From bf25a71ca912e386c492224d918fe5103ffc86a1 Mon Sep 17 00:00:00 2001 
From: "Peter H. Boling" Date: Mon, 15 Sep 2025 00:31:39 -0600 Subject: [PATCH] =?UTF-8?q?=F0=9F=93=9D=20Document=20OAuth=201.0,=201.0a?= =?UTF-8?q?=20differences?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .idea/oauth.iml | 1 - .rubocop_gradual.lock | 8 +- CHANGELOG.md | 1 + README.md | 24 + docs/ActionController.html | 2 +- docs/ActionController/Base.html | 2 +- docs/ActionController/TestRequest.html | 2 +- docs/EventMachine.html | 2 +- docs/EventMachine/HttpClient.html | 34 +- docs/Net.html | 2 +- docs/Net/HTTPGenericRequest.html | 2 +- docs/OAuth.html | 27 +- docs/OAuth/AccessToken.html | 2 +- docs/OAuth/Client.html | 2 +- docs/OAuth/Client/Helper.html | 2 +- docs/OAuth/Consumer.html | 584 ++++++++++++------ docs/OAuth/ConsumerToken.html | 2 +- docs/OAuth/Error.html | 2 +- docs/OAuth/Helper.html | 202 +++--- docs/OAuth/OAuthTestHelper.html | 2 +- docs/OAuth/Optional.html | 219 +++++++ docs/OAuth/Problem.html | 2 +- docs/OAuth/RequestProxy.html | 2 +- .../RequestProxy/ActionControllerRequest.html | 36 +- .../RequestProxy/ActionDispatchRequest.html | 167 ++++- docs/OAuth/RequestProxy/Base.html | 158 ++--- docs/OAuth/RequestProxy/Curl.html | 2 +- docs/OAuth/RequestProxy/Curl/Easy.html | 2 +- docs/OAuth/RequestProxy/EventMachine.html | 2 +- .../EventMachine/HttpRequest.html | 2 +- docs/OAuth/RequestProxy/JabberRequest.html | 2 +- docs/OAuth/RequestProxy/MockRequest.html | 2 +- docs/OAuth/RequestProxy/Net.html | 2 +- docs/OAuth/RequestProxy/Net/HTTP.html | 2 +- .../RequestProxy/Net/HTTP/HTTPRequest.html | 2 +- docs/OAuth/RequestProxy/RackRequest.html | 2 +- docs/OAuth/RequestProxy/RestClient.html | 2 +- .../RequestProxy/RestClient/Request.html | 2 +- docs/OAuth/RequestProxy/Typhoeus.html | 2 +- docs/OAuth/RequestProxy/Typhoeus/Request.html | 2 +- .../RequestProxy/UnknownRequestType.html | 2 +- docs/OAuth/RequestToken.html | 2 +- docs/OAuth/Server.html | 2 +- docs/OAuth/ServerToken.html | 2 +- 
docs/OAuth/Signature.html | 2 +- docs/OAuth/Signature/Base.html | 2 +- docs/OAuth/Signature/HMAC.html | 2 +- docs/OAuth/Signature/HMAC/SHA1.html | 2 +- docs/OAuth/Signature/HMAC/SHA256.html | 2 +- docs/OAuth/Signature/PLAINTEXT.html | 2 +- docs/OAuth/Signature/RSA.html | 2 +- docs/OAuth/Signature/RSA/SHA1.html | 2 +- .../Signature/UnknownSignatureMethod.html | 2 +- docs/OAuth/Token.html | 2 +- docs/OAuth/Unauthorized.html | 2 +- docs/OAuth/Version.html | 2 +- docs/_index.html | 9 +- docs/class_list.html | 2 +- docs/file.CHANGELOG.html | 22 +- docs/file.CITATION.html | 2 +- docs/file.CODE_OF_CONDUCT.html | 2 +- docs/file.CONTRIBUTING.html | 2 +- docs/file.FUNDING.html | 2 +- docs/file.LICENSE.html | 2 +- docs/file.README.html | 39 +- docs/file.REEK.html | 2 +- docs/file.RUBOCOP.html | 2 +- docs/file.SECURITY.html | 2 +- docs/index.html | 39 +- docs/method_list.html | 182 +++--- docs/top-level-namespace.html | 2 +- lib/oauth/consumer.rb | 43 +- lib/oauth/oauth.rb | 19 +- lib/oauth/request_proxy/base.rb | 3 + 74 files changed, 1376 insertions(+), 549 deletions(-) create mode 100644 docs/OAuth/Optional.html
diff --git a/.idea/oauth.iml b/.idea/oauth.iml
index 9a5437b4..ef3eb943 100644
--- a/.idea/oauth.iml
+++ b/.idea/oauth.iml
@@ -72,7 +72,6 @@ -
diff --git a/.rubocop_gradual.lock b/.rubocop_gradual.lock
index 9ca71065..11723557 100644
--- a/.rubocop_gradual.lock
+++ b/.rubocop_gradual.lock
@@ -4,16 +4,16 @@ [33, 5, 44, "Style/ClassMethodsDefinitions: Use `class << self` to define a class method.", 645541231], [34, 7, 10, "ThreadSafety/ClassInstanceVariable: Avoid class instance variables.", 4071527614] ],
- "lib/oauth/consumer.rb:2772211062": [
- [210, 9, 4, "Lint/UnderscorePrefixedVariableName: Do not use prefix `_` for a variable that is used.", 2089552532],
- [368, 21, 4, "Lint/UnderscorePrefixedVariableName: Do not use prefix `_` for a variable that is used.", 2089552529]
+ "lib/oauth/consumer.rb:437026603": [
+ [241, 9, 4, "Lint/UnderscorePrefixedVariableName: Do not use prefix `_` for a variable that is used.", 2089552532],
+ [399, 21, 4, "Lint/UnderscorePrefixedVariableName: Do not use prefix `_` for a variable that is used.", 2089552529]
 ], "lib/oauth/request_proxy.rb:1529370509": [ [5, 5, 76, "Style/ClassMethodsDefinitions: Use `class << self` to define a class method.", 485336097], [6, 7, 18, "ThreadSafety/ClassInstanceVariable: Avoid class instance variables.", 1482835337], [9, 5, 467, "Style/ClassMethodsDefinitions: Use `class << self` to define a class method.", 4088662367] ],
- "lib/oauth/request_proxy/base.rb:3218240175": [
+ "lib/oauth/request_proxy/base.rb:2146952171": [
 [11, 7, 93, "Style/ClassMethodsDefinitions: Use `class << self` to define a class method.", 2934170116] ], "lib/oauth/signature.rb:745501939": [
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bef39cbb..32dc1e4d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ Please file a bug if you notice a violation of semantic versioning. - Stop relying on URI / CGI for escaping and unescaping - They are both unstable across supported versions of Ruby (including 3.5 HEAD) - Tests against Rails-specific code are now run in CI
+- Documented OAuth 1.0, 1.0a differences ### Changed - converted minitest => rspec ### Deprecated
diff --git a/README.md b/README.md
index 96699cc4..dddc4807 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,30 @@ See the sibling `oauth2` gem for OAuth 2.0, 2.1, & OIDC clients in Ruby. [oauth1-spec]: http://oauth.net/core/1.0/ [sibling-gem]: https://gitlab.com/ruby-oauth/oauth2
+## OAuth 1.0 vs 1.0a: What this library implements
+
+This gem targets the OAuth 1.0a behavior (the errata that became RFC 5849), while maintaining compatibility with providers that still behave like classic 1.0.
+Here are the key lines between the two and how this gem handles them:
+
+- oauth_callback
+ - 1.0: Optional in practice; some providers accepted flows without it.
+ - 1.0a: Consumer SHOULD send oauth_callback when obtaining a Request Token, or explicitly use the out-of-band value "oob".
+ - This gem: If you do not pass oauth_callback, we default it to "oob" (OUT_OF_BAND). You can opt-out by passing exclude_callback: true.
+- oauth_callback_confirmed
+ - 1.0: Not specified.
+ - 1.0a: Service Provider MUST return oauth_callback_confirmed=true with the Request Token response. This mitigates session fixation.
+ - This gem: Parses token responses but does not include oauth_callback_confirmed in the signature base string (it is a response param, not a signed request param).
+- oauth_verifier
+ - 1.0: Not present.
+ - 1.0a: After the user authorizes, the Provider returns an oauth_verifier to the Consumer, and the Consumer MUST include it when exchanging the Request Token for an Access Token.
+ - This gem: Supports oauth_verifier across request helpers and request proxies; pass oauth_verifier to get_access_token in 3‑legged flows.
+
+Practical guidance:
+- For 3‑legged flows, always supply oauth_callback when calling consumer.get_request_token, and include oauth_verifier when calling request_token.get_access_token.
+- For command‑line or non-HTTP clients, use the special OUT_OF_BAND value ("oob") as the oauth_callback and prompt the user to paste back the displayed verifier.
+
+References: [RFC 5849 (OAuth 1.0)](https://datatracker.ietf.org/doc/html/rfc5849), sections 5–7; [1.0a security errata](https://oauth.net/core/1.0a/).
+
 OAuth Ruby has been maintained by a large number of talented individuals over the years. The primary maintainer since 2020 is Peter Boling (@pboling).
diff --git a/docs/ActionController.html b/docs/ActionController.html
index 8d7a0a20..c9f5f612 100644
--- a/docs/ActionController.html
+++ b/docs/ActionController.html
@@ -105,7 +105,7 @@

Defined Under Namespace

diff --git a/docs/ActionController/Base.html b/docs/ActionController/Base.html
index 0541ad29..283221d4 100644
--- a/docs/ActionController/Base.html
+++ b/docs/ActionController/Base.html
@@ -238,7 +238,7 @@

diff --git a/docs/ActionController/TestRequest.html b/docs/ActionController/TestRequest.html
index 24f1e9a3..fec2b87f 100644
--- a/docs/ActionController/TestRequest.html
+++ b/docs/ActionController/TestRequest.html
@@ -613,7 +613,7 @@

diff --git a/docs/EventMachine.html b/docs/EventMachine.html
index b0a0af3b..194d4db6 100644
--- a/docs/EventMachine.html
+++ b/docs/EventMachine.html
@@ -116,7 +116,7 @@

Overview

diff --git a/docs/EventMachine/HttpClient.html b/docs/EventMachine/HttpClient.html
index 3b738d45..a84be5cd 100644
--- a/docs/EventMachine/HttpClient.html
+++ b/docs/EventMachine/HttpClient.html
@@ -250,12 +250,12 @@

 
 
-11
-12
-13
+13 +14 +15 -
# File 'lib/oauth/client/em_http.rb', line 11
+      
# File 'lib/oauth/client/em_http.rb', line 13
 
 def oauth_helper
   @oauth_helper
@@ -299,8 +299,6 @@ 

 
 
-72
-73
 74
 75
 76
@@ -308,10 +306,12 @@ 

78 79 80 -81

+81 +82 +83

-
# File 'lib/oauth/client/em_http.rb', line 72
+      
# File 'lib/oauth/client/em_http.rb', line 74
 
 def normalize_uri
   @normalized_uri ||= begin
@@ -368,8 +368,6 @@ 

 
 
-27
-28
 29
 30
 31
@@ -381,10 +379,12 @@ 

37 38 39 -40

+40 +41 +42

-
# File 'lib/oauth/client/em_http.rb', line 27
+      
# File 'lib/oauth/client/em_http.rb', line 29
 
 def oauth!(http, consumer = nil, token = nil, options = {})
   options = {
@@ -444,8 +444,6 @@ 

 
 
-55
-56
 57
 58
 59
@@ -456,10 +454,12 @@ 

64 65 66 -67

+67 +68 +69

-
# File 'lib/oauth/client/em_http.rb', line 55
+      
# File 'lib/oauth/client/em_http.rb', line 57
 
 def signature_base_string(http, consumer = nil, token = nil, options = {})
   options = {
@@ -484,7 +484,7 @@ 

diff --git a/docs/Net.html b/docs/Net.html
index e56cfd7d..77e7ad4d 100644
--- a/docs/Net.html
+++ b/docs/Net.html
@@ -105,7 +105,7 @@

Defined Under Namespace

diff --git a/docs/Net/HTTPGenericRequest.html b/docs/Net/HTTPGenericRequest.html
index 962724fb..767d2ab3 100644
--- a/docs/Net/HTTPGenericRequest.html
+++ b/docs/Net/HTTPGenericRequest.html
@@ -397,7 +397,7 @@

diff --git a/docs/OAuth.html b/docs/OAuth.html
index 317ce91b..c492babe 100644
--- a/docs/OAuth.html
+++ b/docs/OAuth.html
@@ -79,7 +79,7 @@
Defined in:
lib/oauth/oauth.rb,
- lib/oauth/client.rb,
lib/oauth/helper.rb,
lib/oauth/server.rb,
lib/oauth/version.rb,
lib/oauth/consumer.rb,
lib/oauth/signature.rb,
lib/oauth/errors/error.rb,
lib/oauth/tokens/token.rb,
lib/oauth/client/helper.rb,
lib/oauth/request_proxy.rb,
lib/oauth/errors/problem.rb,
lib/oauth/signature/base.rb,
lib/oauth/oauth_test_helper.rb,
lib/oauth/request_proxy/base.rb,
lib/oauth/signature/rsa/sha1.rb,
lib/oauth/errors/unauthorized.rb,
lib/oauth/signature/hmac/sha1.rb,
lib/oauth/signature/plaintext.rb,
lib/oauth/tokens/access_token.rb,
lib/oauth/tokens/server_token.rb,
lib/oauth/tokens/request_token.rb,
lib/oauth/signature/hmac/sha256.rb,
lib/oauth/tokens/consumer_token.rb,
lib/oauth/request_proxy/net_http.rb,
lib/oauth/request_proxy/curb_request.rb,
lib/oauth/request_proxy/mock_request.rb,
lib/oauth/request_proxy/rack_request.rb,
lib/oauth/request_proxy/jabber_request.rb,
lib/oauth/request_proxy/em_http_request.rb,
lib/oauth/request_proxy/typhoeus_request.rb,
lib/oauth/request_proxy/rest_client_request.rb,
lib/oauth/request_proxy/action_dispatch_request.rb,
lib/oauth/request_proxy/action_controller_request.rb
+ lib/oauth/client.rb,
lib/oauth/helper.rb,
lib/oauth/server.rb,
lib/oauth/version.rb,
lib/oauth/consumer.rb,
lib/oauth/optional.rb,
lib/oauth/signature.rb,
lib/oauth/errors/error.rb,
lib/oauth/tokens/token.rb,
lib/oauth/client/helper.rb,
lib/oauth/request_proxy.rb,
lib/oauth/errors/problem.rb,
lib/oauth/signature/base.rb,
lib/oauth/oauth_test_helper.rb,
lib/oauth/request_proxy/base.rb,
lib/oauth/signature/rsa/sha1.rb,
lib/oauth/errors/unauthorized.rb,
lib/oauth/signature/hmac/sha1.rb,
lib/oauth/signature/plaintext.rb,
lib/oauth/tokens/access_token.rb,
lib/oauth/tokens/server_token.rb,
lib/oauth/tokens/request_token.rb,
lib/oauth/signature/hmac/sha256.rb,
lib/oauth/tokens/consumer_token.rb,
lib/oauth/request_proxy/net_http.rb,
lib/oauth/request_proxy/curb_request.rb,
lib/oauth/request_proxy/mock_request.rb,
lib/oauth/request_proxy/rack_request.rb,
lib/oauth/request_proxy/jabber_request.rb,
lib/oauth/request_proxy/em_http_request.rb,
lib/oauth/request_proxy/typhoeus_request.rb,
lib/oauth/request_proxy/rest_client_request.rb,
lib/oauth/request_proxy/action_dispatch_request.rb,
lib/oauth/request_proxy/action_controller_request.rb
@@ -89,7 +89,7 @@

Defined Under Namespace

- Modules: Client, Helper, OAuthTestHelper, RequestProxy, Signature, Version
+ Modules: Client, Helper, OAuthTestHelper, Optional, RequestProxy, Signature, Version
@@ -109,8 +109,11 @@

OUT_OF_BAND =
-

request tokens are passed between the consumer and the provider out of
-band (i.e. callbacks cannot be used), per section 6.1.1

+

Out-Of-Band callback token value.
+OAuth 1.0 and 1.0a both support out-of-band flows, where callbacks cannot be used.
+See RFC 5849 (OAuth 1.0), Section 6.1.1: Obtaining an Unauthorized Request Token
+and the 1.0a errata. Providers treating “oob” as the callback URL indicate that
+the verifier (for 1.0a) will be communicated out of band to the Consumer.

@@ -125,7 +128,19 @@

PARAMETERS =
-

required parameters, per sections 6.1.1, 6.3.1, and 7

+

OAuth parameter keys this library recognizes when normalizing/signing requests.
+Notes on 1.0 vs 1.0a:

+
    +
  • oauth_verifier: Introduced by OAuth 1.0a. Returned to the Consumer after user
    +authorization and required when exchanging a Request Token for an Access Token
    +(Section 6.3.1 in RFC 5849 / 1.0a change).
  • +
  • oauth_callback: Present in 1.0; 1.0a clarified that the Consumer MUST send it when
    +obtaining a Request Token (or use “oob”) and that the Service Provider MUST return
    +oauth_callback_confirmed=true with the Request Token response to prevent session
    +fixation attacks. Note that oauth_callback_confirmed is a response parameter, not
    +a request signing parameter, and thus is not listed here.
    +Other keys are common to both 1.0 and 1.0a.
  • +
@@ -177,7 +192,7 @@

diff --git a/docs/OAuth/AccessToken.html b/docs/OAuth/AccessToken.html
index f3290cf3..51552fb2 100644
--- a/docs/OAuth/AccessToken.html
+++ b/docs/OAuth/AccessToken.html
@@ -681,7 +681,7 @@

diff --git a/docs/OAuth/Client.html b/docs/OAuth/Client.html
index b4307caa..39257414 100644
--- a/docs/OAuth/Client.html
+++ b/docs/OAuth/Client.html
@@ -107,7 +107,7 @@

Defined Under Namespace

diff --git a/docs/OAuth/Client/Helper.html b/docs/OAuth/Client/Helper.html
index 446886e0..2ef3cc36 100644
--- a/docs/OAuth/Client/Helper.html
+++ b/docs/OAuth/Client/Helper.html
@@ -981,7 +981,7 @@

diff --git a/docs/OAuth/Consumer.html b/docs/OAuth/Consumer.html
index 2f719640..afb7055d 100644
--- a/docs/OAuth/Consumer.html
+++ b/docs/OAuth/Consumer.html
@@ -561,7 +561,7 @@

  • - #get_access_token(request_token, request_options = {}, *arguments, &block) ⇒ Object + #get_access_token(request_token, request_options = {}, *arguments) {|response_body| ... } ⇒ OAuth::AccessToken @@ -575,7 +575,7 @@

    -
    +

    Exchanges a verified Request Token for an Access Token.

  • @@ -584,7 +584,7 @@

  • - #get_request_token(request_options = {}, *arguments, &block) ⇒ Object + #get_request_token(request_options = {}, *arguments) {|response_body| ... } ⇒ OAuth::RequestToken @@ -1172,12 +1172,12 @@

     
     
    -298
    -299
    -300
    +329 +330 +331

  • -
    # File 'lib/oauth/consumer.rb', line 298
    +      
    # File 'lib/oauth/consumer.rb', line 329
     
     def site
       @options[:site].to_s
    @@ -1209,12 +1209,12 @@ 

     
     
    -324
    -325
    -326
    +355 +356 +357

    -
    # File 'lib/oauth/consumer.rb', line 324
    +      
    # File 'lib/oauth/consumer.rb', line 355
     
     def access_token_path
       @options[:access_token_path]
    @@ -1239,12 +1239,12 @@ 

     
     
    -353
    -354
    -355
    +384 +385 +386

    -
    # File 'lib/oauth/consumer.rb', line 353
    +      
    # File 'lib/oauth/consumer.rb', line 384
     
     def access_token_url
       @options[:access_token_url] || (site + access_token_path)
    @@ -1292,12 +1292,12 @@ 

     
     
    -357
    -358
    -359
    +388 +389 +390

    -
    # File 'lib/oauth/consumer.rb', line 357
    +      
    # File 'lib/oauth/consumer.rb', line 388
     
     def access_token_url?
       @options.key?(:access_token_url)
    @@ -1322,12 +1322,12 @@ 

     
     
    -316
    -317
    -318
    +347 +348 +349

    -
    # File 'lib/oauth/consumer.rb', line 316
    +      
    # File 'lib/oauth/consumer.rb', line 347
     
     def authenticate_path
       @options[:authenticate_path]
    @@ -1352,12 +1352,12 @@ 

     
     
    -337
    -338
    -339
    +368 +369 +370

    -
    # File 'lib/oauth/consumer.rb', line 337
    +      
    # File 'lib/oauth/consumer.rb', line 368
     
     def authenticate_url
       @options[:authenticate_url] || (site + authenticate_path)
    @@ -1405,12 +1405,12 @@ 

     
     
    -341
    -342
    -343
    +372 +373 +374

    -
    # File 'lib/oauth/consumer.rb', line 341
    +      
    # File 'lib/oauth/consumer.rb', line 372
     
     def authenticate_url?
       @options.key?(:authenticate_url)
    @@ -1435,12 +1435,12 @@ 

     
     
    -320
    -321
    -322
    +351 +352 +353

    -
    # File 'lib/oauth/consumer.rb', line 320
    +      
    # File 'lib/oauth/consumer.rb', line 351
     
     def authorize_path
       @options[:authorize_path]
    @@ -1465,12 +1465,12 @@ 

     
     
    -345
    -346
    -347
    +376 +377 +378

    -
    # File 'lib/oauth/consumer.rb', line 345
    +      
    # File 'lib/oauth/consumer.rb', line 376
     
     def authorize_url
       @options[:authorize_url] || (site + authorize_path)
    @@ -1518,12 +1518,12 @@ 

     
     
    -349
    -350
    -351
    +380 +381 +382

    -
    # File 'lib/oauth/consumer.rb', line 349
    +      
    # File 'lib/oauth/consumer.rb', line 380
     
     def authorize_url?
       @options.key?(:authorize_url)
    @@ -1559,14 +1559,14 @@ 

     
     
    -243
    -244
    -245
    -246
    -247
    +274 +275 +276 +277 +278

    -
    # File 'lib/oauth/consumer.rb', line 243
    +      
    # File 'lib/oauth/consumer.rb', line 274
     
     def create_signed_request(http_method, path, token = nil, request_options = {}, *arguments)
       request = create_http_request(http_method, path, *arguments)
    @@ -1623,32 +1623,133 @@ 

    - #get_access_token(request_token, request_options = {}, *arguments, &block) ⇒ Object + #get_access_token(request_token, request_options = {}, *arguments) {|response_body| ... } ⇒ OAuth::AccessToken -

    +
    +
    +

    Exchanges a verified Request Token for an Access Token.

    + +

    OAuth 1.0 vs 1.0a:

    +
      +
    • 1.0a requires including oauth_verifier (as returned by the Provider after
      +user authorization) when performing this exchange in a 3‑legged flow.
    • +
    • 1.0 flows did not include oauth_verifier.
    • +
    + +

    Usage (3‑legged):
    + access_token = request_token.get_access_token(oauth_verifier: params[:oauth_verifier])

    + + +
    +
    +
    +

    Parameters:

    +
      + +
    • + + request_token + + + (OAuth::RequestToken) + + + + — +

      The authorized request token

      +
      + +
    • + +
    • + + request_options + + + (Hash) + + + (defaults to: {}) + + + — +

      OAuth or request options (include :oauth_verifier for 1.0a)

      +
      + +
    • + +
    • + + arguments + + + (Array) + + + + — +

      Optional POST body and headers

      +
      + +
    • + +
    + +

    Yields:

    +
      + +
    • + + + (response_body) + + + + — +

      If a block is given, yields the raw response body.

      +
      + +
    • + +
    +

    Returns:

    + + +
    @@ -503,7 +511,7 @@

    diff --git a/docs/OAuth/RequestProxy/ActionDispatchRequest.html b/docs/OAuth/RequestProxy/ActionDispatchRequest.html
    index a5895234..7c41e4ec 100644
    --- a/docs/OAuth/RequestProxy/ActionDispatchRequest.html
    +++ b/docs/OAuth/RequestProxy/ActionDispatchRequest.html
    @@ -115,17 +115,74 @@

    Attributes inherited from #options, #request, #unsigned_parameters

    + +

    + Instance Method Summary + collapse +

    + +
      + +
    • + + + #parameters ⇒ Object + + + + + + + + + + + + + +

      Rails’ ActionDispatch proxy should expose array-style parameters for request/query params to align with legacy oauth gem expectations.

      +
      + +
    • + + +
    • + + + #uri ⇒ Object + + + + + + + + + + + + +

      Prefer the explicitly provided URI, which carries scheme/host info when ActionDispatch env may be minimal in tests.

      +
      + +
    • + + +
    + + + + -

    Method Summary

    Methods inherited from RackRequest

    -

    #method, #parameters, #signature, #uri

    +

    #method, #signature

    @@ -136,7 +193,7 @@

    Methods inherited from Methods inherited from Base

    -

    #initialize, #non_oauth_parameters, #normalized_parameters, #normalized_uri, #oauth_callback, #oauth_consumer_key, #oauth_header, #oauth_nonce, #oauth_parameters, #oauth_signature, #oauth_signature_method, #oauth_timestamp, #oauth_token, #oauth_verifier, #oauth_version, #parameters, #parameters_for_signature, proxies, #query_string_blank?, #sign, #sign!, #signature_and_unsigned_parameters, #signature_base_string, #signed?, #signed_uri

    +

    #initialize, #non_oauth_parameters, #normalized_parameters, #normalized_uri, #oauth_callback, #oauth_consumer_key, #oauth_header, #oauth_nonce, #oauth_parameters, #oauth_signature, #oauth_signature_method, #oauth_timestamp, #oauth_token, #oauth_verifier, #oauth_version, #parameters_for_signature, proxies, #query_string_blank?, #sign, #sign!, #signature_and_unsigned_parameters, #signature_base_string, #signed?, #signed_uri

    @@ -156,10 +213,112 @@

    Constructor Details

    +
    +

    Instance Method Details

    + + +
    +

    + + #parametersObject + + + + + +

    +
    +

    Rails’ ActionDispatch proxy should expose array-style parameters
    +for request/query params to align with legacy oauth gem expectations.

    + + +
    +
    +
    + + +
     
     
    -145
    -146
    -147
    -148
    -149
    -150
    -151
    -152
    -153
    -154
    -155
    +160 +161 +162 +163 +164 +165 +166 +167 +168 +169 +170
    -
    # File 'lib/oauth/consumer.rb', line 145
    +      
    # File 'lib/oauth/consumer.rb', line 160
     
     def get_access_token(request_token, request_options = {}, *arguments, &block)
       response = token_request(
    @@ -1669,7 +1770,7 @@ 

    - #get_request_token(request_options = {}, *arguments, &block) ⇒ Object + #get_request_token(request_options = {}, *arguments) {|response_body| ... } ⇒ OAuth::RequestToken @@ -1679,24 +1780,103 @@

    Makes a request to the service for a new OAuth::RequestToken

    -

    @request_token = @consumer.get_request_token

    - -

    To include OAuth parameters:

    - -

    @request_token = @consumer.get_request_token \
    - :oauth_callback => “http://example.com/cb”

    - -

    To include application-specific parameters:

    - -

    @request_token = @consumer.get_request_token({}, :foo => “bar”)

    +

    Example:
    + @request_token = @consumer.get_request_token

    + +

    To include OAuth parameters:
    + @request_token = @consumer.get_request_token(
    + oauth_callback: “http://example.com/cb”
    + )

    + +

    To include application-specific parameters:
    + @request_token = @consumer.get_request_token({}, foo: “bar”)

    + +

    OAuth 1.0 vs 1.0a:

    +
      +
    • In 1.0a, the Consumer SHOULD send oauth_callback when obtaining a request token
      +(or explicitly use OUT_OF_BAND) and the Provider MUST include
      +oauth_callback_confirmed=true in the response.
    • +
    • This library defaults oauth_callback to OUT_OF_BAND (“oob”) when not provided,
      +which works for both 1.0 and 1.0a, and mirrors common provider behavior.
    • +
    • The oauth_callback_confirmed response is parsed by the token classes; it is not
      +part of the signature base string and thus is not signed.
    • +
    -

    TODO oauth_callback should be a mandatory parameter

    +

    TODO: In a future major release, oauth_callback may be made mandatory unless
    + request_options[:exclude_callback] is set, to reflect 1.0a guidance.

    +

    Parameters:

    +
      + +
    • + + request_options + + + (Hash) + + + (defaults to: {}) + + + — +

      OAuth options for the request. Notably
      +:oauth_callback can be set to a URL, or OAuth::OUT_OF_BAND (“oob”).

      +
      + +
    • + +
    • + + arguments + + + (Array) + + + + — +

      Optional POST body and headers

      +
      + +
    • +
    + +

    Yields:

    +
      + +
    • + + + (response_body) + + + + — +

      If a block is given, yields the raw response body.

      +
      + +
    • + +
    +

    Returns:

    +
    @@ -1704,34 +1884,34 @@

     
     
    -171
    -172
    -173
    -174
    -175
    -176
    -177
    -178
    -179
    -180
    -181
    -182
    -183
    -184
    -185
    -186
    -187
    -188
    -189
    -190
    -191
    -192
    -193
    -194
    -195
    +202 +203 +204 +205 +206 +207 +208 +209 +210 +211 +212 +213 +214 +215 +216 +217 +218 +219 +220 +221 +222 +223 +224 +225 +226

    @@ -427,12 +447,12 @@

     
     
    -30
    -31
    -32
    +52 +53 +54

    @@ -788,7 +832,7 @@

    diff --git a/docs/OAuth/OAuthTestHelper.html b/docs/OAuth/OAuthTestHelper.html
    index 2b669255..8e04643b 100644
    --- a/docs/OAuth/OAuthTestHelper.html
    +++ b/docs/OAuth/OAuthTestHelper.html
    @@ -240,7 +240,7 @@

    diff --git a/docs/OAuth/Optional.html b/docs/OAuth/Optional.html new file mode 100644 index 00000000..a524130d --- /dev/null +++ b/docs/OAuth/Optional.html @@ -0,0 +1,219 @@ + + + + + + + Module: OAuth::Optional + + — Documentation by YARD 0.9.37 + + + + + + + + + + + + + + + + + + + +
    + + +

    Module: OAuth::Optional + + + +

    +
    + + + + + + + + + + + +
    +
    Defined in:
    +
    lib/oauth/optional.rb
    +
    + +
    + +

    Overview

    +
    +

    Helpers for optional, lazily loaded integrations.

    + + +
    +
    +
    + + +
    + + + + + + + +

    + Class Method Summary + collapse +

    + + + + + + +
    +

    Class Method Details

    + + +
    +

    + + .em_http_available?Boolean + + + + + +

    +
    +

    Try to load EventMachine HTTP client support provided by em-http-request.

    + +

    Returns true if available, false if the dependency is not installed.
    +Never raises LoadError.

    + + +
    +
    +
    + +

    Returns:

    +
      + +
    • + + + (Boolean) + + + +
    • + +
    + +

    -
    # File 'lib/oauth/consumer.rb', line 171
    +      
    # File 'lib/oauth/consumer.rb', line 202
     
     def get_request_token(request_options = {}, *arguments, &block)
       # if oauth_callback wasn't provided, it is assumed that oauth_verifiers
    @@ -1818,12 +1998,12 @@ 

     
     
    -361
    -362
    -363
    +392 +393 +394

    -
    # File 'lib/oauth/consumer.rb', line 361
    +      
    # File 'lib/oauth/consumer.rb', line 392
     
     def proxy
       @options[:proxy]
    @@ -1866,42 +2046,42 @@ 

     
     
    -207
    -208
    -209
    -210
    -211
    -212
    -213
    -214
    -215
    -216
    -217
    -218
    -219
    -220
    -221
    -222
    -223
    -224
    -225
    -226
    -227
    -228
    -229
    -230
    -231
    -232
    -233
    -234
    -235
    -236
    -237
     238
    -239
    +239 +240 +241 +242 +243 +244 +245 +246 +247 +248 +249 +250 +251 +252 +253 +254 +255 +256 +257 +258 +259 +260 +261 +262 +263 +264 +265 +266 +267 +268 +269 +270

    -
    # File 'lib/oauth/consumer.rb', line 207
    +      
    # File 'lib/oauth/consumer.rb', line 238
     
     def request(http_method, path, token = nil, request_options = {}, *arguments)
       unless %r{^/} =~ path
    @@ -1956,14 +2136,14 @@ 

     
     
    -302
    -303
    -304
    -305
    -306
    +333 +334 +335 +336 +337

    -
    # File 'lib/oauth/consumer.rb', line 302
    +      
    # File 'lib/oauth/consumer.rb', line 333
     
     def request_endpoint
       return if @options[:request_endpoint].nil?
    @@ -1990,12 +2170,12 @@ 

     
     
    -312
    -313
    -314
    +343 +344 +345

    -
    # File 'lib/oauth/consumer.rb', line 312
    +      
    # File 'lib/oauth/consumer.rb', line 343
     
     def request_token_path
       @options[:request_token_path]
    @@ -2030,12 +2210,12 @@ 

     
     
    -329
    -330
    -331
    +360 +361 +362

    -
    # File 'lib/oauth/consumer.rb', line 329
    +      
    # File 'lib/oauth/consumer.rb', line 360
     
     def request_token_url
       @options[:request_token_url] || (site + request_token_path)
    @@ -2083,12 +2263,12 @@ 

     
     
    -333
    -334
    -335
    +364 +365 +366

    -
    # File 'lib/oauth/consumer.rb', line 333
    +      
    # File 'lib/oauth/consumer.rb', line 364
     
     def request_token_url?
       @options.key?(:request_token_url)
    @@ -2113,12 +2293,12 @@ 

     
     
    -308
    -309
    -310
    +339 +340 +341

    -
    # File 'lib/oauth/consumer.rb', line 308
    +      
    # File 'lib/oauth/consumer.rb', line 339
     
     def scheme
       @options[:scheme]
    @@ -2153,12 +2333,12 @@ 

     
     
    -289
    -290
    -291
    +320 +321 +322

    -
    # File 'lib/oauth/consumer.rb', line 289
    +      
    # File 'lib/oauth/consumer.rb', line 320
     
     def sign!(request, token = nil, request_options = {})
       request.oauth!(http, self, token, options.merge(request_options))
    @@ -2193,12 +2373,12 @@ 

     
     
    -294
    -295
    -296
    +325 +326 +327

    -
    # File 'lib/oauth/consumer.rb', line 294
    +      
    # File 'lib/oauth/consumer.rb', line 325
     
     def signature_base_string(request, token = nil, request_options = {})
       request.signature_base_string(http, self, token, options.merge(request_options))
    @@ -2233,46 +2413,46 @@ 

     
     
    -250
    -251
    -252
    -253
    -254
    -255
    -256
    -257
    -258
    -259
    -260
    -261
    -262
    -263
    -264
    -265
    -266
    -267
    -268
    -269
    -270
    -271
    -272
    -273
    -274
    -275
    -276
    -277
    -278
    -279
    -280
     281
     282
     283
     284
     285
    -286
    +286 +287 +288 +289 +290 +291 +292 +293 +294 +295 +296 +297 +298 +299 +300 +301 +302 +303 +304 +305 +306 +307 +308 +309 +310 +311 +312 +313 +314 +315 +316 +317

    -
    # File 'lib/oauth/consumer.rb', line 250
    +      
    # File 'lib/oauth/consumer.rb', line 281
     
     def token_request(http_method, path, token = nil, request_options = {}, *arguments)
       request_options[:token_request] ||= true
    @@ -2371,7 +2551,7 @@ 

    diff --git a/docs/OAuth/ConsumerToken.html b/docs/OAuth/ConsumerToken.html
    index 07067257..df97685a 100644
    --- a/docs/OAuth/ConsumerToken.html
    +++ b/docs/OAuth/ConsumerToken.html
    @@ -661,7 +661,7 @@

    diff --git a/docs/OAuth/Error.html b/docs/OAuth/Error.html
    index 4f98ee7c..6104ae08 100644
    --- a/docs/OAuth/Error.html
    +++ b/docs/OAuth/Error.html
    @@ -118,7 +118,7 @@

    Direct Known Subclasses

    diff --git a/docs/OAuth/Helper.html b/docs/OAuth/Helper.html
    index a2ce0b90..1ca69503 100644
    --- a/docs/OAuth/Helper.html
    +++ b/docs/OAuth/Helper.html
    @@ -338,13 +338,33 @@

    20 21 -22

    +22 +23 +24 +25 +26 +27 +28 +29 +30 +31 +32
    # File 'lib/oauth/helper.rb', line 20
     
     def _escape(string)
    -  URI::DEFAULT_PARSER.escape(string, OAuth::RESERVED_CHARACTERS)
    +  # Percent-encode per RFC 3986 (unreserved: A-Z a-z 0-9 - . _ ~)
    +  # Encode by byte to ensure stable behavior across Ruby versions and encodings.
    +  bytes = string.to_s.b.bytes
    +  bytes.map do |b|
    +    ch = b.chr
    +    if ch =~ OAuth::RESERVED_CHARACTERS
    +      "%%%02X" % b
    +    else
    +      ch
    +    end
    +  end.join
     end
    -
    # File 'lib/oauth/helper.rb', line 30
    +      
    # File 'lib/oauth/helper.rb', line 52
     
     def generate_key(size = 32)
       Base64.encode64(OpenSSL::Random.random_bytes(size)).gsub(/\W/, "")
    @@ -467,12 +487,12 @@ 

     
     
    -36
    -37
    -38
    +58 +59 +60

    -
    # File 'lib/oauth/helper.rb', line 36
    +      
    # File 'lib/oauth/helper.rb', line 58
     
     def generate_timestamp # :nodoc:
       Time.now.to_i.to_s
    @@ -513,30 +533,30 @@ 

     
     
    -47
    -48
    -49
    -50
    -51
    -52
    -53
    -54
    -55
    -56
    -57
    -58
    -59
    -60
    -61
    -62
    -63
    -64
    -65
    -66
    -67
    +69 +70 +71 +72 +73 +74 +75 +76 +77 +78 +79 +80 +81 +82 +83 +84 +85 +86 +87 +88 +89

    -
    # File 'lib/oauth/helper.rb', line 47
    +      
    # File 'lib/oauth/helper.rb', line 69
     
     def normalize(params)
       params.sort.map do |k, values|
    @@ -591,23 +611,23 @@ 

     
     
    -72
    -73
    -74
    -75
    -76
    -77
    -78
    -79
    -80
    -81
    -82
    -83
    -84
    -85
    +94 +95 +96 +97 +98 +99 +100 +101 +102 +103 +104 +105 +106 +107

    -
    # File 'lib/oauth/helper.rb', line 72
    +      
    # File 'lib/oauth/helper.rb', line 94
     
     def normalize_nested_query(value, prefix = nil)
       case value
    @@ -672,26 +692,26 @@ 

     
     
    -95
    -96
    -97
    -98
    -99
    -100
    -101
    -102
    -103
    -104
    -105
    -106
    -107
    -108
    -109
    -110
    -111
    +117 +118 +119 +120 +121 +122 +123 +124 +125 +126 +127 +128 +129 +130 +131 +132 +133

    -
    # File 'lib/oauth/helper.rb', line 95
    +      
    # File 'lib/oauth/helper.rb', line 117
     
     def parse_header(header)
       # decompose
    @@ -730,16 +750,16 @@ 

     
     
    -113
    -114
    -115
    -116
    -117
    -118
    -119
    +135 +136 +137 +138 +139 +140 +141

    -
    # File 'lib/oauth/helper.rb', line 113
    +      
    # File 'lib/oauth/helper.rb', line 135
     
     def stringify_keys(hash)
       new_h = {}
    @@ -768,15 +788,39 @@ 

     
     
    -24
    -25
    -26
    +34 +35 +36 +37 +38 +39 +40 +41 +42 +43 +44 +45 +46 +47 +48

    -
    # File 'lib/oauth/helper.rb', line 24
    +      
    # File 'lib/oauth/helper.rb', line 34
     
     def unescape(value)
    -  URI::DEFAULT_PARSER.unescape(value.gsub("+", "%2B"))
    +  # Do NOT treat "+" as space; OAuth treats '+' as a literal plus unless percent-encoded.
    +  str = value.to_s.gsub("+", "%2B")
    +  # Decode %HH sequences; leave malformed sequences intact.
    +  decoded = str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).to_i(16).chr }
    +  # Prefer UTF-8 when the decoded bytes form valid UTF-8; otherwise, return as binary.
    +  begin
    +    utf8 = decoded.dup
    +    utf8.force_encoding(Encoding::UTF_8)
    +    decoded = utf8 if utf8.valid_encoding?
    +  rescue NameError
    +    # Older Rubies without Encoding constants: keep original encoding.
    +  end
    +  decoded
     end
    + + + + +
    +
    +
    +
    +11
    +12
    +13
    +14
    +15
    +16
    +17
    +
    +
    # File 'lib/oauth/optional.rb', line 11
    +
    +def em_http_available?
    +  # em-http-request provides "em-http" entrypoint
    +  require "em-http"
    +  true
    +rescue LoadError
    +  false
    +end
    +
    + + + + + + + + + + +
\ No newline at end of file
diff --git a/docs/OAuth/Problem.html b/docs/OAuth/Problem.html
index ea4a1264..29c98d35 100644
--- a/docs/OAuth/Problem.html
+++ b/docs/OAuth/Problem.html
@@ -428,7 +428,7 @@

    diff --git a/docs/OAuth/RequestProxy.html b/docs/OAuth/RequestProxy.html
index aa8b538e..336e410d 100644
--- a/docs/OAuth/RequestProxy.html
+++ b/docs/OAuth/RequestProxy.html
@@ -289,7 +289,7 @@

    diff --git a/docs/OAuth/RequestProxy/ActionControllerRequest.html b/docs/OAuth/RequestProxy/ActionControllerRequest.html
index c4aad5bc..9b4629c4 100644
--- a/docs/OAuth/RequestProxy/ActionControllerRequest.html
+++ b/docs/OAuth/RequestProxy/ActionControllerRequest.html
@@ -326,7 +326,11 @@

    27 28 29 -30

    +30 +31 +32 +33 +34
    # File 'lib/oauth/request_proxy/action_controller_request.rb', line 22
    @@ -335,7 +339,11 @@ 

    if options[:clobber_request] options[:parameters] || {} else - params = request_params.merge(query_params).merge(header_params) + # Rails proxies should expose array-style values for params to align with + # historical oauth gem behavior / specs. Header params remain scalars. + rq = wrap_values(request_params) + qq = wrap_values(query_params) + params = rq.merge(qq).merge(header_params) params.stringify_keys! if params.respond_to?(:stringify_keys!) params.merge(options[:parameters] || {}) end @@ -372,10 +380,6 @@

     
     
    -35
    -36
    -37
    -38
     39
     40
     41
    @@ -388,10 +392,14 @@ 

    48 49 50 -51

    +51 +52 +53 +54 +55

    -
    # File 'lib/oauth/request_proxy/action_controller_request.rb', line 35
    +      
    # File 'lib/oauth/request_proxy/action_controller_request.rb', line 39
     
     def parameters_for_signature
       params = []
    @@ -453,12 +461,12 @@ 

     
     
    -53
    -54
    -55
    +57 +58 +59

    -
    # File 'lib/oauth/request_proxy/action_controller_request.rb', line 53
    +      
    # File 'lib/oauth/request_proxy/action_controller_request.rb', line 57
     
     def raw_post_signature?
       (request.post? || request.put?) && request.content_type.to_s.downcase.start_with?("application/x-www-form-urlencoded")
    @@ -491,7 +499,7 @@ 

    # File 'lib/oauth/request_proxy/action_controller_request.rb', line 18
     
     def uri
    -  request.url
    +  options[:uri] || request.url
     end

    + + + + +
    +
    +
    +
    +18
    +19
    +20
    +21
    +22
    +23
    +24
    +25
    +26
    +27
    +
    +
    # File 'lib/oauth/request_proxy/action_dispatch_request.rb', line 18
    +
    +def parameters
    +  if options[:clobber_request]
    +    options[:parameters] || {}
    +  else
    +    rq = wrap_values(request_params)
    +    qq = wrap_values(query_params)
    +    params = rq.merge(qq).merge(header_params)
    +    params.merge(options[:parameters] || {})
    +  end
    +end
    +
    +
    + +
    +

    + + #uriObject + + + + + +

    +
    +

    Prefer the explicitly provided URI, which carries scheme/host info
    +when ActionDispatch env may be minimal in tests.

    + + +
    +
    +
    + + +
    + + + + +
    +
    +
    +
    +12
    +13
    +14
    +
    +
    # File 'lib/oauth/request_proxy/action_dispatch_request.rb', line 12
    +
    +def uri
    +  options[:uri] || super
    +end
    +
    +
    + + +
diff --git a/docs/OAuth/RequestProxy/Base.html b/docs/OAuth/RequestProxy/Base.html
index 48160cea..fb817984 100644
--- a/docs/OAuth/RequestProxy/Base.html
+++ b/docs/OAuth/RequestProxy/Base.html
@@ -568,7 +568,7 @@

    -
    +

    OAuth 1.0a only: value returned to the Consumer after user authorization and required when exchanging a Request Token for an Access Token.

    @@ -1054,12 +1054,12 @@

     
     
    -89
    -90
    -91
    +92 +93 +94

    -
    # File 'lib/oauth/request_proxy/base.rb', line 89
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 92
     
     def non_oauth_parameters
       parameters.select { |k, _v| !OAuth::PARAMETERS.include?(k) }
    @@ -1094,12 +1094,12 @@ 

     
     
    -104
    -105
    -106
    +107 +108 +109

    -
    # File 'lib/oauth/request_proxy/base.rb', line 104
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 107
     
     def normalized_parameters
       normalize(parameters_for_signature)
    @@ -1134,13 +1134,13 @@ 

     
     
    -98
    -99
    -100
    -101
    +101 +102 +103 +104

    -
    # File 'lib/oauth/request_proxy/base.rb', line 98
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 101
     
     def normalized_uri
       u = URI.parse(uri)
    @@ -1250,15 +1250,15 @@ 

     
     
    -145
    -146
    -147
     148
     149
    -150
    +150 +151 +152 +153

    -
    # File 'lib/oauth/request_proxy/base.rb', line 145
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 148
     
     def oauth_header(options = {})
       header_params_str = oauth_parameters.map { |k, v| "#{k}=\"#{escape(v)}\"" }.join(", ")
    @@ -1320,12 +1320,12 @@ 

     
     
    -85
    -86
    -87
    +88 +89 +90

    -
    # File 'lib/oauth/request_proxy/base.rb', line 85
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 88
     
     def oauth_parameters
       parameters.select { |k, v| OAuth::PARAMETERS.include?(k) && !v.nil? && v != "" }
    @@ -1492,18 +1492,30 @@ 

    -

    +
    +
    +

    OAuth 1.0a only: value returned to the Consumer after user authorization
    +and required when exchanging a Request Token for an Access Token.
    +Not present in OAuth 1.0 flows.

    + + +
    +
    +
    + + +
     
     
    -59
    -60
    -61
    +62 +63 +64
    -
    # File 'lib/oauth/request_proxy/base.rb', line 59
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 62
     
     def oauth_verifier
       parameters["oauth_verifier"]
    @@ -1528,12 +1540,12 @@ 

     
     
    -63
    -64
    -65
    +66 +67 +68

    -
    # File 'lib/oauth/request_proxy/base.rb', line 63
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 66
     
     def oauth_version
       parameters["oauth_version"]
    @@ -1581,12 +1593,12 @@ 

     
     
    -77
    -78
    -79
    +80 +81 +82

    -
    # File 'lib/oauth/request_proxy/base.rb', line 77
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 80
     
     def parameters
       raise NotImplementedError, "Must be implemented by subclasses"
    @@ -1611,12 +1623,12 @@ 

     
     
    -81
    -82
    -83
    +84 +85 +86

    -
    # File 'lib/oauth/request_proxy/base.rb', line 81
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 84
     
     def parameters_for_signature
       parameters.select { |k, _v| !signature_and_unsigned_parameters.include?(k) }
    @@ -1664,16 +1676,16 @@ 

     
     
    -152
    -153
    -154
     155
     156
     157
    -158
    +158 +159 +160 +161

    -
    # File 'lib/oauth/request_proxy/base.rb', line 152
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 155
     
     def query_string_blank?
       if (uri = request.env["REQUEST_URI"])
    @@ -1702,12 +1714,12 @@ 

     
     
    -108
    -109
    -110
    +111 +112 +113

    -
    # File 'lib/oauth/request_proxy/base.rb', line 108
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 111
     
     def sign(options = {})
       OAuth::Signature.sign(self, options)
    @@ -1732,14 +1744,14 @@ 

     
     
    -112
    -113
    -114
     115
    -116
    +116 +117 +118 +119

    -
    # File 'lib/oauth/request_proxy/base.rb', line 112
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 115
     
     def sign!(options = {})
       parameters["oauth_signature"] = sign(options)
    @@ -1766,12 +1778,12 @@ 

     
     
    -93
    -94
    -95
    +96 +97 +98

    -
    # File 'lib/oauth/request_proxy/base.rb', line 93
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 96
     
     def signature_and_unsigned_parameters
       unsigned_parameters + ["oauth_signature"]
    @@ -1806,13 +1818,13 @@ 

     
     
    -119
    -120
    -121
    -122
    +122 +123 +124 +125

    -
    # File 'lib/oauth/request_proxy/base.rb', line 119
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 122
     
     def signature_base_string
       base = [method, normalized_uri, normalized_parameters]
    @@ -1861,12 +1873,12 @@ 

     
     
    -125
    -126
    -127
    +128 +129 +130

    -
    # File 'lib/oauth/request_proxy/base.rb', line 125
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 128
     
     def signed?
       @signed
    @@ -1901,9 +1913,6 @@ 

     
     
    -130
    -131
    -132
     133
     134
     135
    @@ -1913,10 +1922,13 @@ 

    139 140 141 -142

    +142 +143 +144 +145

    -
    # File 'lib/oauth/request_proxy/base.rb', line 130
    +      
    # File 'lib/oauth/request_proxy/base.rb', line 133
     
     def signed_uri(with_oauth: true)
       if signed?
    @@ -1941,7 +1953,7 @@ 

    diff --git a/docs/OAuth/RequestProxy/Curl.html b/docs/OAuth/RequestProxy/Curl.html
index e31855e3..17db00e9 100644
--- a/docs/OAuth/RequestProxy/Curl.html
+++ b/docs/OAuth/RequestProxy/Curl.html
@@ -105,7 +105,7 @@

    Defined Under Namespace

    diff --git a/docs/OAuth/RequestProxy/Curl/Easy.html b/docs/OAuth/RequestProxy/Curl/Easy.html
index 954cd148..7dfb9897 100644
--- a/docs/OAuth/RequestProxy/Curl/Easy.html
+++ b/docs/OAuth/RequestProxy/Curl/Easy.html
@@ -330,7 +330,7 @@

    diff --git a/docs/OAuth/RequestProxy/EventMachine.html b/docs/OAuth/RequestProxy/EventMachine.html
index c89c5da6..e76c6c87 100644
--- a/docs/OAuth/RequestProxy/EventMachine.html
+++ b/docs/OAuth/RequestProxy/EventMachine.html
@@ -105,7 +105,7 @@

    Defined Under Namespace

    diff --git a/docs/OAuth/RequestProxy/EventMachine/HttpRequest.html b/docs/OAuth/RequestProxy/EventMachine/HttpRequest.html
index b372d87f..efcbb08b 100644
--- a/docs/OAuth/RequestProxy/EventMachine/HttpRequest.html
+++ b/docs/OAuth/RequestProxy/EventMachine/HttpRequest.html
@@ -340,7 +340,7 @@

    diff --git a/docs/OAuth/RequestProxy/JabberRequest.html b/docs/OAuth/RequestProxy/JabberRequest.html
index f456ef6b..53e098dc 100644
--- a/docs/OAuth/RequestProxy/JabberRequest.html
+++ b/docs/OAuth/RequestProxy/JabberRequest.html
@@ -417,7 +417,7 @@

    diff --git a/docs/OAuth/RequestProxy/MockRequest.html b/docs/OAuth/RequestProxy/MockRequest.html
index f9963627..42b82047 100644
--- a/docs/OAuth/RequestProxy/MockRequest.html
+++ b/docs/OAuth/RequestProxy/MockRequest.html
@@ -407,7 +407,7 @@

    diff --git a/docs/OAuth/RequestProxy/Net.html b/docs/OAuth/RequestProxy/Net.html
index 41c8f3bf..75629671 100644
--- a/docs/OAuth/RequestProxy/Net.html
+++ b/docs/OAuth/RequestProxy/Net.html
@@ -105,7 +105,7 @@

    Defined Under Namespace

    diff --git a/docs/OAuth/RequestProxy/Net/HTTP.html b/docs/OAuth/RequestProxy/Net/HTTP.html
index 434cf263..4df05347 100644
--- a/docs/OAuth/RequestProxy/Net/HTTP.html
+++ b/docs/OAuth/RequestProxy/Net/HTTP.html
@@ -105,7 +105,7 @@

    Defined Under Namespace

    diff --git a/docs/OAuth/RequestProxy/Net/HTTP/HTTPRequest.html b/docs/OAuth/RequestProxy/Net/HTTP/HTTPRequest.html
index 36a5e881..b2c078c8 100644
--- a/docs/OAuth/RequestProxy/Net/HTTP/HTTPRequest.html
+++ b/docs/OAuth/RequestProxy/Net/HTTP/HTTPRequest.html
@@ -383,7 +383,7 @@

    diff --git a/docs/OAuth/RequestProxy/RackRequest.html b/docs/OAuth/RequestProxy/RackRequest.html
index a9a29eac..a7fbbbe3 100644
--- a/docs/OAuth/RequestProxy/RackRequest.html
+++ b/docs/OAuth/RequestProxy/RackRequest.html
@@ -389,7 +389,7 @@

    diff --git a/docs/OAuth/RequestProxy/RestClient.html b/docs/OAuth/RequestProxy/RestClient.html
index c2d9a6a6..76090a94 100644
--- a/docs/OAuth/RequestProxy/RestClient.html
+++ b/docs/OAuth/RequestProxy/RestClient.html
@@ -105,7 +105,7 @@

    Defined Under Namespace

    diff --git a/docs/OAuth/RequestProxy/RestClient/Request.html b/docs/OAuth/RequestProxy/RestClient/Request.html
index c2060756..597f817e 100644
--- a/docs/OAuth/RequestProxy/RestClient/Request.html
+++ b/docs/OAuth/RequestProxy/RestClient/Request.html
@@ -330,7 +330,7 @@

    diff --git a/docs/OAuth/RequestProxy/Typhoeus.html b/docs/OAuth/RequestProxy/Typhoeus.html
index 88365dca..c3fccf88 100644
--- a/docs/OAuth/RequestProxy/Typhoeus.html
+++ b/docs/OAuth/RequestProxy/Typhoeus.html
@@ -105,7 +105,7 @@

    Defined Under Namespace

    diff --git a/docs/OAuth/RequestProxy/Typhoeus/Request.html b/docs/OAuth/RequestProxy/Typhoeus/Request.html
index b27c3fab..0161d100 100644
--- a/docs/OAuth/RequestProxy/Typhoeus/Request.html
+++ b/docs/OAuth/RequestProxy/Typhoeus/Request.html
@@ -332,7 +332,7 @@

    diff --git a/docs/OAuth/RequestProxy/UnknownRequestType.html b/docs/OAuth/RequestProxy/UnknownRequestType.html
index 6df208af..bef2a962 100644
--- a/docs/OAuth/RequestProxy/UnknownRequestType.html
+++ b/docs/OAuth/RequestProxy/UnknownRequestType.html
@@ -114,7 +114,7 @@
diff --git a/docs/OAuth/RequestToken.html b/docs/OAuth/RequestToken.html
index 45dac62e..81c30c73 100644
--- a/docs/OAuth/RequestToken.html
+++ b/docs/OAuth/RequestToken.html
@@ -473,7 +473,7 @@

    diff --git a/docs/OAuth/Server.html b/docs/OAuth/Server.html
index 642d1295..05f6ab6d 100644
--- a/docs/OAuth/Server.html
+++ b/docs/OAuth/Server.html
@@ -830,7 +830,7 @@

    diff --git a/docs/OAuth/ServerToken.html b/docs/OAuth/ServerToken.html
index 5bbf56e4..9442213e 100644
--- a/docs/OAuth/ServerToken.html
+++ b/docs/OAuth/ServerToken.html
@@ -230,7 +230,7 @@

    diff --git a/docs/OAuth/Signature.html b/docs/OAuth/Signature.html
index 8596ca91..b2902c17 100644
--- a/docs/OAuth/Signature.html
+++ b/docs/OAuth/Signature.html
@@ -535,7 +535,7 @@

    diff --git a/docs/OAuth/Signature/Base.html b/docs/OAuth/Signature/Base.html
index e588c56b..220baff4 100644
--- a/docs/OAuth/Signature/Base.html
+++ b/docs/OAuth/Signature/Base.html
@@ -915,7 +915,7 @@

    diff --git a/docs/OAuth/Signature/HMAC.html b/docs/OAuth/Signature/HMAC.html
index 89059654..8582d78a 100644
--- a/docs/OAuth/Signature/HMAC.html
+++ b/docs/OAuth/Signature/HMAC.html
@@ -107,7 +107,7 @@

    Defined Under Namespace

    diff --git a/docs/OAuth/Signature/HMAC/SHA1.html b/docs/OAuth/Signature/HMAC/SHA1.html
index 1a31f41e..2bfdcb8d 100644
--- a/docs/OAuth/Signature/HMAC/SHA1.html
+++ b/docs/OAuth/Signature/HMAC/SHA1.html
@@ -216,7 +216,7 @@

    diff --git a/docs/OAuth/Signature/HMAC/SHA256.html b/docs/OAuth/Signature/HMAC/SHA256.html
index 341694ab..9211eb00 100644
--- a/docs/OAuth/Signature/HMAC/SHA256.html
+++ b/docs/OAuth/Signature/HMAC/SHA256.html
@@ -216,7 +216,7 @@

    diff --git a/docs/OAuth/Signature/PLAINTEXT.html b/docs/OAuth/Signature/PLAINTEXT.html
index f6b3e86d..8901c040 100644
--- a/docs/OAuth/Signature/PLAINTEXT.html
+++ b/docs/OAuth/Signature/PLAINTEXT.html
@@ -375,7 +375,7 @@

    diff --git a/docs/OAuth/Signature/RSA.html b/docs/OAuth/Signature/RSA.html
index b075b17a..104f22a9 100644
--- a/docs/OAuth/Signature/RSA.html
+++ b/docs/OAuth/Signature/RSA.html
@@ -105,7 +105,7 @@

    Defined Under Namespace

    diff --git a/docs/OAuth/Signature/RSA/SHA1.html b/docs/OAuth/Signature/RSA/SHA1.html
index e1e5dc8f..d8736c52 100644
--- a/docs/OAuth/Signature/RSA/SHA1.html
+++ b/docs/OAuth/Signature/RSA/SHA1.html
@@ -352,7 +352,7 @@

    diff --git a/docs/OAuth/Signature/UnknownSignatureMethod.html b/docs/OAuth/Signature/UnknownSignatureMethod.html
index b86db311..7e694f79 100644
--- a/docs/OAuth/Signature/UnknownSignatureMethod.html
+++ b/docs/OAuth/Signature/UnknownSignatureMethod.html
@@ -114,7 +114,7 @@
diff --git a/docs/OAuth/Token.html b/docs/OAuth/Token.html
index 461a86cc..c613c120 100644
--- a/docs/OAuth/Token.html
+++ b/docs/OAuth/Token.html
@@ -428,7 +428,7 @@

    diff --git a/docs/OAuth/Unauthorized.html b/docs/OAuth/Unauthorized.html
index 4a4f8212..e2596d58 100644
--- a/docs/OAuth/Unauthorized.html
+++ b/docs/OAuth/Unauthorized.html
@@ -351,7 +351,7 @@

    diff --git a/docs/OAuth/Version.html b/docs/OAuth/Version.html
index 10727d86..1f5c53c9 100644
--- a/docs/OAuth/Version.html
+++ b/docs/OAuth/Version.html
@@ -111,7 +111,7 @@

    diff --git a/docs/_index.html b/docs/_index.html
index c9bd9d69..a4e5df9a 100644
--- a/docs/_index.html
+++ b/docs/_index.html
@@ -369,6 +369,13 @@

    Namespace Listing A-Z

    +
  • + Optional + + (OAuth) + +
  • + @@ -583,7 +590,7 @@

    Namespace Listing A-Z

    diff --git a/docs/class_list.html b/docs/class_list.html
index cca39ba9..8e1be508 100644
--- a/docs/class_list.html
+++ b/docs/class_list.html
@@ -46,7 +46,7 @@

    Class List

    diff --git a/docs/file.CHANGELOG.html b/docs/file.CHANGELOG.html
index ad6d6ef9..08d696fb 100644
--- a/docs/file.CHANGELOG.html
+++ b/docs/file.CHANGELOG.html
@@ -71,14 +71,28 @@

    Unreleased

    Added

      -
    • kettle-dev v1.1.18 +
    • kettle-dev v1.1.18
    • +
    • Internal escape & unescape methods +
        +
      • Stop relying on URI / CGI for escaping and unescaping
      • +
      • They are both unstable across supported versions of Ruby (including 3.5 HEAD)
      • +
      +
    • +
    • Tests against Rails-specific code are now run in CI
    • +
    • Documented OAuth 1.0, 1.0a differences

      Changed

    • converted minitest => rspec

      Deprecated

      Removed

      -

      Fixed

      -

      Security

      +
    • +
    • dependency on em-http-request +
        +
      • now lazy Loaded so it can be optional, since some systems fail to install it, and it doesn’t seem maintained +

        Fixed

        +

        Security

        +
      • +
    @@ -676,7 +690,7 @@

    Added

    diff --git a/docs/file.CITATION.html b/docs/file.CITATION.html
index 776c0141..78c697fc 100644
--- a/docs/file.CITATION.html
+++ b/docs/file.CITATION.html
@@ -82,7 +82,7 @@
diff --git a/docs/file.CODE_OF_CONDUCT.html b/docs/file.CODE_OF_CONDUCT.html
index ef4a0d83..84b063fe 100644
--- a/docs/file.CODE_OF_CONDUCT.html
+++ b/docs/file.CODE_OF_CONDUCT.html
@@ -191,7 +191,7 @@

    Attribution

    diff --git a/docs/file.CONTRIBUTING.html b/docs/file.CONTRIBUTING.html
index 332d6e97..4f3a7716 100644
--- a/docs/file.CONTRIBUTING.html
+++ b/docs/file.CONTRIBUTING.html
@@ -308,7 +308,7 @@

    Manual process

    diff --git a/docs/file.FUNDING.html b/docs/file.FUNDING.html
index 2c7db7a3..e66a1f7a 100644
--- a/docs/file.FUNDING.html
+++ b/docs/file.FUNDING.html
@@ -104,7 +104,7 @@

    Another Way to Support Open
diff --git a/docs/file.LICENSE.html b/docs/file.LICENSE.html
index 78a65b77..e33e0ff7 100644
--- a/docs/file.LICENSE.html
+++ b/docs/file.LICENSE.html
@@ -60,7 +60,7 @@
    The MIT License (MIT)

    Copyright (c) 2020-2025 Peter H. Boling, of Galtzo.com, and oauth contributors
    Copyright (c) 2007-2012, 2016-2017 Blaine Cook, Larry Halff, Pelle Braendgaard

    Permission is hereby granted, free of charge, to any person obtaining a copy
    of this software and associated documentation files (the "Software"), to deal
    in the Software without restriction, including without limitation the rights
    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    copies of the Software, and to permit persons to whom the Software is
    furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in
    all copies or substantial portions of the Software.

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    THE SOFTWARE.
    diff --git a/docs/file.README.html b/docs/file.README.html
index 9163133c..1c2ec0f2 100644
--- a/docs/file.README.html
+++ b/docs/file.README.html
@@ -84,6 +84,43 @@

    🌻 Synopsis

    oauth2 sibling gem for OAuth 2.0 implementations in Ruby. +

    OAuth 1.0 vs 1.0a: What this library implements

    + +

    This gem targets the OAuth 1.0a behavior (the errata that became RFC 5849), while maintaining compatibility with providers that still behave like classic 1.0.
    +Here are the key lines between the two and how this gem handles them:

    + +
      +
    • oauth_callback +
        +
      • 1.0: Optional in practice; some providers accepted flows without it.
      • +
      • 1.0a: Consumer SHOULD send oauth_callback when obtaining a Request Token, or explicitly use the out-of-band value “oob”.
      • +
      • This gem: If you do not pass oauth_callback, we default it to “oob” (OUT_OF_BAND). You can opt-out by passing exclude_callback: true.
      • +
      +
    • +
    • oauth_callback_confirmed +
        +
      • 1.0: Not specified.
      • +
      • 1.0a: Service Provider MUST return oauth_callback_confirmed=true with the Request Token response. This mitigates session fixation.
      • +
      • This gem: Parses token responses but does not include oauth_callback_confirmed in the signature base string (it is a response param, not a signed request param).
      • +
      +
    • +
    • oauth_verifier +
        +
      • 1.0: Not present.
      • +
      • 1.0a: After the user authorizes, the Provider returns an oauth_verifier to the Consumer, and the Consumer MUST include it when exchanging the Request Token for an Access Token.
      • +
      • This gem: Supports oauth_verifier across request helpers and request proxies; pass oauth_verifier to get_access_token in 3‑legged flows.
      • +
      +
    • +
    + +

    Practical guidance:

    +
      +
    • For 3‑legged flows, always supply oauth_callback when calling consumer.get_request_token, and include oauth_verifier when calling request_token.get_access_token.
    • +
    • For command‑line or non-HTTP clients, use the special OUT_OF_BAND value (“oob”) as the oauth_callback and prompt the user to paste back the displayed verifier.
    • +
    + +

    References: RFC 5849 (OAuth 1.0), sections 5–7; 1.0a security errata.

    +

    OAuth Ruby has been maintained by a large number of talented
    individuals over the years.
    The primary maintainer since 2020 is Peter Boling (@pboling).

    @@ -552,7 +589,7 @@

    Please give the project a star ⭐ ♥
diff --git a/docs/file.REEK.html b/docs/file.REEK.html
index a0fc47a4..d576468b 100644
--- a/docs/file.REEK.html
+++ b/docs/file.REEK.html
@@ -61,7 +61,7 @@
diff --git a/docs/file.RUBOCOP.html b/docs/file.RUBOCOP.html
index 974313be..ffbc1200 100644
--- a/docs/file.RUBOCOP.html
+++ b/docs/file.RUBOCOP.html
@@ -161,7 +161,7 @@

    Benefits of rubocop_gradual

    diff --git a/docs/file.SECURITY.html b/docs/file.SECURITY.html
index 62b77c04..39630bf9 100644
--- a/docs/file.SECURITY.html
+++ b/docs/file.SECURITY.html
@@ -128,7 +128,7 @@

    Additional Support

    diff --git a/docs/index.html b/docs/index.html
index 78464185..0aa93e60 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -84,6 +84,43 @@

    🌻 Synopsis

    oauth2 sibling gem for OAuth 2.0 implementations in Ruby. +

    OAuth 1.0 vs 1.0a: What this library implements

    + +

    This gem targets the OAuth 1.0a behavior (the errata that became RFC 5849), while maintaining compatibility with providers that still behave like classic 1.0.
    +Here are the key lines between the two and how this gem handles them:

    + +
      +
    • oauth_callback +
        +
      • 1.0: Optional in practice; some providers accepted flows without it.
      • +
      • 1.0a: Consumer SHOULD send oauth_callback when obtaining a Request Token, or explicitly use the out-of-band value “oob”.
      • +
      • This gem: If you do not pass oauth_callback, we default it to “oob” (OUT_OF_BAND). You can opt-out by passing exclude_callback: true.
      • +
      +
    • +
    • oauth_callback_confirmed +
        +
      • 1.0: Not specified.
      • +
      • 1.0a: Service Provider MUST return oauth_callback_confirmed=true with the Request Token response. This mitigates session fixation.
      • +
      • This gem: Parses token responses but does not include oauth_callback_confirmed in the signature base string (it is a response param, not a signed request param).
      • +
      +
    • +
    • oauth_verifier +
        +
      • 1.0: Not present.
      • +
      • 1.0a: After the user authorizes, the Provider returns an oauth_verifier to the Consumer, and the Consumer MUST include it when exchanging the Request Token for an Access Token.
      • +
      • This gem: Supports oauth_verifier across request helpers and request proxies; pass oauth_verifier to get_access_token in 3‑legged flows.
      • +
      +
    • +
    + +

    Practical guidance:

    +
      +
    • For 3‑legged flows, always supply oauth_callback when calling consumer.get_request_token, and include oauth_verifier when calling request_token.get_access_token.
    • +
    • For command‑line or non-HTTP clients, use the special OUT_OF_BAND value (“oob”) as the oauth_callback and prompt the user to paste back the displayed verifier.
    • +
    + +

    References: RFC 5849 (OAuth 1.0), sections 5–7; 1.0a security errata.

    +

    OAuth Ruby has been maintained by a large number of talented
    individuals over the years.
    The primary maintainer since 2020 is Peter Boling (@pboling).

    @@ -552,7 +589,7 @@

    Please give the project a star ⭐ ♥
diff --git a/docs/method_list.html b/docs/method_list.html
index e3111ba2..ba3ee007 100644
--- a/docs/method_list.html
+++ b/docs/method_list.html
@@ -368,6 +368,14 @@

    Method List

  • +
    + em_http_available? + OAuth::Optional +
    +
  • + + +
  • escape OAuth::Helper @@ -375,7 +383,7 @@

    Method List

  • -
  • +
  • from_hash OAuth::ConsumerToken @@ -383,7 +391,7 @@

    Method List

  • -
  • +
  • #generate_consumer_credentials OAuth::Server @@ -391,7 +399,7 @@

    Method List

  • -
  • +
  • #generate_credentials OAuth::Server @@ -399,7 +407,7 @@

    Method List

  • -
  • +
  • generate_key OAuth::Helper @@ -407,7 +415,7 @@

    Method List

  • -
  • +
  • generate_timestamp OAuth::Helper @@ -415,7 +423,7 @@

    Method List

  • -
  • +
  • #get OAuth::AccessToken @@ -423,7 +431,7 @@

    Method List

  • -
  • +
  • #get_access_token OAuth::Consumer @@ -431,7 +439,7 @@

    Method List

  • -
  • +
  • #get_access_token OAuth::RequestToken @@ -439,7 +447,7 @@

    Method List

  • -
  • +
  • #get_request_token OAuth::Consumer @@ -447,7 +455,7 @@

    Method List

  • -
  • +
  • #hash_body OAuth::Client::Helper @@ -455,7 +463,7 @@

    Method List

  • -
  • +
  • #head OAuth::AccessToken @@ -463,7 +471,7 @@

    Method List

  • -
  • +
  • #header OAuth::Client::Helper @@ -471,7 +479,7 @@

    Method List

  • -
  • +
  • #http OAuth::Consumer @@ -479,7 +487,7 @@

    Method List

  • -
  • +
  • #http_method OAuth::Consumer @@ -487,7 +495,7 @@

    Method List

  • -
  • +
  • implements OAuth::Signature::Base @@ -495,7 +503,7 @@

    Method List

  • -
  • +
  • #initialize OAuth::Server @@ -503,7 +511,7 @@

    Method List

  • -
  • +
  • #initialize OAuth::Consumer @@ -511,7 +519,7 @@

    Method List

  • -
  • +
  • #initialize OAuth::Token @@ -519,7 +527,7 @@

    Method List

  • -
  • +
  • #initialize OAuth::Client::Helper @@ -527,7 +535,7 @@

    Method List

  • -
  • +
  • #initialize OAuth::Problem @@ -535,7 +543,7 @@

    Method List

  • -
  • +
  • #initialize OAuth::Signature::Base @@ -543,7 +551,7 @@

    Method List

  • -
  • +
  • #initialize OAuth::RequestProxy::Base @@ -551,7 +559,7 @@

    Method List

  • -
  • +
  • #initialize OAuth::Unauthorized @@ -559,7 +567,7 @@

    Method List

  • -
  • +
  • #initialize OAuth::ServerToken @@ -567,7 +575,7 @@

    Method List

  • -
  • +
  • #initialize OAuth::ConsumerToken @@ -575,7 +583,7 @@

    Method List

  • -
  • +
  • #key OAuth::Consumer @@ -583,7 +591,7 @@

    Method List

  • -
  • +
  • #method OAuth::RequestProxy::Net::HTTP::HTTPRequest @@ -591,7 +599,7 @@

    Method List

  • -
  • +
  • #method OAuth::RequestProxy::Curl::Easy @@ -599,7 +607,7 @@

    Method List

  • -
  • +
  • #method OAuth::RequestProxy::MockRequest @@ -607,7 +615,7 @@

    Method List

  • -
  • +
  • #method OAuth::RequestProxy::RackRequest @@ -615,7 +623,7 @@

    Method List

  • -
  • +
  • #method OAuth::RequestProxy::JabberRequest @@ -623,7 +631,7 @@

    Method List

  • -
  • +
  • #method OAuth::RequestProxy::EventMachine::HttpRequest @@ -631,7 +639,7 @@

    Method List

  • -
  • +
  • #method OAuth::RequestProxy::Typhoeus::Request @@ -639,7 +647,7 @@

    Method List

  • -
  • +
  • #method OAuth::RequestProxy::RestClient::Request @@ -647,7 +655,7 @@

    Method List

  • -
  • +
  • #method OAuth::RequestProxy::ActionControllerRequest @@ -655,7 +663,7 @@

    Method List

  • -
  • +
  • #mock_incoming_request_with_authorize_header OAuth::OAuthTestHelper @@ -663,7 +671,7 @@

    Method List

  • -
  • +
  • #mock_incoming_request_with_query OAuth::OAuthTestHelper @@ -671,7 +679,7 @@

    Method List

  • -
  • +
  • #non_oauth_parameters OAuth::RequestProxy::Base @@ -679,7 +687,7 @@

    Method List

  • -
  • +
  • #nonce OAuth::Client::Helper @@ -687,7 +695,7 @@

    Method List

  • -
  • +
  • normalize OAuth::Helper @@ -695,7 +703,7 @@

    Method List

  • -
  • +
  • normalize_nested_query OAuth::Helper @@ -703,7 +711,7 @@

    Method List

  • -
  • +
  • #normalize_uri EventMachine::HttpClient @@ -711,7 +719,7 @@

    Method List

  • -
  • +
  • #normalized_parameters OAuth::RequestProxy::Base @@ -719,7 +727,7 @@

    Method List

  • -
  • +
  • #normalized_uri OAuth::RequestProxy::Base @@ -727,7 +735,7 @@

    Method List

  • -
  • +
  • #normalized_uri OAuth::RequestProxy::MockRequest @@ -735,7 +743,7 @@

    Method List

  • -
  • +
  • #normalized_uri OAuth::RequestProxy::JabberRequest @@ -743,7 +751,7 @@

    Method List

  • -
  • +
  • #oauth! EventMachine::HttpClient @@ -751,7 +759,7 @@

    Method List

  • -
  • +
  • #oauth! Net::HTTPGenericRequest @@ -759,7 +767,7 @@

    Method List

  • -
  • +
  • #oauth_callback OAuth::RequestProxy::Base @@ -767,7 +775,7 @@

    Method List

  • -
  • +
  • #oauth_consumer_key OAuth::RequestProxy::Base @@ -775,7 +783,7 @@

    Method List

  • -
  • +
  • #oauth_header OAuth::RequestProxy::Base @@ -783,7 +791,7 @@

    Method List

  • -
  • +
  • #oauth_helper EventMachine::HttpClient @@ -791,7 +799,7 @@

    Method List

  • -
  • +
  • #oauth_helper Net::HTTPGenericRequest @@ -799,7 +807,7 @@

    Method List

  • -
  • +
  • #oauth_nonce OAuth::RequestProxy::Base @@ -807,7 +815,7 @@

    Method List

  • -
  • +
  • #oauth_parameters OAuth::Client::Helper @@ -815,7 +823,7 @@

    Method List

  • -
  • +
  • #oauth_parameters OAuth::RequestProxy::Base @@ -823,7 +831,7 @@

    Method List

  • -
  • +
  • #oauth_signature OAuth::RequestProxy::Base @@ -831,7 +839,7 @@

    Method List

  • -
  • +
  • #oauth_signature_method OAuth::RequestProxy::Base @@ -839,7 +847,7 @@

    Method List

  • -
  • +
  • #oauth_timestamp OAuth::RequestProxy::Base @@ -847,7 +855,7 @@

    Method List

  • -
  • +
  • #oauth_token OAuth::RequestProxy::Base @@ -855,7 +863,7 @@

    Method List

  • -
  • +
  • #oauth_verifier OAuth::RequestProxy::Base @@ -863,7 +871,7 @@

    Method List

  • -
  • +
  • #oauth_version OAuth::RequestProxy::Base @@ -871,7 +879,7 @@

    Method List

  • -
  • +
  • #options OAuth::Consumer @@ -879,7 +887,7 @@

    Method List

  • -
  • +
  • #options OAuth::Client::Helper @@ -887,7 +895,7 @@

    Method List

  • -
  • +
  • #options OAuth::Signature::Base @@ -895,7 +903,7 @@

    Method List

  • -
  • +
  • #options OAuth::RequestProxy::Base @@ -903,7 +911,7 @@

    Method List

  • -
  • +
  • #parameters OAuth::Client::Helper @@ -911,7 +919,7 @@

    Method List

  • -
  • +
  • #parameters OAuth::RequestProxy::Base @@ -919,7 +927,7 @@

    Method List

  • -
  • +
  • #parameters OAuth::RequestProxy::Net::HTTP::HTTPRequest @@ -927,7 +935,7 @@

    Method List

  • -
  • +
  • #parameters OAuth::RequestProxy::Curl::Easy @@ -935,7 +943,7 @@

    Method List

  • -
  • +
  • #parameters OAuth::RequestProxy::MockRequest @@ -943,7 +951,7 @@

    Method List

  • -
  • +
  • #parameters OAuth::RequestProxy::RackRequest @@ -951,7 +959,7 @@

    Method List

  • -
  • +
  • #parameters OAuth::RequestProxy::JabberRequest @@ -959,7 +967,7 @@

    Method List

  • -
  • +
  • #parameters OAuth::RequestProxy::EventMachine::HttpRequest @@ -967,7 +975,7 @@

    Method List

  • -
  • +
  • #parameters OAuth::RequestProxy::Typhoeus::Request @@ -975,7 +983,7 @@

    Method List

  • -
  • +
  • #parameters OAuth::RequestProxy::RestClient::Request @@ -983,6 +991,14 @@

    Method List

  • +
  • +
    + #parameters + OAuth::RequestProxy::ActionDispatchRequest +
    +
  • + +
  • #parameters @@ -1616,6 +1632,14 @@

    Method List

  • +
    + #uri + OAuth::RequestProxy::ActionDispatchRequest +
    +
  • + + +
  • #uri OAuth::RequestProxy::ActionControllerRequest @@ -1623,7 +1647,7 @@

    Method List

  • -
  • +
  • use_oauth? ActionController::TestRequest @@ -1631,7 +1655,7 @@

    Method List

  • -
  • +
  • verify OAuth::Signature @@ -1639,7 +1663,7 @@

    Method List

  • -
  • +
  • #verify OAuth::Signature::Base diff --git a/docs/top-level-namespace.html b/docs/top-level-namespace.html index e2f7a493..dc905275 100644 --- a/docs/top-level-namespace.html +++ b/docs/top-level-namespace.html @@ -100,7 +100,7 @@

    Defined Under Namespace

    diff --git a/lib/oauth/consumer.rb b/lib/oauth/consumer.rb index 595aaef5..50607e89 100644 --- a/lib/oauth/consumer.rb +++ b/lib/oauth/consumer.rb @@ -142,6 +142,21 @@ def uri(custom_uri = nil) end end + # Exchanges a verified Request Token for an Access Token. + # + # OAuth 1.0 vs 1.0a: + # - 1.0a requires including oauth_verifier (as returned by the Provider after + # user authorization) when performing this exchange in a 3‑legged flow. + # - 1.0 flows did not include oauth_verifier. + # + # Usage (3‑legged): + # access_token = request_token.get_access_token(oauth_verifier: params[:oauth_verifier]) + # + # @param request_token [OAuth::RequestToken] The authorized request token + # @param request_options [Hash] OAuth or request options (include :oauth_verifier for 1.0a) + # @param arguments [Array] Optional POST body and headers + # @yield [response_body] If a block is given, yields the raw response body. + # @return [OAuth::AccessToken] def get_access_token(request_token, request_options = {}, *arguments, &block) response = token_request( http_method, 
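Review bot: The usage example in the new comment calls `request_token.get_access_token(...)`, so the method actually being documented (`Consumer#get_access_token(request_token, request_options, ...)` with its `@param request_token`) never appears in its own example; add `#   access_token = consumer.get_access_token(request_token, oauth_verifier: params[:oauth_verifier])` alongside or instead of it. The comment also says 1.0a "requires" oauth_verifier but, as far as this hunk shows, nothing in the method checks that `:oauth_verifier` was supplied, so the caller should be told that the omission is only detected by the Provider rejecting the exchange. A caveat such as `# NOTE: this method does not check that :oauth_verifier is present; a 1.0a Provider will reject the exchange without it, and a verifier must only be used with the request token it was issued for` would make that explicit. The method body continues past the end of the hunk.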
@@ -156,18 +171,34 @@ def get_access_token(request_token, request_options = {}, *arguments, &block) # Makes a request to the service for a new OAuth::RequestToken # - # @request_token = @consumer.get_request_token + # Example: + # @request_token = @consumer.get_request_token # # To include OAuth parameters: - # - # @request_token = @consumer.get_request_token \ - # :oauth_callback => "http://example.com/cb" + # @request_token = @consumer.get_request_token( + # oauth_callback: "http://example.com/cb" + # ) # # To include application-specific parameters: + # @request_token = @consumer.get_request_token({}, foo: "bar") + # + # OAuth 1.0 vs 1.0a: + # - In 1.0a, the Consumer SHOULD send oauth_callback when obtaining a request token + # (or explicitly use OUT_OF_BAND) and the Provider MUST include + # oauth_callback_confirmed=true in the response. + # - This library defaults oauth_callback to OUT_OF_BAND ("oob") when not provided, + # which works for both 1.0 and 1.0a, and mirrors common provider behavior. + # - The oauth_callback_confirmed response is parsed by the token classes; it is not + # part of the signature base string and thus is not signed. # - # @request_token = @consumer.get_request_token({}, :foo => "bar") + # TODO: In a future major release, oauth_callback may be made mandatory unless + # request_options[:exclude_callback] is set, to reflect 1.0a guidance. # - # TODO oauth_callback should be a mandatory parameter + # @param request_options [Hash] OAuth options for the request. Notably + # :oauth_callback can be set to a URL, or OAuth::OUT_OF_BAND ("oob"). + # @param arguments [Array] Optional POST body and headers + # @yield [response_body] If a block is given, yields the raw response body. + # @return [OAuth::RequestToken] def get_request_token(request_options = {}, *arguments, &block) # if oauth_callback wasn't provided, it is assumed that oauth_verifiers # will be exchanged out of band 
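Review bot: "the Consumer SHOULD send oauth_callback" understates 1.0a: both the 1.0a community spec and RFC 5849 §2.1 make oauth_callback REQUIRED on the request-token request (an absolute URL or "oob"), which is why this library's silent default to OUT_OF_BAND keeps requests valid; suggest `# - In 1.0a, oauth_callback is REQUIRED when obtaining a request token (a callback URL or "oob").` The comment also says oauth_callback_confirmed "is parsed by the token classes", but nothing visible here shows the Consumer checking that it equals "true", and a Provider that omits it is still running 1.0 and therefore exposed to the session-fixation attack 1.0a was designed to stop. Add a line telling callers to check that themselves, e.g. `# - Consumers relying on 1.0a protections should verify the response's oauth_callback_confirmed is "true"; this method does not enforce it`, hedged if the token classes do enforce it elsewhere. The method body continues past the end of the hunk.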
diff --git a/lib/oauth/oauth.rb b/lib/oauth/oauth.rb index b8b09b31..da430ed9 100644 --- a/lib/oauth/oauth.rb +++ b/lib/oauth/oauth.rb @@ -1,11 +1,24 @@ # frozen_string_literal: true module OAuth - # request tokens are passed between the consumer and the provider out of - # band (i.e. callbacks cannot be used), per section 6.1.1 + # Out-Of-Band callback token value. + # OAuth 1.0 and 1.0a both support out-of-band flows, where callbacks cannot be used. + # See RFC 5849 (OAuth 1.0), Section 6.1.1: Obtaining an Unauthorized Request Token + # and the 1.0a errata. Providers treating "oob" as the callback URL indicate that + # the verifier (for 1.0a) will be communicated out of band to the Consumer. OUT_OF_BAND = "oob" - # required parameters, per sections 6.1.1, 6.3.1, and 7 + # OAuth parameter keys this library recognizes when normalizing/signing requests. + # Notes on 1.0 vs 1.0a: + # - oauth_verifier: Introduced by OAuth 1.0a. Returned to the Consumer after user + # authorization and required when exchanging a Request Token for an Access Token + # (Section 6.3.1 in RFC 5849 / 1.0a change). + # - oauth_callback: Present in 1.0; 1.0a clarified that the Consumer MUST send it when + # obtaining a Request Token (or use "oob") and that the Service Provider MUST return + # oauth_callback_confirmed=true with the Request Token response to prevent session + # fixation attacks. Note that oauth_callback_confirmed is a response parameter, not + # a request signing parameter, and thus is not listed here. + # Other keys are common to both 1.0 and 1.0a. PARAMETERS = %w[ oauth_callback oauth_consumer_key diff --git a/lib/oauth/request_proxy/base.rb b/lib/oauth/request_proxy/base.rb index 7107d63e..e4e57b3e 100644 --- a/lib/oauth/request_proxy/base.rb +++ b/lib/oauth/request_proxy/base.rb 
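Review bot: The spec references in the new OUT_OF_BAND and PARAMETERS comments mix two documents: "Section 6.1.1" and "Section 6.3.1" are section numbers from the OAuth Core 1.0 / 1.0a community spec, not RFC 5849, which covers those steps in §2.1 (Temporary Credentials), §2.2 (Resource Owner Authorization) and §2.3 (Token Credentials). Labelling RFC 5849 "(OAuth 1.0)" is also misleading from a security standpoint, because RFC 5849 already incorporates the 1.0a fixes (oauth_verifier, mandatory oauth_callback, oauth_callback_confirmed) — it is the post-session-fixation spec, not the vulnerable one. Suggest `# See OAuth Core 1.0a, Section 6.1.1, or RFC 5849, Section 2.1 ("Temporary Credentials"); RFC 5849 incorporates the 1.0a changes.` and `# (1.0a Section 6.3.1; RFC 5849 Section 2.3)`. Since the comment notes oauth_callback_confirmed "is not signed", it is worth stating plainly that no token response is signed in OAuth 1.0/1.0a and the integrity of that flag rests on TLS alone.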
@@ -56,6 +56,9 @@ def oauth_token parameters["oauth_token"] end + # OAuth 1.0a only: value returned to the Consumer after user authorization + # and required when exchanging a Request Token for an Access Token. + # Not present in OAuth 1.0 flows. def oauth_verifier parameters["oauth_verifier"] end
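Review bot: The new comment on `oauth_verifier` describes the protocol role of the value but not what a server-side caller of this proxy must do with it: the method returns whatever `parameters["oauth_verifier"]` holds, so it is `nil` when the client omitted the parameter and is otherwise an untrusted, attacker-controlled string. A Provider implementing 1.0a must treat `nil` as a failed access-token exchange rather than silently falling back to 1.0 semantics, and must compare the value with the verifier it issued for this specific request token (a constant-time comparison is the usual advice). Suggest appending `# Returns nil when absent. Providers must reject the token exchange in that case and compare a present value against the verifier issued for this request token; never treat absence as a 1.0 fallback.`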