Bumps [doorkeeper-openid_connect](https://github.com/doorkeeper-gem/doorkeeper-openid_connect) from 1.9.0 to 1.10.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/releases">doorkeeper-openid_connect's releases</a>.</em></p>
<blockquote>
<h2>v1.10.0</h2>
<ul>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/241">#241</a>
 Fix NameError on doorkeeper master by deferring AR model loading in run_hooks 
(see <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper/pull/1804">Doorkeeper PR</a>)</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/242">#242</a>
 Fix <code>NoMethodError</code> for openid_request in testing environments.</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/246">#246</a>
 Fix <code>at_hash</code> to use correct hash algorithm based on 
<code>signing_algorithm</code></li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/250">#250</a>
 Return configured <code>issuer</code> instead of <code>root_url</code> in 
WebFinger response (thanks to <a href="https://github.com/sato11"><code>@sato11</code></a> for the original 
work in <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/172">#172</a>)</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/248">#248</a>
 Fix <code>max_age</code> always triggering reauthentication when 
<code>auth_time_from_resource_owner</code> returns Integer</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/254">#254</a>
 <strong>Breaking:</strong> Omit <code>expires_in</code> from the 
<code>response_type=id_token</code> response (OIDC Core §3.2.2.5 — 
<code>expires_in</code> represents the Access Token lifetime; it is still 
returned for <code>response_type=id_token token</code>)</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/252">#252</a>
 Treat <code>auth_time_from_resource_owner</code> as optional in 
<code>IdToken</code> — omit <code>auth_time</code> claim when unconfigured 
instead of raising <code>InvalidConfiguration</code></li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/256">#256</a>
 Accept non-callable values (symbol / string) for the <code>protocol</code> 
config option, matching the pattern used by <code>issuer</code> / 
<code>signing_algorithm</code> / <code>signing_key</code> / 
<code>expiration</code></li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/258">#258</a>
 Skip <code>IdToken</code> construction on password grants without the 
<code>openid</code> scope</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/259">#259</a>
 Skip <code>IdToken</code> construction on authorization code grants without 
the <code>openid</code> scope</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/261">#261</a>
 Fix obsolete RuboCop configuration (<code>require:</code> → 
<code>plugins:</code>, <code>RSpec/FilePath</code> split, remove 
<code>Capybara/FeatureMethods</code>)</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/263">#263</a>
 <strong>Security/Breaking:</strong> Determine dynamically registered client's 
<code>confidential</code> flag from <code>token_endpoint_auth_method</code> per 
RFC 7591 — previously every dynamically registered client was created as public 
(<code>confidential: false</code>), which let callers authenticate with only 
<code>client_id</code> (<code>by_uid_and_secret(uid, nil)</code> bypass). 
Default is now <code>client_secret_basic</code> (confidential); 
<code>none</code> produces a public client; unsupported values (e.g. 
<code>private_key_jwt</code>) are rejected with 
<code>invalid_client_metadata</code>. Also derive 
<code>token_endpoint_auth_methods_supported</code> in the response from 
<code>Doorkeeper.configuration.client_credentials_methods</code> instead of a 
hardcoded list, matching <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/236">#236</a></li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/264">#264</a>
 Apply safe RuboCop autocorrections and fix resulting artifacts</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/265">#265</a>
 Add Dynamic Client Registration section to README</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/266">#266</a>
 Validate <code>application_type</code>, <code>response_types</code>, and 
<code>grant_types</code> parameters in dynamic client registration per RFC 7591 
— reject unsupported values with <code>invalid_client_metadata</code> and echo 
the requested values back in the registration response, instead of silently 
ignoring them and returning the server's global configuration</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/267">#267</a>
 Add <code>authorize_dynamic_client_registration</code> config option to gate 
the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a 
callable, the block is evaluated in the controller scope (with access to 
<code>request</code>, <code>params</code>, <code>request.headers</code>, etc.) 
and falsy return values reject the request with <code>401 invalid_token</code>. 
