47:57 -05:00 · 2025-10-15 11:17:18 -04:00
60 changed files with 1965 additions and 1071 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -1,45 +0,0 @@
-version: 2.1
-
-orbs:
-  stack-build: pbrisbin/stack-build@2.0.0
-
-defaults: &defaults
-  hlint-yaml-url:
-    https://raw.githubusercontent.com/pbrisbin/dotfiles/master/hlint.yaml
-  stack-arguments: --flag yesod-auth-oauth2:example
-  weeder: false
-
-workflows:
-  commit:
-    jobs:
-      - stack-build/build-test-lint:
-          <<: *defaults
-          name: "default"
-      - stack-build/build-test-lint:
-          <<: *defaults
-          name: "ghc-8.6.3 / lts-13.2"
-          stack-yaml: stack-lts-13.2.yaml
-      - stack-build/build-test-lint:
-          <<: *defaults
-          name: "ghc-8.8.3 / lts-16.10"
-          stack-yaml: stack-lts-16.10.yaml
-
-  # nightly is broken due to persistent/persistent-template situation
-  # https://app.circleci.com/pipelines/github/thoughtbot/yesod-auth-oauth2/172/workflows/1b5d2999-369d-411b-837d-9ccae4f4cede/jobs/1273
-
-      # - stack-build/build-test-nightly:
-      #     name: "nightly"
-      #     stack-yaml: stack-nightly.yaml
-
-  # nightly:
-  #   triggers:
-  #     - schedule:
-  #         cron: "0 0 * * *"
-  #         filters:
-  #           branches:
-  #             only:
-  #               - master
-  #   jobs:
-  #     - stack-build/build-test-nightly:
-  #         name: "nightly"
-  #         stack-yaml: stack-nightly.yaml
--- a/.env.example
+++ b/.env.example
@ -1,3 +1,4 @@
+# shellcheck disable=SC2034
 #
 # Copy this file to .env and update the credentials for the providers you are
 # trying to test. These variables must all have non-empty values for the
@ -5,15 +6,27 @@
 # you plan to try.
 #
 ###
+
+AUTH0_HOST=x
+AUTH0_CLIENT_ID=x
+AUTH0_CLIENT_SECRET=x
+
 AZURE_AD_CLIENT_ID=x
 AZURE_AD_CLIENT_SECRET=x

+AZURE_ADV2_TENANT_ID=x
+AZURE_ADV2_CLIENT_ID=x
+AZURE_ADV2_CLIENT_SECRET=x
+
 BATTLE_NET_CLIENT_ID=x
 BATTLE_NET_CLIENT_SECRET=x

 BITBUCKET_CLIENT_ID=x
 BITBUCKET_CLIENT_SECRET=x

+CLASSLINK_CLIENT_ID=x
+CLASSLINK_CLIENT_SECRET=x
+
 EVE_ONLINE_CLIENT_ID=x
 EVE_ONLINE_CLIENT_SECRET=x

@ -38,6 +51,9 @@ SLACK_CLIENT_SECRET=x
 SPOTIFY_CLIENT_ID=x
 SPOTIFY_CLIENT_SECRET=x

+TWITCH_CLIENT_ID=x
+TWITCH_CLIENT_SECRET=x
+
 UPCASE_CLIENT_ID=x
 UPCASE_CLIENT_SECRET=x

--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -0,0 +1 @@
+* @freckle/backenders
--- a/.github/workflows/add-asana-comment.yml.bak
+++ b/.github/workflows/add-asana-comment.yml.bak
@ -0,0 +1,16 @@
+name: Asana
+
+on:
+  pull_request:
+    types: [opened]
+
+jobs:
+  link-asana-task:
+    if: ${{ github.actor != 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: Asana/create-app-attachment-github-action@v1.3
+        id: postAttachment
+        with:
+          asana-secret: ${{ secrets.ASANA_API_ACCESS_KEY }}
+      - run: echo "Status is ${{ steps.postAttachment.outputs.status }}"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,49 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  generate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - id: generate
+        uses: freckle/stack-action/generate-matrix@v5
+    outputs:
+      stack-yamls: ${{ steps.generate.outputs.stack-yamls }}
+
+  test:
+    needs: generate
+    strategy:
+      matrix:
+        stack-yaml: ${{ fromJSON(needs.generate.outputs.stack-yamls) }}
+      fail-fast: false
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v5
+      - uses: freckle/stack-action@v5
+        with:
+          stack-build-arguments: --flag yesod-auth-oauth2:example
+        env:
+          STACK_YAML: ${{ matrix.stack-yaml }}
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: haskell-actions/hlint-setup@v2
+      - uses: haskell-actions/hlint-run@v2
+        with:
+          fail-on: warning
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,22 @@
+name: Release
+
+on:
+  push:
+    branches: main
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - id: tag
+        uses: freckle/haskell-tag-action@v1
+
+      - if: steps.tag.outputs.tag
+        run: stack upload --pvp-bounds lower .
+        env:
+          HACKAGE_KEY: ${{ secrets.HACKAGE_UPLOAD_API_KEY }}
+
+          # Use minimum LTS to set lowest lower bounds
+          STACK_YAML: stack-lts21.yaml
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,5 @@
-*.cabal
 .stack-work
+TAGS

 # OAuth keys configuration for the example
 .env*
--- a/.restyled.yaml
+++ b/.restyled.yaml
@ -0,0 +1,4 @@
+restylers:
+  - fourmolu
+  - "!stylish-haskell"
+  - "*"
--- a/.stack-all
+++ b/.stack-all
@ -0,0 +1,2 @@
+[versions]
+oldest = lts-21
--- a/.stylish-haskell.yaml
+++ b/.stylish-haskell.yaml
@ -1,21 +0,0 @@
-steps:
-  - simple_align:
-      cases: false
-      top_level_patterns: false
-      records: false
-  - imports:
-      align: none
-      list_align: after_alias
-      pad_module_names: false
-      long_list_align: new_line_multiline
-      empty_list_align: right_after
-      list_padding: 4
-      separate_lists: false
-      space_surround: false
-  - language_pragmas:
-      style: vertical
-      align: false
-      remove_redundant: true
-  - trailing_whitespace: {}
-columns: 80
-newline: native
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,123 @@
-## [*Unreleased*](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.1.5...master)
+## [_Unreleased_](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.8.0.0...main)

-None
+## [v0.8.0.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.4.0...v0.8.0.0)
+
+- Drop support for GHC < 9.4 and hoauth2 < 2.8
+- Add support for GHC 9.12 and hoauth2-2.15
+- To align our interfaces with hoauth2-2.15:
+  - Make `OAuth2 {clientSecret}` non-`Maybe`
+  - Replace `OAuthToken` with `TokenResponse`
+  - Replace `Errors` with `TokenResponseError`
+  - Replace `fetchAccessToken{,2}` with `fetchAccessToken{Basic,Post}`
+
+While technically a major version bump, this change should only affect those
+users that maintain their own plugins.
+
+## [v0.7.4.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.3.0...v0.7.4.0)
+
+- Add `oauth2AzureADv2Widget` and `oauth2AzureADv2ScopedWidget`
+
+## [v0.7.3.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.2.0...v0.7.3.0)
+
+- Add ORCID provider
+- Drop support for LTS-12 / GHC-8.6
+- Replace `cryptonite` with `crypton`
+
+## [v0.7.2.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.3...v0.7.2.0)
+
+- Add `oauth2GitHubWidget` and `oauth2GitHubScopedWidget`
+  [@jaanisfehling](https://github.com/freckle/yesod-auth-oauth2/pull/181)
+
+## [v0.7.1.3](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.2...v0.7.1.3)
+
+- Add support (with caveats) for relative approots
+  [@cptrodolfox](https://github.com/freckle/yesod-auth-oauth2/pull/178)
+
+## [v0.7.1.2](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.1...v0.7.1.2)
+
+- Support `hoauth2-2.9`.
+
+## [v0.7.1.1](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.1.0...v0.7.1.1)
+
+- Support `mtl-2.3`, which no longer re-exports `Control.Monad`
+
+## [v0.7.1.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.0.3...v0.7.1.0)
+
+- Add `AzureADv2` provider
+
+## [v0.7.0.3](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.0.2...v0.7.0.3)
+
+- Support `hoauth-2.7`. This change is only breaking in the unlikely case of users
+  using something other than `fetchAccessToken` or `fetchAccessToken2`
+
+## [v0.7.0.2](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.0.1...v0.7.0.2)
+
+- Add Auth0 provider ([@hw202207](https://github.com/freckle/yesod-auth-oauth2/pull/162))
+
+## [v0.7.0.1](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.7.0.0...v0.7.0.1)
+
+- Support `hoauth-2.2` and `2.3`
+
+## [v0.7.0.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.3.4...v0.7.0.0)
+
+- Support `hoauth2-2.0`
+
+  The `OAuth2` type's fields have changed. If you are not defining your own
+  Local Providers (i.e. you're not constructing any `OAuth2` values) you should
+  not be affected by this change. If you are, you should update to the [new
+  field names][oauth2].
+
+  [oauth2]: https://hackage.haskell.org/package/hoauth2-2.0.0/docs/Network-OAuth-OAuth2-Internal.html#t:OAuth2
+
+## [v0.6.3.4](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.3.1...v0.6.3.4)
+
+- Remove dependencies upper bounds
+
+## [v0.6.3.1](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.3.0...v0.6.3.1)
+
+- Relax dependencies bounds
+
+## [v0.6.3.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.2.3...v0.6.3.0)
+
+- Expose `onDispatchError` and generic `OtherDispatchError` for passthrough log
+- Don't throw exceptions; handle all errors through the set-message-redirect
+  path
+- Respect `onErrorHtml` for said error-handling
+- Support custom widget in Google plugin
+  [@jmorag](https://github.com/freckle/yesod-auth-oauth2/pull/149)
+
+## [v0.6.2.3](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.2.2...v0.6.2.3)
+
+- Allow bytestring-0.11 and cryptonite 0.28
+- Test with GHC 8.10 on CI
+
+## [v0.6.2.2](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.2.1...v0.6.2.2)
+
+- Consistent dependencies bounds in all targets
+
+## [v0.6.2.1](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.2.0...v0.6.2.1)
+
+- Adjust lower bounds on cryptonite
+
+## [v0.6.2.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.1.7...v0.6.2.0)
+
+- Filter `+` from `state` tokens
+
+  This decreases entropy in the token slightly, but ensures that providers
+  performing unexpected +/space/%20 encoding (e.g. ClassLink) still function.
+
+  See [#140](https://github.com/thoughtbot/yesod-auth-oauth2/pull/140).
+
+- Add ClassLink provider
+
+## [v0.6.1.7](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.1.6...v0.6.1.7)
+
+- Relax upper bounds on `hoauth2` and `http-client`
+
+## [v0.6.1.6](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.1.5...v0.6.1.6)
+
+- Revert back to Authorization-header-only `fetchAccessToken` function
+- Add `authOAuth2'` and `authOAuth2Widget'`, which use `fetchAccessToken2`

 ## [v0.6.1.5](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.6.1.4...v0.6.1.5)

@ -110,7 +227,8 @@ None

 ## [v0.2.0](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.1.10...v0.2.0)

- NEW: Slack provider ([@jsteiner](https://github.com/thoughtbot/yesod-auth-oauth2/commit/aad8bd88eabf9fcf368d044e7003e5d323985837))
+- NEW: Slack provider
+  ([@jsteiner](https://github.com/thoughtbot/yesod-auth-oauth2/commit/aad8bd88eabf9fcf368d044e7003e5d323985837))

 ## [v0.1.10](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.1.9...v0.1.10)

@ -118,11 +236,13 @@ None

 ## [v0.1.9](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.1.8...v0.1.9)

- COMPATIBILITY: Allow `transformers-0.5` ([@paul-rouse](https://github.com/thoughtbot/yesod-auth-oauth2/commit/120104b5348808f72877962c329a998434addace))
+- COMPATIBILITY: Allow `transformers-0.5`
+  ([@paul-rouse](https://github.com/thoughtbot/yesod-auth-oauth2/commit/120104b5348808f72877962c329a998434addace))

 ## [v0.1.8](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.1.7...v0.1.8)

- COMPATIBILITY: Allow `aeson-0.11` ([@k-bx](https://github.com/thoughtbot/yesod-auth-oauth2/commit/6e940b19e2d56080c7a749aeb29e143a17dad65c))
+- COMPATIBILITY: Allow `aeson-0.11`
+  ([@k-bx](https://github.com/thoughtbot/yesod-auth-oauth2/commit/6e940b19e2d56080c7a749aeb29e143a17dad65c))

 ## [v0.1.7](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.1.6...v0.1.7)

@ -132,7 +252,8 @@ None

 ## [v0.1.6](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.1.5...v0.1.6)

- NEW: Nicer error message on invalid `code` ([@silky](https://github.com/thoughtbot/yesod-auth-oauth2/commit/7354c36e1326d298e543fa65cf226153ed4a8a0b))
+- NEW: Nicer error message on invalid `code`
+  ([@silky](https://github.com/thoughtbot/yesod-auth-oauth2/commit/7354c36e1326d298e543fa65cf226153ed4a8a0b))

 ## [v0.1.5](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.1.4...v0.1.5)

@ -144,12 +265,15 @@ None

 ## [v0.1.3](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.1.2...v0.1.3)

- NEW: EveOnline provider ([@Drezil](https://github.com/thoughtbot/yesod-auth-oauth2/pull/33))
- NEW: Nylas provider ([@bts](https://github.com/thoughtbot/yesod-auth-oauth2/commit/815d44346403af0052a48aa844f506211bdc2863))
+- NEW: EveOnline provider
+  ([@Drezil](https://github.com/thoughtbot/yesod-auth-oauth2/pull/33))
+- NEW: Nylas provider
+  ([@bts](https://github.com/thoughtbot/yesod-auth-oauth2/commit/815d44346403af0052a48aa844f506211bdc2863))

 ## [v0.1.2](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.1.1...v0.1.2)

- NEW: A more different Google provider ([@ssaavedra](https://github.com/thoughtbot/yesod-auth-oauth2/pull/32))
+- NEW: A more different Google provider
+  ([@ssaavedra](https://github.com/thoughtbot/yesod-auth-oauth2/pull/32))

 ## [v0.1.1](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.1.0...v0.1.1)

@ -164,31 +288,38 @@ None

 ## [v0.0.12](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.0.11...v0.0.12)

- COMPATIBILITY: Allow `transformers-0.4` ([@snoyberg](https://github.com/thoughtbot/yesod-auth-oauth2/pull/21))
+- COMPATIBILITY: Allow `transformers-0.4`
+  ([@snoyberg](https://github.com/thoughtbot/yesod-auth-oauth2/pull/21))

 ## [v0.0.11](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.0.10...v0.0.11)

- COMPATIBILITY: Allow `aeson-0.8` ([@gfontenot](https://github.com/thoughtbot/yesod-auth-oauth2/pull/15))
+- COMPATIBILITY: Allow `aeson-0.8`
+  ([@gfontenot](https://github.com/thoughtbot/yesod-auth-oauth2/pull/15))

 ## [v0.0.10](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.0.9...v0.0.10)

- COMPATIBILITY: Allow Yesod 1.4 ([@gregwebs](https://github.com/thoughtbot/yesod-auth-oauth2/pull/14))
+- COMPATIBILITY: Allow Yesod 1.4
+  ([@gregwebs](https://github.com/thoughtbot/yesod-auth-oauth2/pull/14))

 ## [v0.0.9](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.0.8...v0.0.9)

- NEW: Spotify ([@benekastah](https://github.com/thoughtbot/yesod-auth-oauth2/pull/13))
+- NEW: Spotify
+  ([@benekastah](https://github.com/thoughtbot/yesod-auth-oauth2/pull/13))

 ## [v0.0.8](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.0.7...v0.0.8)

- FIX: Username may be missing in GitHub responses ([@skade](https://github.com/thoughtbot/yesod-auth-oauth2/pull/12))
+- FIX: Username may be missing in GitHub responses
+  ([@skade](https://github.com/thoughtbot/yesod-auth-oauth2/pull/12))

 ## [v0.0.7](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.0.6...v0.0.7)

- NEW: Scope support in GitHub provider ([@skade](https://github.com/thoughtbot/yesod-auth-oauth2/pull/11))
+- NEW: Scope support in GitHub provider
+  ([@skade](https://github.com/thoughtbot/yesod-auth-oauth2/pull/11))

 ## [v0.0.6](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.0.5.1...v0.0.6)

- NEW: GitHub provider ([@freiric](https://github.com/thoughtbot/yesod-auth-oauth2/pull/10))
+- NEW: GitHub provider
+  ([@freiric](https://github.com/thoughtbot/yesod-auth-oauth2/pull/10))
 - COMPATIBILITY: flag-driven `network`/`network-uri` dependency

 ## [v0.0.5.1](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.0.5...v0.0.5.1)
@ -197,8 +328,10 @@ None

 ## [v0.0.5](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.0.4...v0.0.5)

- COMPATIBILITY: Allow `yesod-core-1.3` and target `yesod-auth-1.3` ([@maxcan](https://github.com/thoughtbot/yesod-auth-oauth2/pull/7))
- COMPATIBILITY: Target `haouth2-0.4` ([@katyo](https://github.com/thoughtbot/yesod-auth-oauth2/pull/9))
+- COMPATIBILITY: Allow `yesod-core-1.3` and target `yesod-auth-1.3`
+  ([@maxcan](https://github.com/thoughtbot/yesod-auth-oauth2/pull/7))
+- COMPATIBILITY: Target `haouth2-0.4`
+  ([@katyo](https://github.com/thoughtbot/yesod-auth-oauth2/pull/9))

 ## [v0.0.4](https://github.com/thoughtbot/yesod-auth-oauth2/compare/v0.0.3...v0.0.4)

--- a/27
+++ b/27
@ -1,18 +1,21 @@
-Copyright 2018 Patrick Brisbin
+The MIT License (MIT)

-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
+Copyright (c) 2021 Renaissance Learning Inc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:

 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.

