README.md in rodauth-oauth-0.10.4 vs README.md in rodauth-oauth-1.0.0.pre.beta1

@@ -14,17 +14,17 @@
   * [Access Token generation](https://tools.ietf.org/html/rfc6749#section-1.4);
   * [Access Token refresh token grant](https://tools.ietf.org/html/rfc6749#section-1.5);
   * `oauth_authorization_code_grant` - [Authorization code grant](https://tools.ietf.org/html/rfc6749#section-1.3);
   * `oauth_implicit_grant` - [Implicit grant (off by default)](https://tools.ietf.org/html/rfc6749#section-4.2);
   * `oauth_client_credentials_grant` - [Client credentials grant (off by default)](https://tools.ietf.org/html/rfc6749#section-4.4);
-  * `oauth_device_grant` - [Device code grant (off by default)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-device-flow-15);
+  * `oauth_device_code_grant` - [Device code grant (off by default)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-device-flow-15);
   * `oauth_token_revocation` - [Token revocation](https://tools.ietf.org/html/rfc7009);
   * `oauth_token_introspection` - [Token introspection](https://tools.ietf.org/html/rfc7662);
   * [Authorization Server Metadata](https://tools.ietf.org/html/rfc8414);
   * `oauth_pkce` - [PKCE](https://tools.ietf.org/html/rfc7636);
   * `oauth_jwt` - [JWT Access Tokens](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07);
-    * Supports [JWT Secured Authorization Request](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
+  * `oauth_jwt_secured_authorization_request` - [JWT Secured Authorization Request](https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20);
   * `oauth_resource_indicators` - [Resource Indicators](https://datatracker.ietf.org/doc/html/rfc8707);
   * Access Type (Token refresh online and offline);
 * `oauth_http_mac` - [MAC Authentication Scheme](https://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02);
 * `oauth_assertion_base` - [Assertion Framework](https://datatracker.ietf.org/doc/html/rfc7521);
   * `oauth_saml_bearer_grant` - [SAML 2.0 Bearer Assertion](https://datatracker.ietf.org/doc/html/rfc7522);
@@ -79,12 +79,11 @@
 This tutorial assumes you already read the documentation and know how to set up `rodauth`. After that, integrating `rodauth-oauth` will look like:
 
 ```ruby
 plugin :rodauth do
   # enable it in the plugin
-  enable :login, :oauth
-  oauth_application_default_scope %w[profile.read]
+  enable :login, :oauth_authorization_code_grant
   oauth_application_scopes %w[profile.read profile.write]
 end
 
 # then, inside roda
 
@@ -109,10 +108,11 @@
   end
 
   r.is "books" do
     rodauth.require_oauth_authorization("books.read", "books.research")
     r.get do
+      @books = Book.where(user_id: rodauth.current_oauth_account[:id]).all
       # ...
     end
   end
 end
 ```
@@ -122,11 +122,10 @@
 
 ```ruby
 plugin :rodauth do
   # enable it in the plugin
   enable :login, :oidc
-  oauth_application_default_scope %w[openid]
   oauth_application_scopes %w[openid email profile]
 end
 ```
 
 
@@ -142,14 +141,14 @@
 You can change column names or even use existing tables, however, be aware that you'll have to define new column accessors at the `rodauth` plugin declaration level. Let's say, for instance, you'd like to change the `oauth_grants` table name to `access_grants`, and it's `code` column to `authorization_code`; then, you'd have to do the following:
 
 ```ruby
 plugin :rodauth do
   # enable it in the plugin
-  enable :login, :oauth
+  enable :login, :oauth_authorization_code_grant
   # ...
-  oauth_grants_table "access_grants"
-  oauth_grants_code_column "authorization_code"
+  oauth_grants_table :access_grants
+  oauth_grants_code_column :authorization_code
 end
 ```
 
 If you're starting from scratch though, the recommendation is to stick to the defaults.
 
@@ -193,13 +192,12 @@
 
 You can then enable this feature in `lib/rodauth_app.rb` and set up any options you want:
 
 ```ruby
 # lib/roudauth_app.rb
-enable :oauth
+enable :oauth_authorization_code_grant
 # OAuth
-oauth_application_default_scope "profile.read"
 oauth_application_scopes %w[profile.read profile.write books.read books.write]
 ```
 
 Now that you're set up, you can use the `rodauth` object to deny access to certain subsets of your app/API:
 
@@ -240,38 +238,32 @@
 
 In this section, the non-standard features are going to be described in more detail.
 
 ### Token / Secrets Hashing
 
-Although not human-friendly as passwords, for security reasons, you might not want to store access (and refresh) tokens in the database. If that is the case, You'll have to add the respective hash columns in the table:
+Access tokens, refresh tokens and client secrets are hashed before being stored in the database (using `bcrypt`), by default.
 
-```ruby
-# in migration
-String :token_hash, null: false, token: true
-String :refresh_token_hash, token, true
-# and you DO NOT NEED the token and refresh_token columns anymore!
-```
+Disabling this behaviour is a matter of nullifying the hash column option:
 
-And declare them in the plugin:
-
 ```ruby
 plugin :rodauth do
-  enable :oauth
-  oauth_tokens_token_hash_column :token_hash
-  oauth_tokens_token_hash_column :refresh_token_hash
+  enable :oauth_authorization_code_grant
+
+  # storing access token, refresh token and client secret in plaintext:
+  oauth_grants_token_hash_column nil
+  oauth_grants_refresh_token_hash_column nil
+  oauth_applications_client_secret_hash_column nil
 ```
 
-#### Client Secret
+If you'd like to replace the hashing function (for, let's say, [argon2](https://github.com/technion/ruby-argon2)), you'll need to perform the following overrides:
 
-By default, it's expected that the "client secret" property from an OAuth application is only known by the owner, and only the hash is stored in the database; this way, the authorization server doesn't know what the client secret is, only the application owner. The provided [OAuth Applications Extensions](#oauth-applications) application form contains a "Client Secret" input field for this reason.
-
-However, this extension is optional, and you might want to generate the secrets and store them as is. In that case, you'll have to re-define some options:
-
 ```ruby
 plugin :rodauth do
-  enable :oauth
-  secret_matches? ->(application, secret){ application[:client_secret] == secret }
+  enable :oauth_authorization_code_grant
+
+  secret_matches? { |oauth_application, secret| Argon2::Password.verify_password(secret, oauth_application[oauth_applications_client_secret_hash_column]) }
+  secret_hash { |secret| Argon2::Password.create(secret) }
 end
 ```
 
 #### Internationalization (i18n)
 
@@ -282,10 +274,10 @@
 (This feature is available since `v0.7`.)
 
 
 ## Ruby support policy
 
-The minimum Ruby version required to run `rodauth-oauth` is 2.3 . Besides that, it should support all rubies that rodauth and roda support, including JRuby and truffleruby.
+The minimum Ruby version required to run `rodauth-oauth` is 2.5 . Besides that, it should support all rubies that rodauth and roda support, including JRuby and truffleruby.
 
 ### Rails
 
 If you're interested in using this library with rails, be sure to check `rodauth-rails` policy, as it supports rails 5.2 upwards.