Surprising behavior providing param overrides

Created by: johaywood

I'm running into an interesting scenario -- not sure it's quite a bug, but at least "surprising" -- where providing a set of params to OAuth2::AccessToken#refresh! that includes overrides to the client_id and client_secret. When merging these into the default params provided by OAuth2::Authenticatior#apply_params_auth the resulting request includes duplicate keys for client_id and client_secret in the request body. It looks like this same scenario would be possible in other cases where overrides can be supplied, this is just the only one I ran into and have tested.

This appears to be due to the fact I'm providing my overrides with symbol keys and the defaults are string keys. In Ruby allowing both keys in a hash is totally expected since keys can be any object; however, in the context of this gem it's likely not the intention to have multiple keys with the same semantic meaning.

This scenario isn't likely to be caught testing with something like Webmock to assert that there are no duplicate keys in a request body. When deserializing the query string the keys will be de-duped since we've lost the idea of string vs symbol at that point and the test will pass. Plus for most people this would probably fall under the "don't test the library, test your code" umbrella.

I'm curious about anyone else's thoughts on if this should be considered a bug and, if so, have a discussion about the best approach to fixing it.