 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/9
+++ b/9
@ -6,7 +6,7 @@ setup:

 .PHONY: setup.lint
 setup.lint:
-	stack install --copy-compiler-tool hlint weeder
+	stack install --copy-compiler-tool hlint

 .PHONY: setup.tools
 setup.tools:
@ -40,15 +40,14 @@ watch:
 .PHONY: lint
 lint:
 	stack exec hlint src test
-	stack exec weeder .

 .PHONY: nightly
 nightly:
-	stack setup --stack-yaml stack-nightly.yaml --resolver nightly
-	stack build --stack-yaml stack-nightly.yaml --resolver nightly \
+	stack setup --resolver nightly
+	stack build --resolver nightly \
 	  --test --no-run-tests --bench --no-run-benchmarks \
 	  --dependencies-only
-	stack build --stack-yaml stack-nightly.yaml --resolver nightly \
+	stack build --resolver nightly \
 	  --test --no-run-tests --bench --no-run-benchmarks \
 	  --fast --pedantic

--- a/README.md
+++ b/README.md
@ -1,5 +1,10 @@
 # Yesod.Auth.OAuth2

+[![Hackage](https://img.shields.io/hackage/v/yesod-auth-oauth2.svg?style=flat)](https://hackage.haskell.org/package/yesod-auth-oauth2)
+[![Stackage Nightly](http://stackage.org/package/yesod-auth-oauth2/badge/nightly)](http://stackage.org/nightly/package/yesod-auth-oauth2)
+[![Stackage LTS](http://stackage.org/package/yesod-auth-oauth2/badge/lts)](http://stackage.org/lts/package/yesod-auth-oauth2)
+[![CI](https://github.com/freckle/yesod-auth-oauth2/actions/workflows/ci.yml/badge.svg)](https://github.com/pbrisbin/freckle/yesod-auth-oauth2/workflows/ci.yml)
+
 OAuth2 `AuthPlugin`s for Yesod.

