if ci_badges.map(&:color).detect { it != "green"} ☝️ let me know, as I may have missed the discord notification.
if ci_badges.map(&:color).all? { it == "green"} 👇️ send money so I can do more of this. FLOSS maintenance is now my full-time job.
👣 How will this project approach the September 2025 hostile takeover of RubyGems? 🚑️
I've summarized my thoughts in this blog post.
OAuth 1.0a is an industry-standard protocol for authorization. It is an update to the original OAuth 1.0 protocol, and is used by many popular services.
This is a RubyGem for implementing OAuth 1.0 or 1.0a clients and servers in Ruby applications.
See the sibling oauth2 gem for OAuth 2.0, 2.1, & OIDC clients in Ruby.
All dependencies of this gem are signed, so it can be installed with a HighSecurity profile.
- OAuth 1.0 Spec
- oauth-tty sibling gem is the OAuth 1.0 / 1.0a CLI.
- oauth2 sibling gem for OAuth 2.0 implementations in Ruby.
This gem targets the OAuth 1.0a behavior (the errata that became RFC 5849), while maintaining compatibility with providers that still behave like classic 1.0. Here are the key differences between the two and how this gem handles them:
- oauth_callback
- 1.0: Optional in practice; some providers accepted flows without it.
- 1.0a: Consumer SHOULD send oauth_callback when obtaining a Request Token, or explicitly use the out-of-band value "oob".
- This gem: If you do not pass oauth_callback, we default it to "oob" (OUT_OF_BAND). You can opt-out by passing exclude_callback: true.
- oauth_callback_confirmed
- 1.0: Not specified.
- 1.0a: Service Provider MUST return oauth_callback_confirmed=true with the Request Token response. This mitigates session fixation.
- This gem: Parses token responses but does not include oauth_callback_confirmed in the signature base string (it is a response param, not a signed request param).
- oauth_verifier
- 1.0: Not present.
- 1.0a: After the user authorizes, the Provider returns an oauth_verifier to the Consumer, and the Consumer MUST include it when exchanging the Request Token for an Access Token.
- This gem: Supports oauth_verifier across request helpers and request proxies; pass oauth_verifier to get_access_token in 3‑legged flows.
Practical guidance:
- For 3‑legged flows, always supply oauth_callback when calling consumer.get_request_token, and include oauth_verifier when calling request_token.get_access_token.
- For command‑line or non-HTTP clients, use the special OUT_OF_BAND value ("oob") as the oauth_callback and prompt the user to paste back the displayed verifier.
References: RFC 5849 (OAuth 1.0), sections 5–7; 1.0a security errata.
Ruby OAuth has been maintained by a large number of talented individuals over the years. The primary maintainer since 2020 is Peter Boling (@pboling).
| Tokens to Remember |   |
|---|---|
| Works with JRuby |      |
| Works with Truffle Ruby |       |
| Works with MRI Ruby 4 |    |
| Works with MRI Ruby 3 |      |
| Works with MRI Ruby 2 | -AABBCC?style=for-the-badge&logo=ruby&logoColor=white){kind=icon}     |
| Support & Community |     |
| Source |     |
| Documentation |      |
| Compliance |      |
| Style |     |
| Maintainer 🎖️ |      |
... 💖 |
    🧊 🐙 🛖 🧪 |
Compatible with MRI Ruby 2.3+, and concordant releases of JRuby, and TruffleRuby.
CI workflows and Appraisals are generated for MRI Ruby 2.4+.
This test floor is configured by ruby.test_minimum in .kettle-jem.yml and
may be higher than the gem's runtime compatibility floor when legacy Rubies are
not practical for the current toolchain.
| 🚚 Amazing test matrix was brought to you by | 🔎 appraisal2 🔎 and the color 💚 green 💚 |
|---|---|
| 👟 Check it out! | ✨ github.com/appraisal-rb/appraisal2 ✨ |
Find this repo on federated forges (Coming soon!)
| Federated DVCS Repository | Status | Issues | PRs | Wiki | CI | Discussions |
|---|---|---|---|---|---|---|
| 🧪 ruby-oauth/oauth on GitLab | The Truth | 💚 | 💚 | 💚 | 🐭 Tiny Matrix | ➖ |
| 🧊 ruby-oauth/oauth on CodeBerg | An Ethical Mirror (Donate) | 💚 | 💚 | ➖ | ⭕️ No Matrix | ➖ |
| 🐙 ruby-oauth/oauth on GitHub | Another Mirror | 💚 | 💚 | 💚 | 💯 Full Matrix | 💚 |
| 🎮️ Discord Server | |
Let's | talk | about | this | library! |
Available as part of the Tidelift Subscription.