 ## Usage
@ -91,11 +96,11 @@ oauth2MySite clientId clientSecret =
            }
  where
    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint = "https://mysite.com/oauth/authorize"
-        , oauthAccessTokenEndpoint = "https://mysite.com/oauth/token"
-        , oauthCallback = Nothing
+        { oauth2ClientId = clientId
+        , oauth2ClientSecret = Just clientSecret
+        , oauth2AuthorizeEndpoint = "https://mysite.com/oauth/authorize"
+        , oauth2TokenEndpoint = "https://mysite.com/oauth/token"
+        , oauth2RedirectUri = Nothing
        }
 ```

@ -112,6 +117,26 @@ stack build --pedantic --test

 Please also run HLint and Weeder before submitting PRs.

+## Example
+
+This project includes an executable that runs a server with (almost) all
+supported providers present.
+
+To use:
+
+1. `cp .env.example .env` and edit in secrets for providers you wish to test
+
+   Be sure to include `http://localhost:3000/auth/page/{plugin}/callback` as a
+   valid Redirect URI when configuring the OAuth application.
+
+2. Build with the example: `stack build ... --flag yesod-auth-oauth2:example`
+3. Run the example `stack exec yesod-auth-oauth2-example`
+4. Visit the example: `$BROWSER http://localhost:3000`
+5. Click the log-in link for the provider you configured
+
+If successful, you will be presented with a page that shows the credential and
+User response value.
+
 ---

 [CHANGELOG](./CHANGELOG.md) | [LICENSE](./LICENSE)
--- a/example/Main.hs
+++ b/example/Main.hs
@ -6,19 +6,6 @@
 {-# LANGUAGE TypeApplications #-}
 {-# LANGUAGE TypeFamilies #-}

-- |
--
-- This single-file Yesod app uses all plugins defined within this site, as a
-- means of manual verification that they work. When adding a new plugin, add
-- usage of it here and verify locally that it works.
--
-- To do so, see @.env.example@, then:
--
-- > stack build --flag yesod-auth-oauth2:example
-- > stack exec yesod-auth-oauth2-example
-- >
-- > $BROWSER http://localhost:3000
--
 module Main where

 import Data.Aeson
@ -26,7 +13,8 @@ import Data.Aeson.Encode.Pretty
 import Data.ByteString.Lazy (fromStrict, toStrict)
 import qualified Data.Map as M
 import Data.Maybe (fromJust)
-import Data.Text (Text)
+import Data.String (IsString (fromString))
+import Data.Text (Text, pack)
 import qualified Data.Text as T
 import Data.Text.Encoding (decodeUtf8)
 import LoadEnv
@ -35,77 +23,84 @@ import Network.Wai.Handler.Warp (runEnv)
 import System.Environment (getEnv)
 import Yesod
 import Yesod.Auth
+import Yesod.Auth.OAuth2.Auth0
 import Yesod.Auth.OAuth2.AzureAD
+import Yesod.Auth.OAuth2.AzureADv2
 import Yesod.Auth.OAuth2.BattleNet
 import Yesod.Auth.OAuth2.Bitbucket
+import Yesod.Auth.OAuth2.ClassLink
 import Yesod.Auth.OAuth2.EveOnline
 import Yesod.Auth.OAuth2.GitHub
 import Yesod.Auth.OAuth2.GitLab
 import Yesod.Auth.OAuth2.Google
 import Yesod.Auth.OAuth2.Nylas
+import Yesod.Auth.OAuth2.ORCID
 import Yesod.Auth.OAuth2.Salesforce
 import Yesod.Auth.OAuth2.Slack
 import Yesod.Auth.OAuth2.Spotify
-import Yesod.Auth.OAuth2.WordPressDotCom
+import Yesod.Auth.OAuth2.Twitch
 import Yesod.Auth.OAuth2.Upcase
+import Yesod.Auth.OAuth2.WordPressDotCom

 data App = App
-    { appHttpManager :: Manager
-    , appAuthPlugins :: [AuthPlugin App]
-    }
+  { appHttpManager :: Manager
+  , appAuthPlugins :: [AuthPlugin App]
+  }

-mkYesod "App" [parseRoutes|
+mkYesod
+  "App"
+  [parseRoutes|
    / RootR GET
    /auth AuthR Auth getAuth
 |]

 instance Yesod App where
-    -- see https://github.com/thoughtbot/yesod-auth-oauth2/issues/87
-    approot = ApprootStatic "http://localhost:3000"
+  -- see https://github.com/thoughtbot/yesod-auth-oauth2/issues/87
+  approot = ApprootStatic "http://localhost:3000"

 instance YesodAuth App where
-    type AuthId App = Text
-    loginDest _ = RootR
-    logoutDest _ = RootR
+  type AuthId App = Text
+  loginDest _ = RootR
+  logoutDest _ = RootR

-    -- Disable any attempt to read persisted authenticated state
-    maybeAuthId = return Nothing
+  -- Disable any attempt to read persisted authenticated state
+  maybeAuthId = return Nothing

-    -- Copy the Creds response into the session for viewing after
-    authenticate c = do
-        mapM_ (uncurry setSession) $
-            [ ("credsIdent", credsIdent c)
-            , ("credsPlugin", credsPlugin c)
-            ] ++ credsExtra c
+  -- Copy the Creds response into the session for viewing after
+  authenticate c = do
+    mapM_ (uncurry setSession) $
+      [("credsIdent", credsIdent c), ("credsPlugin", credsPlugin c)]
+        ++ credsExtra c

-        return $ Authenticated "1"
+    return $ Authenticated "1"

-    authPlugins = appAuthPlugins
+  authPlugins = appAuthPlugins

 instance RenderMessage App FormMessage where
-    renderMessage _ _ = defaultFormMessage
+  renderMessage _ _ = defaultFormMessage

 -- brittany-disable-next-binding

 getRootR :: Handler Html
 getRootR = do
-    sess <- getSession
+  sess <- getSession

-    let
-        prettify
-            = decodeUtf8
-            . toStrict
-            . encodePretty
-            . fromJust
-            . decode @Value
-            . fromStrict
+  let
+    prettify =
+      decodeUtf8
+        . toStrict
+        . encodePretty
+        . fromJust
+        . decode @Value
+        . fromStrict

-        mCredsIdent = decodeUtf8 <$> M.lookup "credsIdent" sess
-        mCredsPlugin = decodeUtf8 <$> M.lookup "credsPlugin" sess
-        mAccessToken = decodeUtf8 <$> M.lookup "accessToken" sess
-        mUserResponse = prettify <$> M.lookup "userResponse" sess
+    mCredsIdent = decodeUtf8 <$> M.lookup "credsIdent" sess
+    mCredsPlugin = decodeUtf8 <$> M.lookup "credsPlugin" sess
+    mAccessToken = decodeUtf8 <$> M.lookup "accessToken" sess
+    mUserResponse = prettify <$> M.lookup "userResponse" sess

-    defaultLayout [whamlet|
+  defaultLayout
+    [whamlet|
        <h1>Yesod Auth OAuth2 Example
        <h2>
            <a href=@{AuthR LoginR}>Log in
@ -126,36 +121,45 @@ getRootR = do

 mkFoundation :: IO App
 mkFoundation = do
-    loadEnv
+  loadEnv

-    appHttpManager <- newManager tlsManagerSettings
-    appAuthPlugins <- sequence
-        -- When Providers are added, add them here and update .env.example.
-        -- Nothing else should need changing.
-        --
-        -- FIXME: oauth2BattleNet is quite annoying!
-        --
-        [ loadPlugin oauth2AzureAD "AZURE_AD"
-        , loadPlugin (oauth2BattleNet [whamlet|TODO|] "en") "BATTLE_NET"
-        , loadPlugin oauth2Bitbucket "BITBUCKET"
-        , loadPlugin (oauth2Eve Plain) "EVE_ONLINE"
-        , loadPlugin oauth2GitHub "GITHUB"
-        , loadPlugin oauth2GitLab "GITLAB"
-        , loadPlugin oauth2Google "GOOGLE"
-        , loadPlugin oauth2Nylas "NYLAS"
-        , loadPlugin oauth2Salesforce "SALES_FORCE"
-        , loadPlugin oauth2Slack "SLACK"
-        , loadPlugin (oauth2Spotify []) "SPOTIFY"
-        , loadPlugin oauth2WordPressDotCom "WORDPRESS_DOT_COM"
-        , loadPlugin oauth2Upcase "UPCASE"
-        ]
+  auth0Host <- getEnv "AUTH0_HOST"
+  azureTenant <- getEnv "AZURE_ADV2_TENANT_ID"

-    return App {..}
-  where
-    loadPlugin f prefix = do
-        clientId <- getEnv $ prefix <> "_CLIENT_ID"
-        clientSecret <- getEnv $ prefix <> "_CLIENT_SECRET"
-        pure $ f (T.pack clientId) (T.pack clientSecret)
+  appHttpManager <- newManager tlsManagerSettings
+  appAuthPlugins <-
+    sequence
+      -- When Providers are added, add them here and update .env.example.
+      -- Nothing else should need changing.
+      --
+      -- FIXME: oauth2BattleNet is quite annoying!
+      --
+      [ loadPlugin oauth2AzureAD "AZURE_AD"
+      , loadPlugin (oauth2AzureADv2 $ pack azureTenant) "AZURE_ADV2"
+      , loadPlugin (oauth2Auth0Host $ fromString auth0Host) "AUTH0"
+      , loadPlugin (oauth2BattleNet [whamlet|TODO|] "en") "BATTLE_NET"
+      , loadPlugin oauth2Bitbucket "BITBUCKET"
+      , loadPlugin oauth2ClassLink "CLASSLINK"
+      , loadPlugin (oauth2Eve Plain) "EVE_ONLINE"
+      , loadPlugin oauth2GitHub "GITHUB"
+      , loadPlugin oauth2GitLab "GITLAB"
+      , loadPlugin oauth2Google "GOOGLE"
+      , loadPlugin oauth2Nylas "NYLAS"
+      , loadPlugin oauth2Salesforce "SALES_FORCE"
+      , loadPlugin oauth2Slack "SLACK"
+      , loadPlugin (oauth2Spotify []) "SPOTIFY"
+      , loadPlugin oauth2Twitch "TWITCH"
+      , loadPlugin oauth2WordPressDotCom "WORDPRESS_DOT_COM"
+      , loadPlugin oauth2ORCID "ORCID"
+      , loadPlugin oauth2Upcase "UPCASE"
+      ]
+
+  return App {..}
+ where
+  loadPlugin f prefix = do
+    clientId <- getEnv $ prefix <> "_CLIENT_ID"
+    clientSecret <- getEnv $ prefix <> "_CLIENT_SECRET"
+    pure $ f (T.pack clientId) (T.pack clientSecret)

 main :: IO ()
 main = runEnv 3000 =<< toWaiApp =<< mkFoundation
--- a/fourmolu.yaml
+++ b/fourmolu.yaml
@ -0,0 +1,15 @@
+indentation: 2
+column-limit: 80 # ignored until v12 / ghc-9.6
+function-arrows: leading
+comma-style: leading # default
+import-export-style: leading
+indent-wheres: false # default
+record-brace-space: true
+newlines-between-decls: 1 # default
+haddock-style: single-line
+let-style: mixed
+in-style: left-align
+single-constraint-parens: never # ignored until v12 / ghc-9.6
+unicode: never # default
+respectful: true # default
+fixities: [] # default
--- a/package.yaml
+++ b/package.yaml
@ -1,16 +1,19 @@
 ---
 name: yesod-auth-oauth2
-version: '0.6.1.5'  # N.B. PVP-compliant Semver: 0.MAJOR.MINOR.PATCH
+version: 0.8.0.0
 synopsis: OAuth 2.0 authentication plugins
 description: Library to authenticate with OAuth 2.0 for Yesod web applications.
 category: Web
-author: Tom Streller
-maintainer: Pat Brisbin <pbrisbin@gmail.com>
+author:
+  - Tom Streller
+  - Patrick Brisbin
+  - Freckle Engineering
 license: MIT
-github: thoughtbot/yesod-auth-oauth2
-homepage: http://github.com/thoughtbot/yesod-auth-oauth2
+maintainer: engineering@freckle.com
+github: freckle/yesod-auth-oauth2
+homepage: http://github.com/freckle/yesod-auth-oauth2

-extra-source-files:
+extra-doc-files:
  - README.md
  - CHANGELOG.md

@ -22,21 +25,24 @@ dependencies:
 library:
  source-dirs: src
  dependencies:
-    - aeson >=0.6 && <1.6
+    - aeson >=0.6
    - bytestring >=0.9.1.4
-    - cryptonite
+    - crypton
    - errors
-    - hoauth2 >=1.11.0 && <1.15
-    - http-client >=0.4.0 && <0.7
-    - http-conduit >=2.0 && <3.0
-    - http-types >=0.8 && <0.13
+    - hoauth2 >=2.8.0 # TokenRequestError
+    - http-client >=0.4.0
+    - http-conduit >=2.0
+    - http-types >=0.8
    - memory
    - microlens
+    - mtl
    - safe-exceptions
-    - text >=0.7 && <2.0
+    - text >=0.7
+    - transformers
    - uri-bytestring
-    - yesod-auth >=1.6.0 && <1.7
-    - yesod-core >=1.6.0 && <1.7
+    - yesod-auth >=1.6.0
+    - yesod-core >=1.6.0
+    - unliftio

 executables:
  yesod-auth-oauth2-example:
@ -48,18 +54,18 @@ executables:
      - -with-rtsopts=-N
    dependencies:
      - yesod-auth-oauth2
-      - aeson
+      - aeson >=0.6
      - aeson-pretty
-      - bytestring
-      - containers
-      - http-conduit
+      - bytestring >=0.9.1.4
+      - containers >=0.6.0.1
+      - http-conduit >=2.0
      - load-env
-      - text
+      - text >=0.7
      - warp
      - yesod
-      - yesod-auth
+      - yesod-auth >=1.6.0
    when:
-      - condition: ! '!(flag(example))'
+      - condition: ! "!(flag(example))"
        buildable: false

 tests:
--- a/renovate.json
+++ b/renovate.json
@ -0,0 +1,7 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "local>freckle/renovate-config"
+  ],
+  "minimumReleaseAge": "0 days"
+}
--- a/src/Network/OAuth/OAuth2/Compat.hs
+++ b/src/Network/OAuth/OAuth2/Compat.hs
@ -0,0 +1,118 @@
+{-# LANGUAGE CPP #-}
+
+module Network.OAuth.OAuth2.Compat
+  ( OAuth2 (..)
+  , authorizationUrl
+  , fetchAccessTokenBasic
+  , fetchAccessTokenPost
+  , authGetBS
+
+    -- * Re-exports
+  , AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , TokenResponse
+  , accessToken
+  , refreshToken
+  , expiresIn
+  , tokenType
+  , idToken
+  , TokenResponseError
+  ) where
+
+import Control.Monad.IO.Class (MonadIO)
+import Control.Monad.Trans.Except (runExceptT)
+import Data.ByteString.Lazy (ByteString)
+import Data.Text (Text)
+import Network.HTTP.Conduit (Manager)
+import URI.ByteString
+
+#if MIN_VERSION_hoauth2(2,15,0)
+import Network.OAuth2
+  ( AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , TokenResponse (..)
+  , TokenResponseError
+  )
+import qualified Network.OAuth2 as OAuth2
+
+#elif MIN_VERSION_hoauth2(2,9,0)
+import Network.OAuth.OAuth2
+  ( AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , OAuth2Token (..)
+  , TokenResponseError
+  )
+import qualified Network.OAuth.OAuth2 as OAuth2
+
+type TokenResponse = OAuth2Token
+
+#else
+-- hoauth2-2.8
+import Network.OAuth.OAuth2
+  ( AccessToken (..)
+  , ExchangeToken (..)
+  , RefreshToken (..)
+  , OAuth2Token (..)
+  )
+import Network.OAuth.OAuth2.TokenRequest (TokenRequestError)
+import qualified Network.OAuth.OAuth2 as OAuth2
+
+type TokenResponse = OAuth2Token
+type TokenResponseError = TokenRequestError
+#endif
+
+data OAuth2 = OAuth2
+  { oauth2ClientId :: Text
+  , oauth2ClientSecret :: Text
+  , oauth2AuthorizeEndpoint :: URIRef Absolute
+  , oauth2TokenEndpoint :: URIRef Absolute
+  , oauth2RedirectUri :: Maybe (URIRef Absolute)
+  }
+
+authorizationUrl :: OAuth2 -> URI
+authorizationUrl = OAuth2.authorizationUrl . getOAuth2
+
+fetchAccessTokenBasic
+  :: Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> IO (Either TokenResponseError TokenResponse)
+fetchAccessTokenBasic =
+  runFetchAccessToken OAuth2.ClientSecretBasic
+
+fetchAccessTokenPost
+  :: Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> IO (Either TokenResponseError TokenResponse)
+fetchAccessTokenPost =
+  runFetchAccessToken OAuth2.ClientSecretPost
+
+authGetBS :: Manager -> AccessToken -> URI -> IO (Either ByteString ByteString)
+authGetBS m a u = runExceptT $ OAuth2.authGetBS m a u
+
+getOAuth2 :: OAuth2 -> OAuth2.OAuth2
+getOAuth2 o =
+  OAuth2.OAuth2
+    { OAuth2.oauth2ClientId = oauth2ClientId o
+    , OAuth2.oauth2ClientSecret = oauth2ClientSecret o
+    , OAuth2.oauth2AuthorizeEndpoint = oauth2AuthorizeEndpoint o
+    , OAuth2.oauth2TokenEndpoint = oauth2TokenEndpoint o
+    , OAuth2.oauth2RedirectUri = case oauth2RedirectUri o of
+        Nothing ->
+          error
+            "programmer error: yesod-auth-oauth2:OAuth2 must have a Just value set as oauth2RedirectUri before using as an hauth2:OAuth2 value"
+        Just uri -> uri
+    }
+
+runFetchAccessToken
+  :: MonadIO m
+  => OAuth2.ClientAuthenticationMethod
+  -> Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> m (Either TokenResponseError TokenResponse)
+runFetchAccessToken am m o e = runExceptT $ OAuth2.fetchAccessTokenWithAuthMethod am m (getOAuth2 o) e
--- a/src/URI/ByteString/Extension.hs
+++ b/src/URI/ByteString/Extension.hs
@ -1,9 +1,10 @@
 {-# LANGUAGE FlexibleInstances #-}
 {-# OPTIONS_GHC -fno-warn-orphans #-}
+
 module URI.ByteString.Extension where

 import Data.ByteString (ByteString)
-import Data.String (IsString(..))
+import Data.String (IsString (..))
 import Data.Text (Text)
 import Data.Text.Encoding (decodeUtf8, encodeUtf8)
 import Lens.Micro
@ -13,30 +14,26 @@ import qualified Data.ByteString.Char8 as C8
 import URI.ByteString

 instance IsString Scheme where
-    fromString = Scheme . fromString
+  fromString = Scheme . fromString

 instance IsString Host where
-    fromString = Host . fromString
+  fromString = Host . fromString

 instance IsString (URIRef Absolute) where
-    fromString = either (error . show) id
-        . parseURI strictURIParserOptions
-        . C8.pack
+  fromString =
+    either (error . show) id . parseURI strictURIParserOptions . C8.pack

 instance IsString (URIRef Relative) where
-    fromString = either (error . show) id
-        . parseRelativeRef strictURIParserOptions
-        . C8.pack
+  fromString =
+    either (error . show) id . parseRelativeRef strictURIParserOptions . C8.pack

 fromText :: Text -> Maybe URI
-fromText = either (const Nothing) Just
-    . parseURI strictURIParserOptions
-    . encodeUtf8
+fromText =
+  either (const Nothing) Just . parseURI strictURIParserOptions . encodeUtf8

 unsafeFromText :: Text -> URI
-unsafeFromText = either (error . show) id
-    . parseURI strictURIParserOptions
-    . encodeUtf8
+unsafeFromText =
+  either (error . show) id . parseURI strictURIParserOptions . encodeUtf8

 toText :: URI -> Text
 toText = decodeUtf8 . serializeURIRef'
@ -45,9 +42,12 @@ fromRelative :: Scheme -> Host -> RelativeRef -> URI
 fromRelative s h = flip withHost h . toAbsolute s

 withHost :: URIRef a -> Host -> URIRef a
-withHost u h = u & authorityL %~ maybe
-    (Just $ Authority Nothing h Nothing)
-    (\a -> Just $ a & authorityHostL .~ h)
+withHost u h =
+  u
+    & authorityL
+      %~ maybe
+        (Just $ Authority Nothing h Nothing)
+        (\a -> Just $ a & authorityHostL .~ h)

 withPath :: URIRef a -> ByteString -> URIRef a
 withPath u p = u & pathL .~ p
--- a/src/UnliftIO/Except.hs
+++ b/src/UnliftIO/Except.hs
@ -0,0 +1,12 @@
+{-# OPTIONS_GHC -Wno-orphans #-}
+
+module UnliftIO.Except () where
+
+import Control.Monad ((<=<))
+import Control.Monad.Except (ExceptT (..), runExceptT)
+import UnliftIO
+
+instance (MonadUnliftIO m, Exception e) => MonadUnliftIO (ExceptT e m) where
+  withRunInIO exceptToIO = ExceptT $ try $ do
+    withRunInIO $ \runInIO ->
+      exceptToIO (runInIO . (either throwIO pure <=< runExceptT))
--- a/src/Yesod/Auth/OAuth2.hs
+++ b/src/Yesod/Auth/OAuth2.hs
@ -1,28 +1,32 @@
 {-# LANGUAGE FlexibleContexts #-}
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE QuasiQuotes #-}
+
 -- |
 --
 -- Generic OAuth2 plugin for Yesod
 --
 -- See @"Yesod.Auth.OAuth2.GitHub"@ for example usage.
--
 module Yesod.Auth.OAuth2
-    ( OAuth2(..)
-    , FetchCreds
-    , Manager
-    , OAuth2Token(..)
-    , Creds(..)
-    , oauth2Url
-    , authOAuth2
-    , authOAuth2Widget
+  ( OAuth2 (..)
+  , FetchCreds
+  , Manager
+  , TokenResponse
+  , Creds (..)
+  , oauth2Url
+  , authOAuth2
+  , authOAuth2Widget
+
+    -- * Alternatives that use 'fetchAccessTokenPost'
+  , authOAuth2'
+  , authOAuth2Widget'

    -- * Reading our @'credsExtra'@ keys
-    , getAccessToken
-    , getRefreshToken
-    , getUserResponse
-    , getUserResponseJSON
-    ) where
+  , getAccessToken
+  , getRefreshToken
+  , getUserResponse
+  , getUserResponseJSON
+  ) where

 import Control.Error.Util (note)
 import Control.Monad ((<=<))
@ -31,7 +35,7 @@ import Data.ByteString.Lazy (ByteString, fromStrict)
 import Data.Text (Text)
 import Data.Text.Encoding (encodeUtf8)
 import Network.HTTP.Conduit (Manager)
-import Network.OAuth.OAuth2
+import Network.OAuth.OAuth2.Compat
 import Yesod.Auth
 import Yesod.Auth.OAuth2.Dispatch
 import Yesod.Core.Widget
@ -42,46 +46,72 @@ oauth2Url name = PluginR name ["forward"]
 -- | Create an @'AuthPlugin'@ for the given OAuth2 provider
 --
 -- Presents a generic @"Login via #{name}"@ link
--
 authOAuth2 :: YesodAuth m => Text -> OAuth2 -> FetchCreds m -> AuthPlugin m
 authOAuth2 name = authOAuth2Widget [whamlet|Login via #{name}|] name

+-- | A version of 'authOAuth2' that uses 'fetchAccessTokenPost'
+--
+-- See <https://github.com/thoughtbot/yesod-auth-oauth2/pull/129>
+authOAuth2' :: YesodAuth m => Text -> OAuth2 -> FetchCreds m -> AuthPlugin m
+authOAuth2' name = authOAuth2Widget' [whamlet|Login via #{name}|] name
+
 -- | Create an @'AuthPlugin'@ for the given OAuth2 provider
 --
 -- Allows passing a custom widget for the login link. See @'oauth2Eve'@ for an
 -- example.
--
 authOAuth2Widget
-    :: YesodAuth m
-    => WidgetFor m ()
-    -> Text
-    -> OAuth2
-    -> FetchCreds m
-    -> AuthPlugin m
-authOAuth2Widget widget name oauth getCreds =
-    AuthPlugin name (dispatchAuthRequest name oauth getCreds) login
-  where
-    login tm = [whamlet|<a href=@{tm $ oauth2Url name}>^{widget}|]
+  :: YesodAuth m
+  => WidgetFor m ()
+  -> Text
+  -> OAuth2
+  -> FetchCreds m
+  -> AuthPlugin m
+authOAuth2Widget = buildPlugin fetchAccessTokenBasic
+
+-- | A version of 'authOAuth2Widget' that uses 'fetchAccessTokenPost'
+--
+-- See <https://github.com/thoughtbot/yesod-auth-oauth2/pull/129>
+authOAuth2Widget'
+  :: YesodAuth m
+  => WidgetFor m ()
+  -> Text
+  -> OAuth2
+  -> FetchCreds m
+  -> AuthPlugin m
+authOAuth2Widget' = buildPlugin fetchAccessTokenPost
+
+buildPlugin
+  :: YesodAuth m
+  => FetchToken
+  -> WidgetFor m ()
+  -> Text
+  -> OAuth2
+  -> FetchCreds m
+  -> AuthPlugin m
+buildPlugin getToken widget name oauth getCreds =
+  AuthPlugin
+    name
+    (dispatchAuthRequest name oauth getToken getCreds)
+    login
+ where
+  login tm = [whamlet|<a href=@{tm $ oauth2Url name}>^{widget}|]

 -- | Read the @'AccessToken'@ from the values set via @'setExtra'@
 getAccessToken :: Creds m -> Maybe AccessToken
-getAccessToken =
-    (AccessToken <$>) . lookup "accessToken" . credsExtra
+getAccessToken = (AccessToken <$>) . lookup "accessToken" . credsExtra

 -- | Read the @'RefreshToken'@ from the values set via @'setExtra'@
 --
 -- N.B. not all providers supply this value.
--
 getRefreshToken :: Creds m -> Maybe RefreshToken
-getRefreshToken =
-    (RefreshToken <$>) . lookup "refreshToken" . credsExtra
+getRefreshToken = (RefreshToken <$>) . lookup "refreshToken" . credsExtra

 -- | Read the original profile response from the values set via @'setExtra'@
 getUserResponse :: Creds m -> Maybe ByteString
 getUserResponse =
-    (fromStrict . encodeUtf8 <$>) . lookup "userResponse" . credsExtra
+  (fromStrict . encodeUtf8 <$>) . lookup "userResponse" . credsExtra

 -- | @'getUserResponse'@, and decode as JSON
 getUserResponseJSON :: FromJSON a => Creds m -> Either String a
 getUserResponseJSON =
-    eitherDecode <=< note "userResponse key not present" . getUserResponse
+  eitherDecode <=< note "userResponse key not present" . getUserResponse
--- a/src/Yesod/Auth/OAuth2/Auth0.hs
+++ b/src/Yesod/Auth/OAuth2/Auth0.hs
@ -0,0 +1,60 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+-- |
+-- OAuth2 plugin for <https://auth0.com>
+--
+-- * Authenticates against specific auth0 tenant
+-- * Uses Auth0 user id (a.k.a [sub](https://auth0.com/docs/api/authentication#get-user-info)) as credentials identifier
+module Yesod.Auth.OAuth2.Auth0
+  ( oauth2Auth0HostScopes
+  , oauth2Auth0Host
+  , defaultAuth0Scopes
+  ) where
+
+import Data.Aeson as Aeson
+import qualified Data.Text as T
+import Yesod.Auth.OAuth2.Prelude
+import Prelude
+
+-- | https://auth0.com/docs/api/authentication#get-user-info
+newtype User = User T.Text
+
+instance FromJSON User where
+  parseJSON = withObject "User" $ \o -> User <$> o .: "sub"
+
+-- | https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes#standard-claims
+defaultAuth0Scopes :: [Text]
+defaultAuth0Scopes = ["openid"]
+
+pluginName :: Text
+pluginName = "auth0"
+
+oauth2Auth0Host :: YesodAuth m => URI -> Text -> Text -> AuthPlugin m
+oauth2Auth0Host host = oauth2Auth0HostScopes host defaultAuth0Scopes
+
+oauth2Auth0HostScopes
+  :: YesodAuth m => URI -> [Text] -> Text -> Text -> AuthPlugin m
+oauth2Auth0HostScopes host scopes clientId clientSecret =
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User uid, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        (host `withPath` "/userinfo")
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = uid
+        , credsExtra = setExtra token userResponse
+        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          host `withPath` "/authorize" `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = host `withPath` "/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/AzureAD.hs
+++ b/src/Yesod/Auth/OAuth2/AzureAD.hs
@ -1,24 +1,23 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 --
 -- OAuth2 plugin for Azure AD.
 --
 -- * Authenticates against Azure AD
 -- * Uses email as credentials identifier
--
 module Yesod.Auth.OAuth2.AzureAD
-    ( oauth2AzureAD
-    , oauth2AzureADScoped
-    )
-where
+  ( oauth2AzureAD
+  , oauth2AzureADScoped
+  ) where

-import Prelude
 import Yesod.Auth.OAuth2.Prelude
+import Prelude

 newtype User = User Text

 instance FromJSON User where
-    parseJSON = withObject "User" $ \o -> User <$> o .: "mail"
+  parseJSON = withObject "User" $ \o -> User <$> o .: "mail"

 pluginName :: Text
 pluginName = "azuread"
@ -31,28 +30,30 @@ oauth2AzureAD = oauth2AzureADScoped defaultScopes

 oauth2AzureADScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
 oauth2AzureADScoped scopes clientId clientSecret =
-    authOAuth2 pluginName oauth2 $ \manager token -> do
-        (User userId, userResponse) <- authGetProfile
-            pluginName
-            manager
-            token
-            "https://graph.microsoft.com/v1.0/me"
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://graph.microsoft.com/v1.0/me"

-        pure Creds
-            { credsPlugin = pluginName
-            , credsIdent = userId
-            , credsExtra = setExtra token userResponse
-            }
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            "https://login.windows.net/common/oauth2/authorize"
-                `withQuery` [ scopeParam "," scopes
-                            , ("resource", "https://graph.microsoft.com")
-                            ]
-        , oauthAccessTokenEndpoint =
-            "https://login.windows.net/common/oauth2/token"
-        , oauthCallback = Nothing
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://login.windows.net/common/oauth2/authorize"
+            `withQuery` [ scopeParam "," scopes
+                        , ("resource", "https://graph.microsoft.com")
+                        ]
+      , oauth2TokenEndpoint = "https://login.windows.net/common/oauth2/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/AzureADv2.hs
+++ b/src/Yesod/Auth/OAuth2/AzureADv2.hs
@ -0,0 +1,104 @@
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE QuasiQuotes #-}
+
+-- |
+--
+-- OAuth2 plugin for Azure AD using the new v2 endpoints.
+--
+-- * Authenticates against Azure AD
+-- * Uses email as credentials identifier
+module Yesod.Auth.OAuth2.AzureADv2
+  ( oauth2AzureADv2
+  , oauth2AzureADv2Scoped
+  , oauth2AzureADv2Widget
+  , oauth2AzureADv2ScopedWidget
+  ) where
+
+import Yesod.Auth.OAuth2.Prelude
+import Yesod.Core (WidgetFor, whamlet)
+import Prelude
+
+import Data.String
+import Data.Text (unpack)
+
+newtype User = User Text
+
+instance FromJSON User where
+  parseJSON = withObject "User" $ \o -> User <$> o .: "mail"
+
+pluginName :: Text
+pluginName = "azureadv2"
+
+defaultScopes :: [Text]
+defaultScopes = ["openid", "profile"]
+
+oauth2AzureADv2
+  :: YesodAuth m
+  => Text
+  -- ^ Tenant Id
+  --
+  -- If using a multi-tenant App, @common@ can be given here.
+  -> Text
+  -- ^ Client Id
+  -> Text
+  -- ^ Client secret
+  -> AuthPlugin m
+oauth2AzureADv2 = oauth2AzureADv2Scoped defaultScopes
+
+oauth2AzureADv2Widget
+  :: YesodAuth m => WidgetFor m () -> Text -> Text -> Text -> AuthPlugin m
+oauth2AzureADv2Widget widget =
+  oauth2AzureADv2ScopedWidget widget defaultScopes
+
+oauth2AzureADv2Scoped
+  :: YesodAuth m => [Text] -> Text -> Text -> Text -> AuthPlugin m
+oauth2AzureADv2Scoped =
+  oauth2AzureADv2ScopedWidget [whamlet|Login via #{pluginName}|]
+
+oauth2AzureADv2ScopedWidget
+  :: YesodAuth m
+  => WidgetFor m ()
+  -- ^ Widget
+  -> [Text]
+  -- ^ Scopes
+  -> Text
+  -- ^ Tenant Id
+  --
+  -- If using a multi-tenant App, @common@ can be given here.
+  -> Text
+  -- ^ Client Id
+  -> Text
+  -- ^ Client Secret
+  -> AuthPlugin m
+oauth2AzureADv2ScopedWidget widget scopes tenantId clientId clientSecret =
+  authOAuth2Widget widget pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://graph.microsoft.com/v1.0/me"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
+        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          tenantUrl "/authorize" `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = tenantUrl "/token"
+      , oauth2RedirectUri = Nothing
+      }
+
+  tenantUrl path =
+    fromString $
+      "https://login.microsoftonline.com/"
+        <> unpack tenantId
+        <> "/oauth2/v2.0"
+        <> path
--- a/src/Yesod/Auth/OAuth2/BattleNet.hs
+++ b/src/Yesod/Auth/OAuth2/BattleNet.hs
@ -7,12 +7,10 @@
 -- * Authenticates against battle.net.
 -- * Uses user's id as credentials identifier.
 -- * Returns user's battletag in extras.
--
 module Yesod.Auth.OAuth2.BattleNet
-    ( oauth2BattleNet
-    , oAuth2BattleNet
-    )
-where
+  ( oauth2BattleNet
+  , oAuth2BattleNet
+  ) where

 import Yesod.Auth.OAuth2.Prelude

@ -22,42 +20,44 @@ import Yesod.Core.Widget
 newtype User = User Int

 instance FromJSON User where
-    parseJSON = withObject "User" $ \o -> User <$> o .: "id"
+  parseJSON = withObject "User" $ \o -> User <$> o .: "id"

 pluginName :: Text
 pluginName = "battle.net"

 oauth2BattleNet
-    :: YesodAuth m
-    => WidgetFor m () -- ^ Login widget
-    -> Text -- ^ User region (e.g. "eu", "cn", "us")
-    -> Text -- ^ Client ID
-    -> Text -- ^ Client Secret
-    -> AuthPlugin m
+  :: YesodAuth m
+  => WidgetFor m ()
+  -- ^ Login widget
+  -> Text
+  -- ^ User region (e.g. "eu", "cn", "us")
+  -> Text
+  -- ^ Client ID
+  -> Text
+  -- ^ Client Secret
+  -> AuthPlugin m
 oauth2BattleNet widget region clientId clientSecret =
-    authOAuth2Widget widget pluginName oauth2 $ \manager token -> do
-        (User userId, userResponse) <-
-            authGetProfile pluginName manager token
-                $ fromRelative
-                      "https"
-                      (apiHost $ T.toLower region)
-                      "/account/user"
+  authOAuth2Widget widget pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile pluginName manager token $
+        fromRelative "https" (apiHost $ T.toLower region) "/account/user"

-        pure Creds
-            { credsPlugin = pluginName
-            , credsIdent = T.pack $ show userId
-            , credsExtra = setExtra token userResponse
-            }
-  where
-    host = wwwHost $ T.toLower region
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint = fromRelative "https" host "/oauth/authorize"
-        , oauthAccessTokenEndpoint = fromRelative "https" host "/oauth/token"
-        , oauthCallback = Nothing
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
        }
-
+ where
+  host = wwwHost $ T.toLower region
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint = fromRelative "https" host "/oauth/authorize"
+      , oauth2TokenEndpoint = fromRelative "https" host "/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }

 apiHost :: Text -> Host
 apiHost "cn" = "api.battlenet.com.cn"
@ -68,6 +68,6 @@ wwwHost "cn" = "www.battlenet.com.cn"
 wwwHost region = Host $ encodeUtf8 $ region <> ".battle.net"

 oAuth2BattleNet
-    :: YesodAuth m => Text -> Text -> Text -> WidgetFor m () -> AuthPlugin m
+  :: YesodAuth m => Text -> Text -> Text -> WidgetFor m () -> AuthPlugin m
 oAuth2BattleNet i s r w = oauth2BattleNet w r i s
 {-# DEPRECATED oAuth2BattleNet "Use oauth2BattleNet" #-}
--- a/src/Yesod/Auth/OAuth2/Bitbucket.hs
+++ b/src/Yesod/Auth/OAuth2/Bitbucket.hs
@ -1,16 +1,15 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 --
 -- OAuth2 plugin for http://bitbucket.com
 --
 -- * Authenticates against bitbucket
 -- * Uses bitbucket uuid as credentials identifier
--
 module Yesod.Auth.OAuth2.Bitbucket
-    ( oauth2Bitbucket
-    , oauth2BitbucketScoped
-    )
-where
+  ( oauth2Bitbucket
+  , oauth2BitbucketScoped
+  ) where

 import Yesod.Auth.OAuth2.Prelude

@ -19,7 +18,7 @@ import qualified Data.Text as T
 newtype User = User Text

 instance FromJSON User where
-    parseJSON = withObject "User" $ \o -> User <$> o .: "uuid"
+  parseJSON = withObject "User" $ \o -> User <$> o .: "uuid"

 pluginName :: Text
 pluginName = "bitbucket"
@ -32,32 +31,34 @@ oauth2Bitbucket = oauth2BitbucketScoped defaultScopes

 oauth2BitbucketScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
 oauth2BitbucketScoped scopes clientId clientSecret =
-    authOAuth2 pluginName oauth2 $ \manager token -> do
-        (User userId, userResponse) <- authGetProfile
-            pluginName
-            manager
-            token
-            "https://api.bitbucket.com/2.0/user"
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://api.bitbucket.com/2.0/user"

-        pure Creds
-            { credsPlugin = pluginName
-            -- FIXME: Preserved bug. This should just be userId (it's already
-            -- a Text), but because this code was shipped, folks likely have
-            -- Idents in their database like @"\"...\""@, and if we fixed this
-            -- they would need migrating. We're keeping it for now as it's a
-            -- minor wart. Breaking typed APIs is one thing, causing data to go
-            -- invalid is another.
-            , credsIdent = T.pack $ show userId
-            , credsExtra = setExtra token userResponse
-            }
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            "https://bitbucket.com/site/oauth2/authorize"
-                `withQuery` [scopeParam "," scopes]
-        , oauthAccessTokenEndpoint =
-            "https://bitbucket.com/site/oauth2/access_token"
-        , oauthCallback = Nothing
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , -- FIXME: Preserved bug. This should just be userId (it's already
+          -- a Text), but because this code was shipped, folks likely have
+          -- Idents in their database like @"\"...\""@, and if we fixed this
+          -- they would need migrating. We're keeping it for now as it's a
+          -- minor wart. Breaking typed APIs is one thing, causing data to go
+          -- invalid is another.
+          credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://bitbucket.com/site/oauth2/authorize"
+            `withQuery` [scopeParam "," scopes]
+      , oauth2TokenEndpoint = "https://bitbucket.com/site/oauth2/access_token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/ClassLink.hs
+++ b/src/Yesod/Auth/OAuth2/ClassLink.hs
@ -0,0 +1,52 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+module Yesod.Auth.OAuth2.ClassLink
+  ( oauth2ClassLink
+  , oauth2ClassLinkScoped
+  ) where
+
+import Yesod.Auth.OAuth2.Prelude
+
+import qualified Data.Text as T
+
+newtype User = User Int
+
+instance FromJSON User where