Need enterprise-level guarantees?
The maintainers of this and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use.
- 💡Subscribe for support guarantees covering all your FLOSS dependencies
- 💡Tidelift is part of Sonar
- 💡Tidelift pays maintainers to maintain the software you depend on!
📊@Pointy Haired Boss: An enterprise support subscription is "never gonna let you down", and supports open source maintainers
Alternatively:
Install the gem and add to the application's Gemfile by executing:
bundle add oauthIf bundler is not being used to manage dependencies, install the gem by executing:
gem install oauthThis is a ruby library which is intended to be used in creating Ruby Consumer and Service Provider applications. It is NOT a Rails plugin, but could easily be used for the foundation for such a Rails plugin.
The main client entry point is OAuth::Consumer.new(consumer_key, consumer_secret, options).
Common options include:
:site- Provider origin, for examplehttps://provider.example.:request_token_path,:authorize_path,:authenticate_path,:access_token_path- Provider endpoint paths. Defaults are/oauth/request_token,/oauth/authorize,/oauth/authenticate, and/oauth/access_token.:request_token_url,:authorize_url,:access_token_url- Full endpoint URLs. Use these when endpoints are not all under the same:siteorigin.:scheme- Where OAuth parameters are sent::headerby default, or:body/:query_string.:http_method- HTTP method for token endpoint requests,:postby default.:signature_method- Signature method,HMAC-SHA1by default.:body_hash_enabled- Whether request body hashes are signed where applicable. Defaults totrue.:ca_file,:proxy,:debug_output- Net::HTTP transport options.:token_request_max_redirects- Maximum redirects followed while requesting OAuth tokens. Defaults to10.:token_request_cross_origin_redirects- Whether token requests may follow redirects to a different scheme, host, or effective port. Defaults tofalse; only enable this when the provider's token endpoints intentionally redirect across origins.
This gem was originally extracted from @pelle's oauth-plugin gem. After extraction that gem was made to depend on this gem.
Unfortunately, this gem does have some Rails related bits that are optional to load. You don't need Rails! The Rails bits may be pulled out into a separate gem with the 1.x minor updates of this gem.
For browser-based three-legged OAuth 1.0a flows, pass an explicit
oauth_callback URL when requesting the request token. If you do not pass
oauth_callback, this gem defaults it to "oob" (out of band), which is
intended for command-line and non-HTTP clients.
callback_url = "http://127.0.0.1:3000/oauth/callback"Create a new OAuth::Consumer instance by passing it a configuration hash:
oauth_consumer = OAuth::Consumer.new(
"consumer_key",
"consumer_secret",
site: "https://provider.example"
)Start the process by requesting a token:
request_token = oauth_consumer.get_request_token(oauth_callback: callback_url)
session[:token] = request_token.token
session[:token_secret] = request_token.secret
redirect_to request_token.authorize_urlWhen the user returns to your callback URL, rebuild the request token from the
values you stored and exchange it for an access token. OAuth 1.0a providers
return oauth_verifier in the callback, and it must be included in this
exchange.
hash = {oauth_token: session[:token], oauth_token_secret: session[:token_secret]}
request_token = OAuth::RequestToken.from_hash(oauth_consumer, hash)
access_token = request_token.get_access_token(oauth_verifier: params[:oauth_verifier])
@photos = access_token.get("/photos.xml")For OAuth 1.0 providers that do not use oauth_verifier, call
request_token.get_access_token without the verifier.