+  parseJSON = withObject "User" $ \o -> User <$> o .: "UserId"
+
+pluginName :: Text
+pluginName = "classlink"
+
+defaultScopes :: [Text]
+defaultScopes = ["profile", "oneroster"]
+
+oauth2ClassLink :: YesodAuth m => Text -> Text -> AuthPlugin m
+oauth2ClassLink = oauth2ClassLinkScoped defaultScopes
+
+oauth2ClassLinkScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
+oauth2ClassLinkScoped scopes clientId clientSecret =
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://nodeapi.classlink.com/v2/my/info"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://launchpad.classlink.com/oauth2/v2/auth"
+            `withQuery` [scopeParam "," scopes]
+      , oauth2TokenEndpoint = "https://launchpad.classlink.com/oauth2/v2/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/Dispatch.hs
+++ b/src/Yesod/Auth/OAuth2/Dispatch.hs
@ -1,174 +1,159 @@
 {-# LANGUAGE FlexibleContexts #-}
-{-# LANGUAGE LambdaCase #-}
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE RankNTypes #-}
-{-# LANGUAGE RecordWildCards #-}
 {-# LANGUAGE ScopedTypeVariables #-}
-{-# LANGUAGE TemplateHaskell #-}
-{-# LANGUAGE TypeApplications #-}
 {-# LANGUAGE TypeFamilies #-}
-module Yesod.Auth.OAuth2.Dispatch
-    ( FetchCreds
-    , dispatchAuthRequest
-    )
-where

-import Control.Exception.Safe
-import Control.Monad (unless, (<=<))
-import Crypto.Random (getRandomBytes)
-import Data.ByteArray.Encoding (Base(Base64), convertToBase)
-import Data.ByteString (ByteString)
+module Yesod.Auth.OAuth2.Dispatch
+  ( FetchToken
+  , fetchAccessTokenBasic
+  , fetchAccessTokenPost
+  , FetchCreds
+  , dispatchAuthRequest
+  ) where
+
+import Control.Monad (unless)
+import Control.Monad.Except (MonadError (..))
 import Data.Text (Text)
 import qualified Data.Text as T
-import Data.Text.Encoding (decodeUtf8, encodeUtf8)
+import Data.Text.Encoding (encodeUtf8)
 import Network.HTTP.Conduit (Manager)
-import Network.OAuth.OAuth2
+import Network.OAuth.OAuth2.Compat
 import URI.ByteString.Extension
+import UnliftIO.Exception
 import Yesod.Auth hiding (ServerError)
+import Yesod.Auth.OAuth2.DispatchError
 import Yesod.Auth.OAuth2.ErrorResponse
-import Yesod.Auth.OAuth2.Exception
+import Yesod.Auth.OAuth2.Random
 import Yesod.Core hiding (ErrorResponse)

+-- | How to fetch an @'OAuth2Token'@
+--
+-- This will be 'fetchAccessToken' or 'fetchAccessToken2'
+type FetchToken =
+  Manager
+  -> OAuth2
+  -> ExchangeToken
+  -> IO (Either TokenResponseError TokenResponse)
+
 -- | How to take an @'OAuth2Token'@ and retrieve user credentials
-type FetchCreds m = Manager -> OAuth2Token -> IO (Creds m)
+type FetchCreds m = Manager -> TokenResponse -> IO (Creds m)

 -- | Dispatch the various OAuth2 handshake routes
 dispatchAuthRequest
-    :: Text             -- ^ Name
-    -> OAuth2           -- ^ Service details
-    -> FetchCreds m     -- ^ How to get credentials
-    -> Text             -- ^ Method
-    -> [Text]           -- ^ Path pieces
-    -> AuthHandler m TypedContent
-dispatchAuthRequest name oauth2 _ "GET" ["forward"] =
-    dispatchForward name oauth2
-dispatchAuthRequest name oauth2 getCreds "GET" ["callback"] =
-    dispatchCallback name oauth2 getCreds
-dispatchAuthRequest _ _ _ _ _ = notFound
+  :: Text
+  -- ^ Name
+  -> OAuth2
+  -- ^ Service details
+  -> FetchToken
+  -- ^ How to get a token
+  -> FetchCreds m
+  -- ^ How to get credentials
+  -> Text
+  -- ^ Method
+  -> [Text]
+  -- ^ Path pieces
+  -> AuthHandler m TypedContent
+dispatchAuthRequest name oauth2 _ _ "GET" ["forward"] =
+  handleDispatchError $ dispatchForward name oauth2
+dispatchAuthRequest name oauth2 getToken getCreds "GET" ["callback"] =
+  handleDispatchError $ dispatchCallback name oauth2 getToken getCreds
+dispatchAuthRequest _ _ _ _ _ _ = notFound

 -- | Handle @GET \/forward@
 --
 -- 1. Set a random CSRF token in our session
 -- 2. Redirect to the Provider's authorization URL
--
-dispatchForward :: Text -> OAuth2 -> AuthHandler m TypedContent
+dispatchForward
+  :: (MonadError DispatchError m, MonadAuthHandler site m)
+  => Text
+  -> OAuth2
+  -> m TypedContent
 dispatchForward name oauth2 = do
-    csrf <- setSessionCSRF $ tokenSessionKey name
-    oauth2' <- withCallbackAndState name oauth2 csrf
-    redirect $ toText $ authorizationUrl oauth2'
+  csrf <- setSessionCSRF $ tokenSessionKey name
+  oauth2' <- withCallbackAndState name oauth2 csrf
+  redirect $ toText $ authorizationUrl oauth2'

 -- | Handle @GET \/callback@
 --
 -- 1. Verify the URL's CSRF token matches our session
 -- 2. Use the code parameter to fetch an AccessToken for the Provider
 -- 3. Use the AccessToken to construct a @'Creds'@ value for the Provider
--
-dispatchCallback :: Text -> OAuth2 -> FetchCreds m -> AuthHandler m TypedContent
-dispatchCallback name oauth2 getCreds = do
-    csrf <- verifySessionCSRF $ tokenSessionKey name
-    onErrorResponse $ oauth2HandshakeError name
-    code <- requireGetParam "code"
-    manager <- authHttpManager
-    oauth2' <- withCallbackAndState name oauth2 csrf
-    token <- errLeft $ fetchAccessToken2 manager oauth2' $ ExchangeToken code
-    creds <- errLeft $ tryFetchCreds $ getCreds manager token
-    setCredsRedirect creds
-  where
-    errLeft :: Show e => IO (Either e a) -> AuthHandler m a
-    errLeft = either (unexpectedError name) pure <=< liftIO
+dispatchCallback
+  :: (MonadError DispatchError m, MonadAuthHandler site m)
+  => Text
+  -> OAuth2
+  -> FetchToken
+  -> FetchCreds site
+  -> m TypedContent
+dispatchCallback name oauth2 getToken getCreds = do
+  onErrorResponse $ throwError . OAuth2HandshakeError
+  csrf <- verifySessionCSRF $ tokenSessionKey name
+  code <- requireGetParam "code"
+  manager <- authHttpManager
+  oauth2' <- withCallbackAndState name oauth2 csrf
+  token <-
+    either (throwError . OAuth2ResultError) pure
+      =<< liftIO (getToken manager oauth2' $ ExchangeToken code)
+  creds <-
+    liftIO (getCreds manager token)
+      `catch` (throwError . FetchCredsIOException)
+      `catch` (throwError . FetchCredsYesodOAuth2Exception)
+  setCredsRedirect creds

-- | Handle an OAuth2 @'ErrorResponse'@
--
-- These are things coming from the OAuth2 provider such an Invalid Grant or
-- Invalid Scope and /may/ be user-actionable. We've coded them to have an
-- @'erUserMessage'@ that we are comfortable displaying to the user as part of
-- the redirect, just in case.
--
-oauth2HandshakeError :: Text -> ErrorResponse -> AuthHandler m a
-oauth2HandshakeError name err = do
-    $(logError) $ "Handshake failure in " <> name <> " plugin: " <> tshow err
-    redirectMessage $ "OAuth2 handshake failure: " <> erUserMessage err
-
-- | Handle an unexpected error
--
-- This would be some unexpected exception while processing the callback.
-- Therefore, the user should see an opaque message and the details go only to
-- the server logs.
--
-unexpectedError :: Show e => Text -> e -> AuthHandler m a
-unexpectedError name err = do
-    $(logError) $ "Error in " <> name <> " OAuth2 plugin: " <> tshow err
-    redirectMessage "Unexpected error logging in with OAuth2"
-
-redirectMessage :: Text -> AuthHandler m a
-redirectMessage msg = do
-    toParent <- getRouteToParent
-    setMessage $ toHtml msg
-    redirect $ toParent LoginR
-
-tryFetchCreds :: IO a -> IO (Either SomeException a)
-tryFetchCreds f =
-    (Right <$> f)
-        `catch` (\(ex :: IOException) -> pure $ Left $ toException ex)
-        `catch` (\(ex :: YesodOAuth2Exception) -> pure $ Left $ toException ex)
-
-withCallbackAndState :: Text -> OAuth2 -> Text -> AuthHandler m OAuth2
+withCallbackAndState
+  :: (MonadError DispatchError m, MonadAuthHandler site m)
+  => Text
+  -> OAuth2
+  -> Text
+  -> m OAuth2
 withCallbackAndState name oauth2 csrf = do
-    let url = PluginR name ["callback"]
-    render <- getParentUrlRender
-    let callbackText = render url
-
-    callback <-
-        maybe
-                (liftIO
-                $ throwString
-                $ "Invalid callback URI: "
-                <> T.unpack callbackText
-                <> ". Not using an absolute Approot?"
-                )
-                pure
-            $ fromText callbackText
-
-    pure oauth2
-        { oauthCallback = Just callback
-        , oauthOAuthorizeEndpoint =
-            oauthOAuthorizeEndpoint oauth2
-                `withQuery` [("state", encodeUtf8 csrf)]
-        }
+  callback <- maybe defaultCallback pure $ oauth2RedirectUri oauth2
+  pure
+    oauth2
+      { oauth2RedirectUri = Just callback
+      , oauth2AuthorizeEndpoint =
+          oauth2AuthorizeEndpoint oauth2 `withQuery` [("state", encodeUtf8 csrf)]
+      }
+ where
+  defaultCallback = do
+    uri <- ($ PluginR name ["callback"]) <$> getParentUrlRender
+    maybe (throwError $ InvalidCallbackUri uri) pure $ fromText uri

 getParentUrlRender :: MonadHandler m => m (Route (SubHandlerSite m) -> Text)
 getParentUrlRender = (.) <$> getUrlRender <*> getRouteToParent

-- | Set a random, 30-character value in the session
+-- | Set a random, ~64-byte value in the session
+--
+-- Some (but not all) providers decode a @+@ in the state token as a space when
+-- sending it back to us. We don't expect this and fail. And if we did code for
+-- it, we'd then fail on the providers that /don't/ do that.
+--
+-- Therefore, we just exclude @+@ in our tokens, which means this function may
+-- return slightly fewer than 64 bytes.
 setSessionCSRF :: MonadHandler m => Text -> m Text
 setSessionCSRF sessionKey = do
-    csrfToken <- liftIO randomToken
-    csrfToken <$ setSession sessionKey csrfToken
-  where
-    randomToken =
-        decodeUtf8 . convertToBase @ByteString Base64 <$> getRandomBytes 64
+  csrfToken <- liftIO randomToken
+  csrfToken <$ setSession sessionKey csrfToken
+ where
+  randomToken = T.filter (/= '+') <$> randomText 64

 -- | Verify the callback provided the same CSRF token as in our session
-verifySessionCSRF :: MonadHandler m => Text -> m Text
+verifySessionCSRF
+  :: (MonadError DispatchError m, MonadHandler m) => Text -> m Text
 verifySessionCSRF sessionKey = do
-    token <- requireGetParam "state"
-    sessionToken <- lookupSession sessionKey
-    deleteSession sessionKey
+  token <- requireGetParam "state"
+  sessionToken <- lookupSession sessionKey
+  deleteSession sessionKey
+  token
+    <$ unless
+      (sessionToken == Just token)
+      (throwError $ InvalidStateToken sessionToken token)

-    unless (sessionToken == Just token)
-        $ permissionDenied "Invalid OAuth2 state token"
-
-    return token
-
-requireGetParam :: MonadHandler m => Text -> m Text
-requireGetParam key = do
-    m <- lookupGetParam key
-    maybe errInvalidArgs return m
-  where
-    errInvalidArgs = invalidArgs ["The '" <> key <> "' parameter is required"]
+requireGetParam
+  :: (MonadError DispatchError m, MonadHandler m) => Text -> m Text
+requireGetParam key =
+  maybe (throwError $ MissingParameter key) pure =<< lookupGetParam key

 tokenSessionKey :: Text -> Text
 tokenSessionKey name = "_yesod_oauth2_" <> name
-
-tshow :: Show a => a -> Text
-tshow = T.pack . show
--- a/src/Yesod/Auth/OAuth2/DispatchError.hs
+++ b/src/Yesod/Auth/OAuth2/DispatchError.hs
@ -0,0 +1,80 @@
+{-# LANGUAGE DeriveAnyClass #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE FlexibleContexts #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE ScopedTypeVariables #-}
+{-# LANGUAGE TemplateHaskell #-}
+{-# LANGUAGE TypeApplications #-}
+{-# LANGUAGE TypeFamilies #-}
+
+module Yesod.Auth.OAuth2.DispatchError
+  ( DispatchError (..)
+  , handleDispatchError
+  , onDispatchError
+  ) where
+
+import Control.Monad.Except
+import Data.Text (Text, pack)
+import Network.OAuth.OAuth2.Compat (TokenResponseError)
+import UnliftIO.Except ()
+import UnliftIO.Exception
+import Yesod.Auth hiding (ServerError)
+import Yesod.Auth.OAuth2.ErrorResponse
+import Yesod.Auth.OAuth2.Exception
+import Yesod.Auth.OAuth2.Random
+import Yesod.Core hiding (ErrorResponse)
+
+data DispatchError
+  = MissingParameter Text
+  | InvalidStateToken (Maybe Text) Text
+  | InvalidCallbackUri Text
+  | OAuth2HandshakeError ErrorResponse
+  | OAuth2ResultError TokenResponseError
+  | FetchCredsIOException IOException
+  | FetchCredsYesodOAuth2Exception YesodOAuth2Exception
+  | OtherDispatchError Text
+  deriving stock (Show)
+  deriving anyclass (Exception)
+
+-- | User-friendly message for any given 'DispatchError'
+--
+-- Most of these are opaque to the user. The exception details are present for
+-- the server logs.
+dispatchErrorMessage :: DispatchError -> Text
+dispatchErrorMessage = \case
+  MissingParameter name ->
+    "Parameter '" <> name <> "' is required, but not present in the URL"
+  InvalidStateToken {} -> "State token is invalid, please try again"
+  InvalidCallbackUri {} ->
+    "Callback URI was not valid, this server may be misconfigured (no approot)"
+  OAuth2HandshakeError er -> "OAuth2 handshake failure: " <> erUserMessage er
+  OAuth2ResultError {} -> "Login failed, please try again"
+  FetchCredsIOException {} -> "Login failed, please try again"
+  FetchCredsYesodOAuth2Exception {} -> "Login failed, please try again"
+  OtherDispatchError {} -> "Login failed, please try again"
+
+handleDispatchError
+  :: MonadAuthHandler site m
+  => ExceptT DispatchError m TypedContent
+  -> m TypedContent
+handleDispatchError f = do
+  result <- runExceptT f
+  either onDispatchError pure result
+
+onDispatchError :: MonadAuthHandler site m => DispatchError -> m TypedContent
+onDispatchError err = do
+  errorId <- liftIO $ randomText 16
+  let suffix = " [errorId=" <> errorId <> "]"
+  $(logError) $ pack (displayException err) <> suffix
+
+  let
+    message = dispatchErrorMessage err <> suffix
+    messageValue =
+      object ["error" .= object ["id" .= errorId, "message" .= message]]
+
+  loginR <- ($ LoginR) <$> getRouteToParent
+
+  selectRep $ do
+    provideRep @_ @Html $ onErrorHtml loginR message
+    provideRep @_ @Value $ pure messageValue
--- a/src/Yesod/Auth/OAuth2/ErrorResponse.hs
+++ b/src/Yesod/Auth/OAuth2/ErrorResponse.hs
@ -1,16 +1,15 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- | OAuth callback error response
 --
 -- <https://tools.ietf.org/html/rfc6749#section-4.1.2.1>
--
 module Yesod.Auth.OAuth2.ErrorResponse
-    ( ErrorResponse(..)
-    , erUserMessage
-    , ErrorName(..)
-    , onErrorResponse
-    , unknownError
-    )
-where
+  ( ErrorResponse (..)
+  , erUserMessage
+  , ErrorName (..)
+  , onErrorResponse
+  , unknownError
+  ) where

 import Data.Foldable (traverse_)
 import Data.Text (Text)
@ -18,58 +17,54 @@ import Data.Traversable (for)
 import Yesod.Core (MonadHandler, lookupGetParam)

 data ErrorName
-    = InvalidRequest
-    | UnauthorizedClient
-    | AccessDenied
-    | UnsupportedResponseType
-    | InvalidScope
-    | ServerError
-    | TemporarilyUnavailable
-    | Unknown Text
-    deriving Show
+  = InvalidRequest
+  | UnauthorizedClient
+  | AccessDenied
+  | UnsupportedResponseType
+  | InvalidScope
+  | ServerError
+  | TemporarilyUnavailable
+  | Unknown Text
+  deriving (Show)

 data ErrorResponse = ErrorResponse
-    { erName :: ErrorName
-    , erDescription :: Maybe Text
-    , erURI :: Maybe Text
-    }
-    deriving Show
+  { erName :: ErrorName
+  , erDescription :: Maybe Text
+  , erURI :: Maybe Text
+  }
+  deriving (Show)

 -- | Textual value suitable for display to a User
 erUserMessage :: ErrorResponse -> Text
 erUserMessage err = case erName err of
-    InvalidRequest -> "Invalid request"
-    UnauthorizedClient -> "Unauthorized client"
-    AccessDenied -> "Access denied"
-    UnsupportedResponseType -> "Unsupported response type"
-    InvalidScope -> "Invalid scope"
-    ServerError -> "Server error"
-    TemporarilyUnavailable -> "Temporarily unavailable"
-    Unknown _ -> "Unknown error"
+  InvalidRequest -> "Invalid request"
+  UnauthorizedClient -> "Unauthorized client"
+  AccessDenied -> "Access denied"
+  UnsupportedResponseType -> "Unsupported response type"
+  InvalidScope -> "Invalid scope"
+  ServerError -> "Server error"
+  TemporarilyUnavailable -> "Temporarily unavailable"
+  Unknown _ -> "Unknown error"

 unknownError :: Text -> ErrorResponse
-unknownError x = ErrorResponse
-    { erName = Unknown x
-    , erDescription = Nothing
-    , erURI = Nothing
-    }
+unknownError x =
+  ErrorResponse {erName = Unknown x, erDescription = Nothing, erURI = Nothing}

 -- | Check query parameters for an error, if found run the given action
 --
 -- The action is expected to use a short-circuit response function like
 -- @'permissionDenied'@, hence this returning @()@.
--
 onErrorResponse :: MonadHandler m => (ErrorResponse -> m a) -> m ()
 onErrorResponse f = traverse_ f =<< checkErrorResponse

 checkErrorResponse :: MonadHandler m => m (Maybe ErrorResponse)
 checkErrorResponse = do
-    merror <- lookupGetParam "error"
+  merror <- lookupGetParam "error"

-    for merror $ \err ->
-        ErrorResponse (readErrorName err)
-            <$> lookupGetParam "error_description"
-            <*> lookupGetParam "error_uri"
+  for merror $ \err ->
+    ErrorResponse (readErrorName err)
+      <$> lookupGetParam "error_description"
+      <*> lookupGetParam "error_uri"

 readErrorName :: Text -> ErrorName
 readErrorName "invalid_request" = InvalidRequest
--- a/src/Yesod/Auth/OAuth2/EveOnline.hs
+++ b/src/Yesod/Auth/OAuth2/EveOnline.hs
@ -1,18 +1,17 @@
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE QuasiQuotes #-}
+
 -- |
 --
 -- OAuth2 plugin for http://eveonline.com
 --
 -- * Authenticates against eveonline
 -- * Uses EVEs unique account-user-char-hash as credentials identifier
--
 module Yesod.Auth.OAuth2.EveOnline
-    ( oauth2Eve
-    , oauth2EveScoped
-    , WidgetType(..)
-    )
-where
+  ( oauth2Eve
+  , oauth2EveScoped
+  , WidgetType (..)
+  ) where

 import Yesod.Auth.OAuth2.Prelude

@ -22,26 +21,27 @@ import Yesod.Core.Widget
 newtype User = User Text

 instance FromJSON User where
-    parseJSON = withObject "User" $ \o -> User <$> o .: "CharacterOwnerHash"
+  parseJSON = withObject "User" $ \o -> User <$> o .: "CharacterOwnerHash"

 data WidgetType m
-    = Plain -- ^ Simple "Login via eveonline" text
-    | BigWhite
-    | SmallWhite
-    | BigBlack
-    | SmallBlack
-    | Custom (WidgetFor m ())
+  = -- | Simple "Login via eveonline" text
+    Plain
+  | BigWhite
+  | SmallWhite
+  | BigBlack
+  | SmallBlack
+  | Custom (WidgetFor m ())

 asWidget :: YesodAuth m => WidgetType m -> WidgetFor m ()
 asWidget Plain = [whamlet|Login via eveonline|]
 asWidget BigWhite =
-    [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/4PTzeiAshqiM8osU2giO0Y/5cc4cb60bac52422da2e45db87b6819c/EVE_SSO_Login_Buttons_Large_White.png?w=270&h=45">|]
-asWidget BigBlack
-    = [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/4fSjj56uD6CYwYyus4KmES/4f6385c91e6de56274d99496e6adebab/EVE_SSO_Login_Buttons_Large_Black.png?w=270&h=45">|]
-asWidget SmallWhite
-    = [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/18BxKSXCymyqY4QKo8KwKe/c2bdded6118472dd587c8107f24104d7/EVE_SSO_Login_Buttons_Small_White.png?w=195&h=30">|]
-asWidget SmallBlack
-    = [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/12vrPsIMBQi28QwCGOAqGk/33234da7672c6b0cdca394fc8e0b1c2b/EVE_SSO_Login_Buttons_Small_Black.png?w=195&h=30">|]
+  [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/4PTzeiAshqiM8osU2giO0Y/5cc4cb60bac52422da2e45db87b6819c/EVE_SSO_Login_Buttons_Large_White.png?w=270&h=45">|]
+asWidget BigBlack =
+  [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/4fSjj56uD6CYwYyus4KmES/4f6385c91e6de56274d99496e6adebab/EVE_SSO_Login_Buttons_Large_Black.png?w=270&h=45">|]
+asWidget SmallWhite =
+  [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/18BxKSXCymyqY4QKo8KwKe/c2bdded6118472dd587c8107f24104d7/EVE_SSO_Login_Buttons_Small_White.png?w=195&h=30">|]
+asWidget SmallBlack =
+  [whamlet|<img src="https://images.contentful.com/idjq7aai9ylm/12vrPsIMBQi28QwCGOAqGk/33234da7672c6b0cdca394fc8e0b1c2b/EVE_SSO_Login_Buttons_Small_Black.png?w=195&h=30">|]
 asWidget (Custom a) = a

 pluginName :: Text
@ -54,29 +54,32 @@ oauth2Eve :: YesodAuth m => WidgetType m -> Text -> Text -> AuthPlugin m
 oauth2Eve = oauth2EveScoped defaultScopes

 oauth2EveScoped
-    :: YesodAuth m => [Text] -> WidgetType m -> Text -> Text -> AuthPlugin m
+  :: YesodAuth m => [Text] -> WidgetType m -> Text -> Text -> AuthPlugin m
 oauth2EveScoped scopes widgetType clientId clientSecret =
-    authOAuth2Widget (asWidget widgetType) pluginName oauth2
-        $ \manager token -> do
-              (User userId, userResponse) <- authGetProfile
-                  pluginName
-                  manager
-                  token
-                  "https://login.eveonline.com/oauth/verify"
+  authOAuth2Widget (asWidget widgetType) pluginName oauth2 $ \manager token ->
+    do
+      (User userId, userResponse) <-
+        authGetProfile
+          pluginName
+          manager
+          token
+          "https://login.eveonline.com/oauth/verify"

-              pure Creds
-                  { credsPlugin = "eveonline"
-                  -- FIXME: Preserved bug. See similar comment in Bitbucket provider.
-                  , credsIdent = T.pack $ show userId
-                  , credsExtra = setExtra token userResponse
-                  }
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            "https://login.eveonline.com/oauth/authorize"
-                `withQuery` [("response_type", "code"), scopeParam " " scopes]
-        , oauthAccessTokenEndpoint = "https://login.eveonline.com/oauth/token"
-        , oauthCallback = Nothing
-        }
+      pure
+        Creds
+          { credsPlugin = "eveonline"
+          , -- FIXME: Preserved bug. See similar comment in Bitbucket provider.
+            credsIdent = T.pack $ show userId
+          , credsExtra = setExtra token userResponse
+          }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://login.eveonline.com/oauth/authorize"
+            `withQuery` [("response_type", "code"), scopeParam " " scopes]
+      , oauth2TokenEndpoint = "https://login.eveonline.com/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/Exception.hs
+++ b/src/Yesod/Auth/OAuth2/Exception.hs
@ -1,29 +1,24 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-
 module Yesod.Auth.OAuth2.Exception
-    ( YesodOAuth2Exception(..)
-    ) where
+  ( YesodOAuth2Exception (..)
+  ) where

 import Control.Exception.Safe
 import Data.ByteString.Lazy (ByteString)
 import Data.Text (Text)

 data YesodOAuth2Exception
-    = OAuth2Error Text ByteString
-    -- ^ HTTP error during OAuth2 handshake
+  = -- | HTTP error during OAuth2 handshake
    --
    -- Plugin name and JSON-encoded @OAuth2Error@ from @hoauth2@.
-    --
-    | JSONDecodingError Text String
-    -- ^ User profile was not as expected
+    OAuth2Error Text ByteString
+  | -- | User profile was not as expected
    --
    -- Plugin name and Aeson parse error message.
-    --
-    | GenericError Text String
-    -- ^ Other error conditions
+    JSONDecodingError Text String
+  | -- | Other error conditions
    --
    -- Plugin name and error message.
-    --
-    deriving (Show, Typeable)
+    GenericError Text String
+  deriving (Show)

 instance Exception YesodOAuth2Exception
--- a/src/Yesod/Auth/OAuth2/GitHub.hs
+++ b/src/Yesod/Auth/OAuth2/GitHub.hs
@ -1,25 +1,27 @@
 {-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE QuasiQuotes #-}
+
 -- |
 --
 -- OAuth2 plugin for http://github.com
 --
 -- * Authenticates against github
 -- * Uses github user id as credentials identifier
--
 module Yesod.Auth.OAuth2.GitHub
-    ( oauth2GitHub
-    , oauth2GitHubScoped
-    )
-where
-
-import Yesod.Auth.OAuth2.Prelude
+  ( oauth2GitHub
+  , oauth2GitHubWidget
+  , oauth2GitHubScoped
+  , oauth2GitHubScopedWidget
+  ) where

 import qualified Data.Text as T
+import Yesod.Auth.OAuth2.Prelude
+import Yesod.Core (WidgetFor, whamlet)

 newtype User = User Int

 instance FromJSON User where
-    parseJSON = withObject "User" $ \o -> User <$> o .: "id"
+  parseJSON = withObject "User" $ \o -> User <$> o .: "id"

 pluginName :: Text
 pluginName = "github"
@ -30,28 +32,39 @@ defaultScopes = ["user:email"]
 oauth2GitHub :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2GitHub = oauth2GitHubScoped defaultScopes

-oauth2GitHubScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
-oauth2GitHubScoped scopes clientId clientSecret =
-    authOAuth2 pluginName oauth2 $ \manager token -> do
-        (User userId, userResponse) <- authGetProfile
-            pluginName
-            manager
-            token
-            "https://api.github.com/user"
+oauth2GitHubWidget
+  :: YesodAuth m => WidgetFor m () -> Text -> Text -> AuthPlugin m
+oauth2GitHubWidget widget = oauth2GitHubScopedWidget widget defaultScopes

-        pure Creds
-            { credsPlugin = pluginName
-            , credsIdent = T.pack $ show userId
-            , credsExtra = setExtra token userResponse
-            }
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            "https://github.com/login/oauth/authorize"
-                `withQuery` [scopeParam "," scopes]
-        , oauthAccessTokenEndpoint =
-            "https://github.com/login/oauth/access_token"
-        , oauthCallback = Nothing
+oauth2GitHubScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
+oauth2GitHubScoped =
+  oauth2GitHubScopedWidget [whamlet|Login via #{pluginName}|]
+
+oauth2GitHubScopedWidget
+  :: YesodAuth m => WidgetFor m () -> [Text] -> Text -> Text -> AuthPlugin m
+oauth2GitHubScopedWidget widget scopes clientId clientSecret =
+  authOAuth2Widget widget pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://api.github.com/user"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://github.com/login/oauth/authorize"
+            `withQuery` [scopeParam "," scopes]
+      , oauth2TokenEndpoint = "https://github.com/login/oauth/access_token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/GitLab.hs
+++ b/src/Yesod/Auth/OAuth2/GitLab.hs
@ -1,11 +1,11 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 module Yesod.Auth.OAuth2.GitLab
-    ( oauth2GitLab
-    , oauth2GitLabHostScopes
-    , defaultHost
-    , defaultScopes
-    )
-where
+  ( oauth2GitLab
+  , oauth2GitLabHostScopes
+  , defaultHost
+  , defaultScopes
+  ) where

 import Yesod.Auth.OAuth2.Prelude

@ -14,7 +14,7 @@ import qualified Data.Text as T
 newtype User = User Int

 instance FromJSON User where
-    parseJSON = withObject "User" $ \o -> User <$> o .: "id"
+  parseJSON = withObject "User" $ \o -> User <$> o .: "id"

 pluginName :: Text
 pluginName = "gitlab"
@ -33,32 +33,29 @@ defaultScopes = ["read_user"]
 --
 -- > oauth2GitLabHostScopes defaultHost ["api", "read_user"]
 -- > oauth2GitLabHostScopes "https://gitlab.example.com" defaultScopes
--
 oauth2GitLab :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2GitLab = oauth2GitLabHostScopes defaultHost defaultScopes

 oauth2GitLabHostScopes
-    :: YesodAuth m => URI -> [Text] -> Text -> Text -> AuthPlugin m
+  :: YesodAuth m => URI -> [Text] -> Text -> Text -> AuthPlugin m
 oauth2GitLabHostScopes host scopes clientId clientSecret =
-    authOAuth2 pluginName oauth2 $ \manager token -> do
-        (User userId, userResponse) <-
-            authGetProfile pluginName manager token
-            $ host
-            `withPath` "/api/v4/user"
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile pluginName manager token $ host `withPath` "/api/v4/user"

-        pure Creds
-            { credsPlugin = pluginName
-            , credsIdent = T.pack $ show userId
-            , credsExtra = setExtra token userResponse
-            }
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            host
-            `withPath` "/oauth/authorize"
-            `withQuery` [scopeParam " " scopes]
-        , oauthAccessTokenEndpoint = host `withPath` "/oauth/token"
-        , oauthCallback = Nothing
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          host `withPath` "/oauth/authorize" `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = host `withPath` "/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/Google.hs
+++ b/src/Yesod/Auth/OAuth2/Google.hs
@ -1,4 +1,6 @@
 {-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE QuasiQuotes #-}
+
 -- |
 --
 -- OAuth2 plugin for http://www.google.com
@ -22,22 +24,23 @@
 -- >         updatedCreds = creds { credsIdent = email }
 -- >
 -- >     -- continue normally with updatedCreds
--
 module Yesod.Auth.OAuth2.Google
-    ( oauth2Google
-    , oauth2GoogleScoped
-    )
-where
+  ( oauth2Google
+  , oauth2GoogleWidget
+  , oauth2GoogleScoped
+  , oauth2GoogleScopedWidget
+  ) where

 import Yesod.Auth.OAuth2.Prelude
+import Yesod.Core (WidgetFor, whamlet)

 newtype User = User Text

 instance FromJSON User where
-    parseJSON =
-        withObject "User" $ \o -> User
-        -- Required for data backwards-compatibility
-                                       <$> (("google-uid:" <>) <$> o .: "sub")
+  parseJSON =
+    withObject "User" $ \o ->
+      -- Required for data backwards-compatibility
+      User . ("google-uid:" <>) <$> o .: "sub"

 pluginName :: Text
 pluginName = "google"
@ -48,28 +51,39 @@ defaultScopes = ["openid", "email"]
 oauth2Google :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2Google = oauth2GoogleScoped defaultScopes

-oauth2GoogleScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
-oauth2GoogleScoped scopes clientId clientSecret =
-    authOAuth2 pluginName oauth2 $ \manager token -> do
-        (User userId, userResponse) <- authGetProfile
-            pluginName
-            manager
-            token
-            "https://www.googleapis.com/oauth2/v3/userinfo"
+oauth2GoogleWidget
+  :: YesodAuth m => WidgetFor m () -> Text -> Text -> AuthPlugin m
+oauth2GoogleWidget widget = oauth2GoogleScopedWidget widget defaultScopes

-        pure Creds
-            { credsPlugin = pluginName
-            , credsIdent = userId
-            , credsExtra = setExtra token userResponse
-            }
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            "https://accounts.google.com/o/oauth2/auth"
-                `withQuery` [scopeParam " " scopes]
-        , oauthAccessTokenEndpoint =
-            "https://www.googleapis.com/oauth2/v3/token"
-        , oauthCallback = Nothing
+oauth2GoogleScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
+oauth2GoogleScoped =
+  oauth2GoogleScopedWidget [whamlet|Login via #{pluginName}|]
+
+oauth2GoogleScopedWidget
+  :: YesodAuth m => WidgetFor m () -> [Text] -> Text -> Text -> AuthPlugin m
+oauth2GoogleScopedWidget widget scopes clientId clientSecret =
+  authOAuth2Widget widget pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://www.googleapis.com/oauth2/v3/userinfo"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://accounts.google.com/o/oauth2/auth"
+            `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = "https://www.googleapis.com/oauth2/v3/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/Nylas.hs
+++ b/src/Yesod/Auth/OAuth2/Nylas.hs
@ -1,9 +1,8 @@
 {-# LANGUAGE OverloadedStrings #-}

 module Yesod.Auth.OAuth2.Nylas
-    ( oauth2Nylas
-    )
-where
+  ( oauth2Nylas
+  ) where

 import Yesod.Auth.OAuth2.Prelude

@ -16,7 +15,7 @@ import qualified Yesod.Auth.OAuth2.Exception as YesodOAuth2Exception
 newtype User = User Text

 instance FromJSON User where
-    parseJSON = withObject "User" $ \o -> User <$> o .: "id"
+  parseJSON = withObject "User" $ \o -> User <$> o .: "id"

 pluginName :: Text
 pluginName = "nylas"
@ -26,44 +25,46 @@ defaultScopes = ["email"]

 oauth2Nylas :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2Nylas clientId clientSecret =
-    authOAuth2 pluginName oauth $ \manager token -> do
-        req <- applyBasicAuth (encodeUtf8 $ atoken $ accessToken token) ""
-            <$> parseRequest "https://api.nylas.com/account"
-        resp <- httpLbs req manager
-        let userResponse = responseBody resp
+  authOAuth2 pluginName oauth $ \manager token -> do
+    req <-
+      applyBasicAuth (encodeUtf8 $ atoken $ accessToken token) ""
+        <$> parseRequest "https://api.nylas.com/account"
+    resp <- httpLbs req manager
+    let userResponse = responseBody resp

-        -- FIXME: was this working? I'm 95% sure that the client will throw its
-        -- own exception on unsuccessful status codes.
-        unless (HT.statusIsSuccessful $ responseStatus resp)
-            $ throwIO
-            $ YesodOAuth2Exception.GenericError pluginName
-            $ "Unsuccessful HTTP response: "
+    -- FIXME: was this working? I'm 95% sure that the client will throw its
+    -- own exception on unsuccessful status codes.
+    unless (HT.statusIsSuccessful $ responseStatus resp) $
+      throwIO $
+        YesodOAuth2Exception.GenericError pluginName $
+          "Unsuccessful HTTP response: "
            <> BL8.unpack userResponse

-        either
-                (throwIO . YesodOAuth2Exception.JSONDecodingError pluginName)
-                (\(User userId) -> pure Creds
-                    { credsPlugin = pluginName
-                    , credsIdent = userId
-                    , credsExtra = setExtra token userResponse
-                    }
-                )
-            $ eitherDecode userResponse
-  where
-    oauth = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            "https://api.nylas.com/oauth/authorize"
-                `withQuery` [ ("response_type", "code")
-                            , ( "client_id"
-                              , encodeUtf8 clientId
-                              )
-            -- N.B. The scopes delimeter is unknown/untested. Verify that before
-            -- extracting this to an argument and offering a Scoped function. In
-            -- its current state, it doesn't matter because it's only one scope.
-                            , scopeParam "," defaultScopes
-                            ]
-        , oauthAccessTokenEndpoint = "https://api.nylas.com/oauth/token"
-        , oauthCallback = Nothing
-        }
+    either
+      (throwIO . YesodOAuth2Exception.JSONDecodingError pluginName)
+      ( \(User userId) ->
+          pure
+            Creds
+              { credsPlugin = pluginName
+              , credsIdent = userId
+              , credsExtra = setExtra token userResponse
+              }
+      )
+      $ eitherDecode userResponse