Now that you have an access token, you can use Typhoeus to interact with the OAuth provider if you choose.
require "typhoeus"
require "oauth/request_proxy/typhoeus_request"
uri = "https://provider.example/photos.xml"
options = {method: :get, headers: {}}
oauth_params = {consumer: oauth_consumer, token: access_token}
hydra = Typhoeus::Hydra.new
req = Typhoeus::Request.new(uri, options) # :method needs to be specified in options
oauth_helper = OAuth::Client::Helper.new(req, oauth_params.merge(request_uri: uri))
req.options[:headers] ||= {}
req.options[:headers]["Authorization"] = oauth_helper.header # Signs the request
hydra.queue(req)
hydra.run
@response = req.response- RubyDoc Documentation:
- Mailing List/Google Group:
- Maintainer Blog:
- Live ruby-oauth Chat:
While ruby-oauth tools are free software and will always be, the project would benefit immensely from some funding. Raising a monthly budget of... "dollars" would make the project more sustainable.
We welcome both individual and corporate sponsors! We also offer a wide array of funding channels to account for your preferences. Currently, Open Collective is our preferred funding platform.
If you're working in a company that's making significant use of ruby-oauth tools we'd appreciate it if you suggest to your company to become a ruby-oauth sponsor.
You can support the development of ruby-oauth tools via GitHub Sponsors, Liberapay, PayPal, Open Collective and Tidelift.
| 📍 NOTE |
|---|
| If doing a sponsorship in the form of donation is problematic for your company from an accounting standpoint, we'd recommend the use of Tidelift, where you can get a support-like subscription instead. |
Support us with a monthly donation and help us continue our activities. [Become a backer]
NOTE: kettle-readme-backers updates this list every day, automatically.
No backers yet. Be the first!
Become a sponsor and get your logo on our README on GitHub with a link to your site. [Become a sponsor]
NOTE: kettle-readme-backers updates this list every day, automatically.
No sponsors yet. Be the first!
I’m driven by a passion to foster a thriving open-source community – a space where people can tackle complex problems, no matter how small. Revitalizing libraries that have fallen into disrepair, and building new libraries focused on solving real-world challenges, are my passions. I was recently affected by layoffs, and the tech jobs market is unwelcoming. I’m reaching out here because your support would significantly aid my efforts to provide for my family, and my farm (11 🐔 chickens, 2 🐶 dogs, 3 🐰 rabbits, 8 🐈 cats).
If you work at a company that uses my work, please encourage them to support me as a corporate sponsor. My work on gems you use might show up in bundle fund.
I’m developing a new library, floss_funding, designed to empower open-source developers like myself to get paid for the work we do, in a sustainable way. Please give it a look.
Floss-Funding.dev: 👉️ No network calls. 👉️ No tracking. 👉️ No oversight. 👉️ Minimal crypto hashing. 💡 Easily disabled nags
See SECURITY.md.
If you need some ideas of where to help, you could work on adding more code coverage, or if it is already 💯 (see below) check issues or PRs, or use the gem and think about how it could be better.
We
See CONTRIBUTING.md for more detailed instructions.
See CONTRIBUTING.md.
Coverage service badges
Everyone interacting with this project's codebases, issue trackers,
chat rooms and mailing lists agrees to follow the
Made with contributors-img.
Also see GitLab Contributors: https://gitlab.com/ruby-oauth/oauth/-/graphs/main
⭐️ Star History
This library follows
For example:
spec.add_dependency("oauth", "~> 1.0")📌 Is "Platform Support" part of the public API? More details inside.
Dropping support for a platform can be a breaking change for affected users. If a release changes supported platforms, it should be called out clearly in the changelog and versioned with that impact in mind.
To get a better understanding of how SemVer is intended to work over a project's lifetime, read this article from the creator of SemVer:
See CHANGELOG.md for a list of releases.
The gem is available as open source under the terms of
the MIT
See LICENSE.md for the official copyright notice.