+ where
+  oauth =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://api.nylas.com/oauth/authorize"
+            `withQuery` [ ("response_type", "code")
+                        , ("client_id", encodeUtf8 clientId)
+                        , -- N.B. The scopes delimeter is unknown/untested. Verify that before
+                          -- extracting this to an argument and offering a Scoped function. In
+                          -- its current state, it doesn't matter because it's only one scope.
+                          scopeParam "," defaultScopes
+                        ]
+      , oauth2TokenEndpoint = "https://api.nylas.com/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/ORCID.hs
+++ b/src/Yesod/Auth/OAuth2/ORCID.hs
@ -0,0 +1,50 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+module Yesod.Auth.OAuth2.ORCID
+  ( oauth2ORCID
+  ) where
+
+import qualified Data.Text as T
+import Yesod.Auth.OAuth2.Prelude
+
+pluginName :: Text
+pluginName = "orcid"
+
+newtype User = User Text
+
+instance FromJSON User where
+  parseJSON = withObject "User" $ \o -> User <$> o .: "sub"
+
+oauth2ORCID
+  :: YesodAuth m
+  => Text
+  -- ^ Client Id
+  -> Text
+  -- ^ Client Secret
+  -> AuthPlugin m
+oauth2ORCID clientId clientSecret =
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://orcid.org/oauth/userinfo"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
+        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://orcid.org/oauth/authorize"
+            `withQuery` [scopeParam " " ["openid"]]
+      , oauth2TokenEndpoint = "https://orcid.org/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/Prelude.hs
+++ b/src/Yesod/Auth/OAuth2/Prelude.hs
@ -1,61 +1,63 @@
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE TupleSections #-}
+
 -- |
 --
 -- Modules and support functions required by most or all provider
 -- implementations. May also be useful for writing local providers.
--
 module Yesod.Auth.OAuth2.Prelude
-    (
-      -- * Provider helpers
-      authGetProfile
-    , scopeParam
-    , setExtra
+  ( authGetProfile
+  , scopeParam
+  , setExtra

    -- * Text
-    , Text
-    , decodeUtf8
-    , encodeUtf8
+  , Text
+  , decodeUtf8
+  , encodeUtf8

    -- * JSON
-    , (.:)
-    , (.:?)
-    , (.=)
-    , (<>)
-    , FromJSON(..)
-    , ToJSON(..)
-    , eitherDecode
-    , withObject
+  , (.:)
+  , (.:?)
+  , (.=)
+  , (<>)
+  , FromJSON (..)
+  , ToJSON (..)
+  , eitherDecode
+  , withObject

    -- * Exceptions
-    , throwIO
+  , throwIO

    -- * OAuth2
-    , OAuth2(..)
-    , OAuth2Token(..)
-    , AccessToken(..)
-    , RefreshToken(..)
+  , OAuth2 (..)
+  , TokenResponse
+  , accessToken
+  , refreshToken
+  , expiresIn
+  , tokenType
+  , idToken
+  , AccessToken (..)
+  , RefreshToken (..)

    -- * HTTP
-    , Manager
+  , Manager

    -- * Yesod
-    , YesodAuth(..)
-    , AuthPlugin(..)
-    , Creds(..)
+  , YesodAuth (..)
+  , AuthPlugin (..)
+  , Creds (..)

    -- * Bytestring URI types
-    , URI
-    , Host(..)
+  , URI
+  , Host (..)

    -- * Bytestring URI extensions
-    , module URI.ByteString.Extension
+  , module URI.ByteString.Extension

    -- * Temporary, until I finish re-structuring modules
-    , authOAuth2
-    , authOAuth2Widget
-    )
-where
+  , authOAuth2
+  , authOAuth2Widget
+  ) where

 import Control.Exception.Safe
 import Data.Aeson
@ -65,7 +67,7 @@ import Data.Text (Text)
 import qualified Data.Text as T
 import Data.Text.Encoding
 import Network.HTTP.Conduit
-import Network.OAuth.OAuth2
+import Network.OAuth.OAuth2.Compat
 import URI.ByteString
 import URI.ByteString.Extension
 import Yesod.Auth
@ -77,34 +79,33 @@ import qualified Yesod.Auth.OAuth2.Exception as YesodOAuth2Exception
 -- The response should be parsed only far enough to read the required
 -- @'credsIdent'@. Additional information should either be re-parsed by or
 -- fetched via additional requests by consumers.
--
 authGetProfile
-    :: FromJSON a
-    => Text
-    -> Manager
-    -> OAuth2Token
-    -> URI
-    -> IO (a, BL.ByteString)
+  :: FromJSON a
+  => Text
+  -> Manager
+  -> TokenResponse
+  -> URI
+  -> IO (a, BL.ByteString)
 authGetProfile name manager token url = do
-    resp <- fromAuthGet name =<< authGetBS manager (accessToken token) url
-    decoded <- fromAuthJSON name resp
-    pure (decoded, resp)
+  resp <- fromAuthGet name =<< authGetBS manager (accessToken token) url
+  decoded <- fromAuthJSON name resp
+  pure (decoded, resp)

 -- | Throws a @Left@ result as an @'YesodOAuth2Exception'@
 fromAuthGet :: Text -> Either BL.ByteString BL.ByteString -> IO BL.ByteString
 fromAuthGet _ (Right bs) = pure bs -- nice
 fromAuthGet name (Left err) =
-    throwIO $ YesodOAuth2Exception.OAuth2Error name err
+  throwIO $ YesodOAuth2Exception.OAuth2Error name err

 -- | Throws a decoding error as an @'YesodOAuth2Exception'@
 fromAuthJSON :: FromJSON a => Text -> BL.ByteString -> IO a
 fromAuthJSON name =
-    either (throwIO . YesodOAuth2Exception.JSONDecodingError name) pure
-        . eitherDecode
+  either (throwIO . YesodOAuth2Exception.JSONDecodingError name) pure
+    . eitherDecode

 -- | A tuple of @\"scope\"@ and the given scopes separated by a delimiter
 scopeParam :: Text -> [Text] -> (ByteString, ByteString)
-scopeParam d = ("scope", ) . encodeUtf8 . T.intercalate d
+scopeParam d = ("scope",) . encodeUtf8 . T.intercalate d

 -- brittany-disable-next-binding

@ -118,10 +119,9 @@ scopeParam d = ("scope", ) . encodeUtf8 . T.intercalate d
 -- May set the following keys:
 --
 -- - @refreshToken@: if the provider supports refreshing the @accessToken@
--
-setExtra :: OAuth2Token -> BL.ByteString -> [(Text, Text)]
+setExtra :: TokenResponse -> BL.ByteString -> [(Text, Text)]
 setExtra token userResponse =
-    [ ("accessToken", atoken $ accessToken token)
-    , ("userResponse", decodeUtf8 $ BL.toStrict userResponse)
-    ]
-    <> maybe [] (pure . ("refreshToken", ) . rtoken) (refreshToken token)
+  [ ("accessToken", atoken $ accessToken token)
+  , ("userResponse", decodeUtf8 $ BL.toStrict userResponse)
+  ]
+    <> maybe [] (pure . ("refreshToken",) . rtoken) (refreshToken token)
--- a/src/Yesod/Auth/OAuth2/Random.hs
+++ b/src/Yesod/Auth/OAuth2/Random.hs
@ -0,0 +1,19 @@
+{-# LANGUAGE TypeApplications #-}
+
+module Yesod.Auth.OAuth2.Random
+  ( randomText
+  ) where
+
+import Crypto.Random (MonadRandom, getRandomBytes)
+import Data.ByteArray.Encoding (Base (Base64), convertToBase)
+import Data.ByteString (ByteString)
+import Data.Text (Text)
+import Data.Text.Encoding (decodeUtf8)
+
+randomText
+  :: MonadRandom m
+  => Int
+  -- ^ Size in Bytes (not necessarily characters)
+  -> m Text
+randomText size =
+  decodeUtf8 . convertToBase @ByteString Base64 <$> getRandomBytes size
--- a/src/Yesod/Auth/OAuth2/Salesforce.hs
+++ b/src/Yesod/Auth/OAuth2/Salesforce.hs
@ -1,25 +1,24 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 --
 -- OAuth2 plugin for http://login.salesforce.com
 --
 -- * Authenticates against Salesforce (or sandbox)
 -- * Uses Salesforce user id as credentials identifier
--
 module Yesod.Auth.OAuth2.Salesforce
-    ( oauth2Salesforce
-    , oauth2SalesforceScoped
-    , oauth2SalesforceSandbox
-    , oauth2SalesforceSandboxScoped
-    )
-where
+  ( oauth2Salesforce
+  , oauth2SalesforceScoped
+  , oauth2SalesforceSandbox
+  , oauth2SalesforceSandboxScoped
+  ) where

 import Yesod.Auth.OAuth2.Prelude

 newtype User = User Text

 instance FromJSON User where
-    parseJSON = withObject "User" $ \o -> User <$> o .: "user_id"
+  parseJSON = withObject "User" $ \o -> User <$> o .: "user_id"

 pluginName :: Text
 pluginName = "salesforce"
@ -31,7 +30,8 @@ oauth2Salesforce :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2Salesforce = oauth2SalesforceScoped defaultScopes

 oauth2SalesforceScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
-oauth2SalesforceScoped = salesforceHelper
+oauth2SalesforceScoped =
+  salesforceHelper
    pluginName
    "https://login.salesforce.com/services/oauth2/userinfo"
    "https://login.salesforce.com/services/oauth2/authorize"
@ -41,42 +41,43 @@ oauth2SalesforceSandbox :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2SalesforceSandbox = oauth2SalesforceSandboxScoped defaultScopes

 oauth2SalesforceSandboxScoped
-    :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
-oauth2SalesforceSandboxScoped = salesforceHelper
+  :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
+oauth2SalesforceSandboxScoped =
+  salesforceHelper
    (pluginName <> "-sandbox")
    "https://test.salesforce.com/services/oauth2/userinfo"
    "https://test.salesforce.com/services/oauth2/authorize"
    "https://test.salesforce.com/services/oauth2/token"

 salesforceHelper
-    :: YesodAuth m
-    => Text
-    -> URI -- ^ User profile
-    -> URI -- ^ Authorize
-    -> URI -- ^ Token
-    -> [Text]
-    -> Text
-    -> Text
-    -> AuthPlugin m
-salesforceHelper name profileUri authorizeUri tokenUri scopes clientId clientSecret
-    = authOAuth2 name oauth2 $ \manager token -> do
-        (User userId, userResponse) <- authGetProfile
-            name
-            manager
-            token
-            profileUri
+  :: YesodAuth m
+  => Text
+  -> URI
+  -- ^ User profile
+  -> URI
+  -- ^ Authorize
+  -> URI
+  -- ^ Token
+  -> [Text]
+  -> Text
+  -> Text
+  -> AuthPlugin m
+salesforceHelper name profileUri authorizeUri tokenUri scopes clientId clientSecret =
+  authOAuth2 name oauth2 $ \manager token -> do
+    (User userId, userResponse) <- authGetProfile name manager token profileUri

-        pure Creds
-            { credsPlugin = pluginName
-            , credsIdent = userId
-            , credsExtra = setExtra token userResponse
-            }
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            authorizeUri `withQuery` [scopeParam " " scopes]
-        , oauthAccessTokenEndpoint = tokenUri
-        , oauthCallback = Nothing
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint = authorizeUri `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = tokenUri
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/Slack.hs
+++ b/src/Yesod/Auth/OAuth2/Slack.hs
@ -1,28 +1,31 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 -- OAuth2 plugin for https://slack.com/
 --
 -- * Authenticates against slack
 -- * Uses slack user id as credentials identifier
--
 module Yesod.Auth.OAuth2.Slack
-    ( SlackScope(..)
-    , oauth2Slack
-    , oauth2SlackScoped
-    )
-where
+  ( SlackScope (..)
+  , oauth2Slack
+  , oauth2SlackScoped
+  ) where

 import Yesod.Auth.OAuth2.Prelude

 import Network.HTTP.Client
-    (httpLbs, parseUrlThrow, responseBody, setQueryString)
+  ( httpLbs
+  , parseUrlThrow
+  , responseBody
+  , setQueryString
+  )
 import Yesod.Auth.OAuth2.Exception as YesodOAuth2Exception

 data SlackScope
-    = SlackBasicScope
-    | SlackEmailScope
-    | SlackTeamScope
-    | SlackAvatarScope
+  = SlackBasicScope
+  | SlackEmailScope
+  | SlackTeamScope
+  | SlackAvatarScope

 scopeText :: SlackScope -> Text
 scopeText SlackBasicScope = "identity.basic"
@ -33,9 +36,9 @@ scopeText SlackAvatarScope = "identity.avatar"
 newtype User = User Text

 instance FromJSON User where
-    parseJSON = withObject "User" $ \root -> do
-        o <- root .: "user"
-        User <$> o .: "id"
+  parseJSON = withObject "User" $ \root -> do
+    o <- root .: "user"
+    User <$> o .: "id"

 pluginName :: Text
 pluginName = "slack"
@ -46,30 +49,35 @@ defaultScopes = [SlackBasicScope]
 oauth2Slack :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2Slack = oauth2SlackScoped defaultScopes

-oauth2SlackScoped :: YesodAuth m => [SlackScope] -> Text -> Text -> AuthPlugin m
+oauth2SlackScoped
+  :: YesodAuth m => [SlackScope] -> Text -> Text -> AuthPlugin m
 oauth2SlackScoped scopes clientId clientSecret =
-    authOAuth2 pluginName oauth2 $ \manager token -> do
-        let param = encodeUtf8 $ atoken $ accessToken token
-        req <- setQueryString [("token", Just param)]
-            <$> parseUrlThrow "https://slack.com/api/users.identity"
-        userResponse <- responseBody <$> httpLbs req manager
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    let param = encodeUtf8 $ atoken $ accessToken token
+    req <-
+      setQueryString [("token", Just param)]
+        <$> parseUrlThrow "https://slack.com/api/users.identity"
+    userResponse <- responseBody <$> httpLbs req manager

-        either
-                (throwIO . YesodOAuth2Exception.JSONDecodingError pluginName)
-                (\(User userId) -> pure Creds
-                    { credsPlugin = pluginName
-                    , credsIdent = userId
-                    , credsExtra = setExtra token userResponse
-                    }
-                )
-            $ eitherDecode userResponse
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            "https://slack.com/oauth/authorize"
-                `withQuery` [scopeParam "," $ map scopeText scopes]
-        , oauthAccessTokenEndpoint = "https://slack.com/api/oauth.access"
-        , oauthCallback = Nothing
-        }
+    either
+      (throwIO . YesodOAuth2Exception.JSONDecodingError pluginName)
+      ( \(User userId) ->
+          pure
+            Creds
+              { credsPlugin = pluginName
+              , credsIdent = userId
+              , credsExtra = setExtra token userResponse
+              }
+      )
+      $ eitherDecode userResponse
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://slack.com/oauth/authorize"
+            `withQuery` [scopeParam "," $ map scopeText scopes]
+      , oauth2TokenEndpoint = "https://slack.com/api/oauth.access"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/Spotify.hs
+++ b/src/Yesod/Auth/OAuth2/Spotify.hs
@ -1,44 +1,46 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 --
 -- OAuth2 plugin for http://spotify.com
--
 module Yesod.Auth.OAuth2.Spotify
-    ( oauth2Spotify
-    )
-where
+  ( oauth2Spotify
+  ) where

 import Yesod.Auth.OAuth2.Prelude

 newtype User = User Text

 instance FromJSON User where
-    parseJSON = withObject "User" $ \o -> User <$> o .: "id"
+  parseJSON = withObject "User" $ \o -> User <$> o .: "id"

 pluginName :: Text
 pluginName = "spotify"

 oauth2Spotify :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
 oauth2Spotify scopes clientId clientSecret =
-    authOAuth2 pluginName oauth2 $ \manager token -> do
-        (User userId, userResponse) <- authGetProfile
-            pluginName
-            manager
-            token
-            "https://api.spotify.com/v1/me"
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://api.spotify.com/v1/me"

-        pure Creds
-            { credsPlugin = pluginName
-            , credsIdent = userId
-            , credsExtra = setExtra token userResponse
-            }
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            "https://accounts.spotify.com/authorize"
-                `withQuery` [scopeParam " " scopes]
-        , oauthAccessTokenEndpoint = "https://accounts.spotify.com/api/token"
-        , oauthCallback = Nothing
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://accounts.spotify.com/authorize"
+            `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint = "https://accounts.spotify.com/api/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/Twitch.hs
+++ b/src/Yesod/Auth/OAuth2/Twitch.hs
@ -0,0 +1,62 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+-- |
+--
+-- OAuth2 plugin for http://twitch.tv
+--
+-- * Authenticates against twitch
+-- * Uses twitch user id as credentials identifier
+module Yesod.Auth.OAuth2.Twitch
+  ( oauth2Twitch
+  , oauth2TwitchScoped
+  ) where
+
+import Yesod.Auth.OAuth2.Prelude
+
+import qualified Data.Text.Encoding as T
+
+newtype User = User Text
+
+instance FromJSON User where
+  parseJSON = withObject "User" $ \o -> User <$> o .: "user_id"
+
+pluginName :: Text
+pluginName = "twitch"
+
+defaultScopes :: [Text]
+defaultScopes = ["user:read:email"]
+
+oauth2Twitch :: YesodAuth m => Text -> Text -> AuthPlugin m
+oauth2Twitch = oauth2TwitchScoped defaultScopes
+
+oauth2TwitchScoped :: YesodAuth m => [Text] -> Text -> Text -> AuthPlugin m
+oauth2TwitchScoped scopes clientId clientSecret =
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://id.twitch.tv/oauth2/validate"
+
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = userId
+        , credsExtra = setExtra token userResponse
+        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://id.twitch.tv/oauth2/authorize"
+            `withQuery` [scopeParam " " scopes]
+      , oauth2TokenEndpoint =
+          "https://id.twitch.tv/oauth2/token"
+            `withQuery` [ ("client_id", T.encodeUtf8 clientId)
+                        , ("client_secret", T.encodeUtf8 clientSecret)
+                        ]
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/Upcase.hs
+++ b/src/Yesod/Auth/OAuth2/Upcase.hs
@ -1,15 +1,14 @@
 {-# LANGUAGE OverloadedStrings #-}
+
 -- |
 --
 -- OAuth2 plugin for http://upcase.com
 --
 -- * Authenticates against upcase
 -- * Uses upcase user id as credentials identifier
--
 module Yesod.Auth.OAuth2.Upcase
-    ( oauth2Upcase
-    )
-where
+  ( oauth2Upcase
+  ) where

 import Yesod.Auth.OAuth2.Prelude

@ -18,32 +17,35 @@ import qualified Data.Text as T
 newtype User = User Int

 instance FromJSON User where
-    parseJSON = withObject "User" $ \root -> do
-        o <- root .: "user"
-        User <$> o .: "id"
+  parseJSON = withObject "User" $ \root -> do
+    o <- root .: "user"
+    User <$> o .: "id"

 pluginName :: Text
 pluginName = "upcase"

 oauth2Upcase :: YesodAuth m => Text -> Text -> AuthPlugin m
 oauth2Upcase clientId clientSecret =
-    authOAuth2 pluginName oauth2 $ \manager token -> do
-        (User userId, userResponse) <- authGetProfile
-            pluginName
-            manager
-            token
-            "http://upcase.com/api/v1/me.json"
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (User userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "http://upcase.com/api/v1/me.json"

-        pure Creds
-            { credsPlugin = pluginName
-            , credsIdent = T.pack $ show userId
-            , credsExtra = setExtra token userResponse
-            }
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint = "http://upcase.com/oauth/authorize"
-        , oauthAccessTokenEndpoint = "http://upcase.com/oauth/token"
-        , oauthCallback = Nothing
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint = "http://upcase.com/oauth/authorize"
+      , oauth2TokenEndpoint = "http://upcase.com/oauth/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/src/Yesod/Auth/OAuth2/WordPressDotCom.hs
+++ b/src/Yesod/Auth/OAuth2/WordPressDotCom.hs
@ -1,9 +1,8 @@
 {-# LANGUAGE OverloadedStrings #-}

 module Yesod.Auth.OAuth2.WordPressDotCom
-    ( oauth2WordPressDotCom
-    )
-where
+  ( oauth2WordPressDotCom
+  ) where

 import qualified Data.Text as T
 import Yesod.Auth.OAuth2.Prelude
@ -14,35 +13,38 @@ pluginName = "WordPress.com"
 newtype WpUser = WpUser Int

 instance FromJSON WpUser where
-    parseJSON = withObject "WpUser" $ \o -> WpUser <$> o .: "ID"
+  parseJSON = withObject "WpUser" $ \o -> WpUser <$> o .: "ID"

 oauth2WordPressDotCom
-    :: (YesodAuth m)
-    => Text -- ^ Client Id
-    -> Text -- ^ Client Secret
-    -> AuthPlugin m
+  :: YesodAuth m
+  => Text
+  -- ^ Client Id
+  -> Text
+  -- ^ Client Secret
+  -> AuthPlugin m
 oauth2WordPressDotCom clientId clientSecret =
-    authOAuth2 pluginName oauth2 $ \manager token -> do
-        (WpUser userId, userResponse) <- authGetProfile
-            pluginName
-            manager
-            token
-            "https://public-api.wordpress.com/rest/v1/me/"
+  authOAuth2 pluginName oauth2 $ \manager token -> do
+    (WpUser userId, userResponse) <-
+      authGetProfile
+        pluginName
+        manager
+        token
+        "https://public-api.wordpress.com/rest/v1/me/"

-        pure Creds
-            { credsPlugin = pluginName
-            , credsIdent = T.pack $ show userId
-            , credsExtra = setExtra token userResponse
-            }
-
-  where
-    oauth2 = OAuth2
-        { oauthClientId = clientId
-        , oauthClientSecret = Just clientSecret
-        , oauthOAuthorizeEndpoint =
-            "https://public-api.wordpress.com/oauth2/authorize"
-                `withQuery` [scopeParam "," ["auth"]]
-        , oauthAccessTokenEndpoint =
-            "https://public-api.wordpress.com/oauth2/token"
-        , oauthCallback = Nothing
+    pure
+      Creds
+        { credsPlugin = pluginName
+        , credsIdent = T.pack $ show userId
+        , credsExtra = setExtra token userResponse
        }
+ where
+  oauth2 =
+    OAuth2
+      { oauth2ClientId = clientId
+      , oauth2ClientSecret = clientSecret
+      , oauth2AuthorizeEndpoint =
+          "https://public-api.wordpress.com/oauth2/authorize"
+            `withQuery` [scopeParam "," ["auth"]]
+      , oauth2TokenEndpoint = "https://public-api.wordpress.com/oauth2/token"
+      , oauth2RedirectUri = Nothing
+      }
--- a/stack-lts-13.2.yaml
+++ b/stack-lts-13.2.yaml
@ -1,11 +0,0 @@
---
-resolver: lts-13.2
-
-extra-deps:
-  - hoauth2-1.14.0@sha256:fcb4284fc78950c91d5b548317c51bd99a5ced84f4bb9e6153624b5783e4215f,5628
-
-# Fix for weeder with stack-2
-ghc-options:
-  "$locals":
-    -ddump-to-file
-    -ddump-hi
--- a/stack-lts-13.2.yaml.lock
+++ b/stack-lts-13.2.yaml.lock
@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: hoauth2-1.14.0@sha256:fcb4284fc78950c91d5b548317c51bd99a5ced84f4bb9e6153624b5783e4215f,5628
-    pantry-tree:
-      size: 2046
-      sha256: f25e2c2c101312196159dad5a3e2a4c8f549ed2d036d9566b66786d758db7dba
-  original:
-    hackage: hoauth2-1.14.0@sha256:fcb4284fc78950c91d5b548317c51bd99a5ced84f4bb9e6153624b5783e4215f,5628
-snapshots:
- completed:
-    size: 492864
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/13/2.yaml
-    sha256: 586534518d3e7be8617d97ea296f05f497c0b4bb006f100367d66f5c45ae6268
-  original: lts-13.2
--- a/stack-lts-16.10.yaml
+++ b/stack-lts-16.10.yaml
@ -1,8 +0,0 @@
---
-resolver: lts-16.10
-
-# Fix for weeder with stack-2
-ghc-options:
-  "$locals":
-    -ddump-to-file
-    -ddump-hi
--- a/stack-lts-16.10.yaml.lock
+++ b/stack-lts-16.10.yaml.lock
@ -1,12 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages: []
-snapshots:
- completed:
-    size: 532383
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/16/10.yaml
-    sha256: 469d781ab6d2a4eceed6b31b6e4ec842dcd3cd1d11577972e86902603dce24df
-  original: lts-16.10
--- a/stack-lts21.yaml
+++ b/stack-lts21.yaml
@ -0,0 +1 @@
+resolver: lts-21.25
--- a/stack-lts22.yaml
+++ b/stack-lts22.yaml
@ -0,0 +1 @@
+resolver: lts-22.44
--- a/stack-lts23.yaml
+++ b/stack-lts23.yaml
@ -0,0 +1 @@
+resolver: lts-23.28
--- a/stack-lts24.yaml
+++ b/stack-lts24.yaml
@ -0,0 +1 @@
+resolver: lts-24.26
--- a/stack-nightly.yaml
+++ b/stack-nightly.yaml
@ -1,14 +1,4 @@
-# Overridden by --resolver on CI
-resolver: nightly-2020-08-19
+resolver: nightly-2026-01-05
 extra-deps:
-  - yesod-auth-1.6.10@sha256:c1d923621306c6a625553fd02ab805619de405707f22eb09c9b0c0f3c9e7bd0c,3038
-
-  # for yesod-auth
-  - yesod-form-1.6.7@sha256:b216bb4eb0575d4fcc497b1d7f47edf25fc9035ab3ae8b77bf7fcbedc15dd2ea,3350
-  - yesod-persistent-1.6.0.4@sha256:4e8d00ca5e347bb8efa246ec272200f71597c62369dbbf66bb50216968b8f926,1692
-
-  # for yesod-persistent
-  - persistent-template-2.8.3.1@sha256:83ea6047a52ad0379ad958e6126ff289021238ed0ae4f9cf8edb8e094524f2a3,2774
-
-# Because persistent-template requires persistent >= 2.11, which does not exist
-allow-newer: true
+  - cryptonite-0.30
+  - yesod-auth-1.6.11.3
--- a/stack-nightly.yaml.lock
+++ b/stack-nightly.yaml.lock
@ -1,19 +0,0 @@
-# This file was autogenerated by Stack.
-# You should not edit this file by hand.
-# For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
-
-packages:
- completed:
-    hackage: hoauth2-1.8.9@sha256:63929253f6cdeb096a369980d2acf0d7eedd0c98ac46f962f717c56b724069a4,5734
-    pantry-tree:
-      size: 1986
-      sha256: 1c2901e88e82128b1e7f46e4b58eaeec779a630f0e30eb8bc226cb8ebb521bf8
-  original:
-    hackage: hoauth2-1.8.9@sha256:63929253f6cdeb096a369980d2acf0d7eedd0c98ac46f962f717c56b724069a4,5734
-snapshots:
- completed:
-    size: 434661
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/nightly/2019/11/29.yaml
-    sha256: 9edba401b588c0b8359262043b51f0bd33e2334802f0a1467eb660a23601eaf6
-  original: nightly-2019-11-29
--- a/stack.yaml
+++ b/stack.yaml
@ -1,8 +0,0 @@
---
-resolver: lts-16.10
-
-# Fix for weeder with stack-2
-ghc-options:
-  "$locals":
-    -ddump-to-file
-    -ddump-hi
--- a/stack.yaml
+++ b/stack.yaml
@ -0,0 +1 @@
+stack-lts24.yaml
--- a/stack.yaml.lock
+++ b/stack.yaml.lock
@ -1,12 +1,12 @@
 # This file was autogenerated by Stack.
 # You should not edit this file by hand.
 # For more information, please see the documentation at:
-#   https://docs.haskellstack.org/en/stable/lock_files
+#   https://docs.haskellstack.org/en/stable/topics/lock_files

 packages: []
 snapshots:
 - completed:
-    size: 532383
-    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/16/10.yaml
-    sha256: 469d781ab6d2a4eceed6b31b6e4ec842dcd3cd1d11577972e86902603dce24df
-  original: lts-16.10
+    sha256: d90eb1418667a225998b173817300e5ae2e1500ed03c0a9457cc2a0e78a0122a
+    size: 726337
+    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/24/26.yaml
+  original: lts-24.26
--- a/test/URI/ByteString/ExtensionSpec.hs
+++ b/test/URI/ByteString/ExtensionSpec.hs
@ -1,8 +1,9 @@
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE QuasiQuotes #-}
+
 module URI.ByteString.ExtensionSpec
-    ( spec
-    ) where
+  ( spec
+  ) where

 import Test.Hspec

@ -14,65 +15,66 @@ import URI.ByteString.QQ

 spec :: Spec
 spec = do
-    describe "IsString Scheme" $ it "works" $ do
-        "https" `shouldBe` Scheme "https"
+  describe "IsString Scheme" $ it "works" $ do
+    "https" `shouldBe` Scheme "https"

-    describe "IsString Host" $ it "works" $ do
-        "example.com" `shouldBe` Host "example.com"
+  describe "IsString Host" $ it "works" $ do
+    "example.com" `shouldBe` Host "example.com"

-    describe "IsString URIRef Relative" $ it "works" $ do
-        "example.com/foo?bar=baz"
-            `shouldBe` [relativeRef|example.com/foo?bar=baz|]
+  describe "IsString URIRef Relative" $ it "works" $ do
+    "example.com/foo?bar=baz" `shouldBe` [relativeRef|example.com/foo?bar=baz|]

-    describe "IsString URIRef Absolute" $ it "works" $ do
-        "https://example.com/foo?bar=baz"
-            `shouldBe` [uri|https://example.com/foo?bar=baz|]
+  describe "IsString URIRef Absolute" $ it "works" $ do
+    "https://example.com/foo?bar=baz"
+      `shouldBe` [uri|https://example.com/foo?bar=baz|]

-    describe "fromText" $ do
-        it "returns Just a URI for valid values, as the quasi-quoter would" $ do
-            fromText "http://example.com/foo?bar=baz"
-                `shouldBe` Just [uri|http://example.com/foo?bar=baz|]
+  describe "fromText" $ do
+    it "returns Just a URI for valid values, as the quasi-quoter would" $ do
+      fromText "http://example.com/foo?bar=baz"
+        `shouldBe` Just [uri|http://example.com/foo?bar=baz|]

-        it "returns Nothing for invalid values" $ do
-            fromText "Oh my, what did I do?" `shouldBe` Nothing
+    it "returns Nothing for invalid values" $ do
+      fromText "Oh my, what did I do?" `shouldBe` Nothing

-    describe "unsafeFromText" $ do
-        it "returns a URI for valid values, as the quasi-quoter would" $ do
-            unsafeFromText "http://example.com/foo?bar=baz"
-                `shouldBe` [uri|http://example.com/foo?bar=baz|]
+  describe "unsafeFromText" $ do
+    it "returns a URI for valid values, as the quasi-quoter would" $ do
+      unsafeFromText "http://example.com/foo?bar=baz"
+        `shouldBe` [uri|http://example.com/foo?bar=baz|]

-        it "raises for invalid values" $ do
-            evaluate (unsafeFromText "Oh my, what did I do?")
-                `shouldThrow` errorContaining "MissingColon"
+    it "raises for invalid values" $ do
+      evaluate (unsafeFromText "Oh my, what did I do?")
+        `shouldThrow` errorContaining "MissingColon"

-    describe "toText" $ do
-        it "serializes the URI to text" $ do
-            toText [uri|https://example.com/foo?bar=baz|]
-                `shouldBe` "https://example.com/foo?bar=baz"
+  describe "toText" $ do
+    it "serializes the URI to text" $ do
+      toText [uri|https://example.com/foo?bar=baz|]
+        `shouldBe` "https://example.com/foo?bar=baz"

-    describe "fromRelative" $ do
-        it "makes a URI absolute with a given host" $ do
-            fromRelative "ftp" "foo.com" [relativeRef|/bar?baz=bat|]
-                `shouldBe` [uri|ftp://foo.com/bar?baz=bat|]
+  describe "fromRelative" $ do
+    it "makes a URI absolute with a given host" $ do
+      fromRelative "ftp" "foo.com" [relativeRef|/bar?baz=bat|]
+        `shouldBe` [uri|ftp://foo.com/bar?baz=bat|]

-    describe "withQuery" $ do
-        it "appends a query to a URI" $ do
-            let uriWithQuery = [uri|http://example.com|] `withQuery` [("foo", "bar")]
+  describe "withQuery" $ do
+    it "appends a query to a URI" $ do
+      let uriWithQuery = [uri|http://example.com|] `withQuery` [("foo", "bar")]

-            uriWithQuery `shouldBe` [uri|http://example.com?foo=bar|]
+      uriWithQuery `shouldBe` [uri|http://example.com?foo=bar|]

-        it "handles a URI with an existing query" $ do
-            let uriWithQuery = [uri|http://example.com?foo=bar|] `withQuery` [("baz", "bat")]
+    it "handles a URI with an existing query" $ do
+      let uriWithQuery =
+            [uri|http://example.com?foo=bar|] `withQuery` [("baz", "bat")]

-            uriWithQuery `shouldBe` [uri|http://example.com?foo=bar&baz=bat|]
+      uriWithQuery `shouldBe` [uri|http://example.com?foo=bar&baz=bat|]

-        -- This is arguably testing the internals of another package, but IMO
-        -- it's worthwhile to show that you don't (and can't) pre-sanitize when
-        -- using this function.
-        it "handles santization of the query" $ do
-            let uriWithQuery = [uri|http://example.com|] `withQuery` [("foo", "bar baz")]
+    -- This is arguably testing the internals of another package, but IMO
+    -- it's worthwhile to show that you don't (and can't) pre-sanitize when
+    -- using this function.
+    it "handles santization of the query" $ do
+      let uriWithQuery =
+            [uri|http://example.com|] `withQuery` [("foo", "bar baz")]

-            toText uriWithQuery `shouldBe` "http://example.com?foo=bar%20baz"
+      toText uriWithQuery `shouldBe` "http://example.com?foo=bar%20baz"

 errorContaining :: String -> Selector ErrorCall
 errorContaining msg = (msg `isInfixOf`) . show
--- a/yesod-auth-oauth2.cabal
+++ b/yesod-auth-oauth2.cabal
@ -0,0 +1,131 @@
+cabal-version: 1.18
+
+-- This file has been generated from package.yaml by hpack version 0.38.1.
+--
+-- see: https://github.com/sol/hpack
+--
+-- hash: d595b9569ed34feddc8c41cf6f1f8cabbd8a37fa14b6afeeb24ad651ca689011
+
+name:           yesod-auth-oauth2
+version:        0.8.0.0
+synopsis:       OAuth 2.0 authentication plugins
+description:    Library to authenticate with OAuth 2.0 for Yesod web applications.
+category:       Web
+homepage:       http://github.com/freckle/yesod-auth-oauth2
+bug-reports:    https://github.com/freckle/yesod-auth-oauth2/issues
+author:         Tom Streller,
+                Patrick Brisbin,
+                Freckle Engineering
+maintainer:     engineering@freckle.com
+license:        MIT
+license-file:   LICENSE
+build-type:     Simple
+extra-doc-files:
+    README.md
+    CHANGELOG.md
+
+source-repository head
+  type: git
+  location: https://github.com/freckle/yesod-auth-oauth2
+
+flag example
+  description: Build the example application
+  manual: False
+  default: False
+
+library
+  exposed-modules:
+      Network.OAuth.OAuth2.Compat
+      UnliftIO.Except
+      URI.ByteString.Extension
+      Yesod.Auth.OAuth2
+      Yesod.Auth.OAuth2.Auth0
+      Yesod.Auth.OAuth2.AzureAD
+      Yesod.Auth.OAuth2.AzureADv2
+      Yesod.Auth.OAuth2.BattleNet
+      Yesod.Auth.OAuth2.Bitbucket
+      Yesod.Auth.OAuth2.ClassLink
+      Yesod.Auth.OAuth2.Dispatch
+      Yesod.Auth.OAuth2.DispatchError
+      Yesod.Auth.OAuth2.ErrorResponse
+      Yesod.Auth.OAuth2.EveOnline
+      Yesod.Auth.OAuth2.Exception
+      Yesod.Auth.OAuth2.GitHub
+      Yesod.Auth.OAuth2.GitLab
+      Yesod.Auth.OAuth2.Google
+      Yesod.Auth.OAuth2.Nylas
+      Yesod.Auth.OAuth2.ORCID
+      Yesod.Auth.OAuth2.Prelude
+      Yesod.Auth.OAuth2.Random
+      Yesod.Auth.OAuth2.Salesforce
+      Yesod.Auth.OAuth2.Slack
+      Yesod.Auth.OAuth2.Spotify
+      Yesod.Auth.OAuth2.Twitch
+      Yesod.Auth.OAuth2.Upcase
+      Yesod.Auth.OAuth2.WordPressDotCom
+  other-modules:
+      Paths_yesod_auth_oauth2
+  hs-source-dirs:
+      src
+  ghc-options: -Wall
+  build-depends:
+      aeson >=0.6
+    , base >=4.9.0.0 && <5
+    , bytestring >=0.9.1.4
+    , crypton
+    , errors
+    , hoauth2 >=2.8.0
+    , http-client >=0.4.0
+    , http-conduit >=2.0
+    , http-types >=0.8
+    , memory
+    , microlens
+    , mtl
+    , safe-exceptions
+    , text >=0.7
+    , transformers
+    , unliftio
+    , uri-bytestring
+    , yesod-auth >=1.6.0
+    , yesod-core >=1.6.0
+  default-language: Haskell2010
+
+executable yesod-auth-oauth2-example
+  main-is: Main.hs
+  other-modules:
+      Paths_yesod_auth_oauth2
+  hs-source-dirs:
+      example
+  ghc-options: -Wall -threaded -rtsopts -with-rtsopts=-N
+  build-depends:
+      aeson >=0.6
+    , aeson-pretty
+    , base >=4.9.0.0 && <5
+    , bytestring >=0.9.1.4
+    , containers >=0.6.0.1
+    , http-conduit >=2.0
+    , load-env
+    , text >=0.7
+    , warp
+    , yesod
+    , yesod-auth >=1.6.0
+    , yesod-auth-oauth2
+  default-language: Haskell2010
+  if !(flag(example))
+    buildable: False
+
+test-suite test
+  type: exitcode-stdio-1.0
+  main-is: Spec.hs
+  other-modules:
+      URI.ByteString.ExtensionSpec
+      Paths_yesod_auth_oauth2
+  hs-source-dirs:
+      test
+  ghc-options: -Wall
+  build-depends:
+      base >=4.9.0.0 && <5
+    , hspec
+    , uri-bytestring
+    , yesod-auth-oauth2
+  default-language: Haskell2010