Copyright holders
- Copyright (c) 2007-2010 Pelle Braendgaard
- Copyright (c) 2008 Chris Mear
- Copyright (c) 2008 Jon Crosby
- Copyright (c) 2008-2010 Seth Fitzsimmons
- Copyright (c) 2008 Tilmann Singer
- Copyright (c) 2008 Tom Insam
- Copyright (c) 2008 tsailipu
- Copyright (c) 2009-2012 Aaron Quint
- Copyright (c) 2009 Anders Conbere
- Copyright (c) 2009 Bill Kocik
- Copyright (c) 2009 Darcy Laycock
- Copyright (c) 2009 Eric Hartmann
- Copyright (c) 2009 Greg Weber
- Copyright (c) 2009 Laszlo Bacsi
- Copyright (c) 2009 Marshall Huss
- Copyright (c) 2009 Matt Sanford
- Copyright (c) 2009 Neill Pearman
- Copyright (c) 2009 Seth Cousins
- Copyright (c) 2009 Yoan Blanc
- Copyright (c) 2010 andrehjr
- Copyright (c) 2010 Brian Finney
- Copyright (c) 2010 ecavazos
- Copyright (c) 2010 Joshua Hull
- Copyright (c) 2010 Marsh Gardiner
- Copyright (c) 2010 Michael Reinsch
- Copyright (c) 2010 Sean Cribbs
- Copyright (c) 2010 Steven Parkes
- Copyright (c) 2010 成田 一生
- Copyright (c) 2011 Shaliko Usubov
- Copyright (c) 2012 Ernie Miller
- Copyright (c) 2012 Jonathon M. Abbott
- Copyright (c) 2012 Richard Huang
- Copyright (c) 2012 rick
- Copyright (c) 2012 Steven Hammond
- Copyright (c) 2013 Craig Walker
- Copyright (c) 2013 Khem Veasna
- Copyright (c) 2014 Brian John
- Copyright (c) 2014 Michal Papis
- Copyright (c) 2014 raeno
- Copyright (c) 2015 jremmen
- Copyright (c) 2015 Kevin Hughes
- Copyright (c) 2016 Eric True
- Copyright (c) 2016-2017 James Pinto
- Copyright (c) 2016 jianben
- Copyright (c) 2016 Nik Wakelin
- Copyright (c) 2017 Ondrej Prazak
- Copyright (c) 2018 Nicholas Souphandavong
- Copyright (c) 2018 Yvonne
- Copyright (c) 2019 Agora@Ubuntu-dev
- Copyright (c) 2019 Shohei Maeda
- Copyright (c) 2020-2021, 2026 Khem
- Copyright (c) 2021 Chuck Remes
- Copyright (c) 2021 iamibi
- Copyright (c) 2021 Jeremy Sioui
- Copyright (c) 2021 Nick Morgan
- Copyright (c) 2021-2022, 2025-2026 Peter H. Boling
- Copyright (c) 2021 Richard Vowles
- Copyright (c) 2022 Shalvah
- Copyright (c) 2024-2025 Annibelle Boling
- Copyright (c) 2025 Aboling0
- Copyright (c) 2026 David Varga
- Copyright (c) 2026 StepSecurity Bot
Maintainers have teeth and need to pay their dentists. After getting laid off in an RIF in March, and encountering difficulty finding a new one, I began spending most of my time building open source tools. I'm hoping to be able to pay for my kids' health insurance this month, so if you value the work I am doing, I need your support. Please consider sponsoring me or the project.
To join the community or get help 👇️ Join the Discord.
To say "thanks!" ☝️ Join the Discord or 👇️ send money.
Many parts of this project are actively managed by a kettle-jem smart template utilizing StructuredMerge.org merge contracts.
Thanks for RTFM.
| Field | Value |
|---|---|
| Package | oauth |
| Description | 🔑 A Ruby wrapper for the original OAuth 1.0 / 1.0a spec. |
| Homepage | https://github.com/ruby-oauth/oauth |
| Source | https://github.com/ruby-oauth/oauth/tree/v1.1.5 |
| License | MIT |
| Funding | https://github.com/sponsors/pboling, https://issuehunt.io/u/pboling, https://ko-fi.com/pboling, https://liberapay.com/pboling/donate, https://opencollective.com/ruby-oauth, https://patreon.com/galtzo, https://polar.sh/pboling, https://thanks.dev/u/gh/pboling, https://tidelift.com/funding/github/rubygems/oauth, https://www.buymeacoffee.com/pboling |