Default is <code>nil</code> so the endpoint remains open for backward 
compatibility; consumers should configure this to validate an Initial Access 
Token (or any other authorization scheme) before allowing client 
registration</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/268">#268</a>
 Update Dynamic Client Registration README for validated metadata 
parameters</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/269">#269</a>
 Document <code>authorize_dynamic_client_registration</code> in README</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/270">#270</a>
 Document the unified issuer block signature in README</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/278">#278</a>
 Test against Ruby 4.0.</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/271">#271</a>
 <strong>Security:</strong> Add <code>auth_time_from_session</code> config for 
per-session <code>max_age</code> enforcement. The legacy 
<code>auth_time_from_resource_owner</code> cannot distinguish between 
concurrent sessions and is now deprecated for <code>max_age</code> use (see <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/150">#150</a>)</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/272">#272</a>
 Document <code>auth_time_from_session</code> in README (follow-up to <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/271">#271</a>)</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/273">#273</a>
 <strong>Security/Hardening:</strong> Merge framework-controlled registered 
claims last — 
<code>iss</code>/<code>sub</code>/<code>aud</code>/<code>exp</code>/<code>iat</code>/<code>nonce</code>/<code>auth_time</code>
 for the ID Token and <code>sub</code> for UserInfo — so a custom claim block 
can no longer override security-critical values. No legitimate configuration 
relied on this; custom claims that intentionally shadowed a registered claim 
name will now be ignored for that key (OIDC Core §2 / §3.1.3.7 / §5.3.2).</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/276">#276</a>
 Get RuboCop to zero offenses: fix <code>Lint/MissingSuper</code> in 
<code>IdTokenResponse</code>, replace <code>puts</code> with <code>warn</code> 
for deprecation notices, and modernise spec style</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/277">#277</a>
 Fix README inaccuracies (<code>signing_algorithm</code> description and link, 
<code>discovery_url_options</code> endpoint list, 
<code>oauth-authorization-server</code> route) and use constant-time comparison 
in the DCR authorization example to prevent timing attacks on the Initial 
Access Token</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/279">#279</a>
 Return <code>account_selection_required</code> when a 
<code>prompt=select_account</code> handler does not generate a response, per 
<a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthError">OIDC Core 1.0 §3.1.2.6</a> — previously the authorization silently continued without 
account selection. Adds the missing 
<code>Errors::AccountSelectionRequired</code> class, mirroring the existing 
<code>login_required</code> backstop for 
<code>reauthenticate_resource_owner</code></li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/275">#275</a>
 Return <code>login_required</code> for <code>max_age</code> reauthentication 
when <code>prompt=none</code>, instead of triggering the interactive 
<code>reauthenticate_resource_owner</code> flow (OIDC Core §3.1.2.1)</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/284">#284</a>
 Document <code>acr</code> / <code>amr</code> claims in README — show how to 
expose Authentication Context Class Reference and Authentication Methods 
References via the <code>claim</code> DSL, with callouts for the 
<code>response:</code> and <code>scope:</code> defaults that silently bite</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/288">#288</a>
 Document <code>offline_access</code> scope recipe in README — show how to wire 
<code>use_refresh_token</code> with scope-based filtering for OIDC offline 
access</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/281">#281</a>
 Fix <code>NoMethodError</code> / <code>DoubleRenderError</code> when 
<code>resource_owner_authenticator</code> redirects with a truthy non-model 
value (e.g. <code>current_user || redirect_to(login_url)</code>). Normalize the 
leaked value to <code>nil</code> when <code>performed?</code> and add missing 
<code>if owner</code> guard on <code>select_account</code>.</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/285">#285</a>
 Document custom <code>jwks_uri</code> path pattern in README — show how to 
advertise a non-default path in the discovery document using Rails' 
<code>direct</code> URL helper</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/283">#283</a>
 Support multiple signing keys in the JWKS response — <code>signing_key</code> 
now also accepts an array (and callables returning an array). The first entry 
is the active key used to sign new ID tokens; the remaining entries are 
published in the JWKS so clients can still validate tokens signed with a 
retired key during a rotation window. Single-value and callable forms continue 
to work unchanged</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/286">#286</a>
 Allow claims to be assigned to multiple scopes via <code>scope: [:profile, 
:all_data]</code> — the claim is returned whenever the access token grants any 
of the listed scopes. <strong>Note:</strong> the previously implicit 
<code>Claim#scope=</code> writer (from <code>attr_accessor :scope</code>) is no 
longer provided; rebuild the claim instead of mutating it</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/287">#287</a>
 Add <code>apply_prompt_to_non_oidc_requests</code> option to honor the 
<code>prompt</code> parameter on plain OAuth requests that do not include the 
<code>openid</code> scope</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/282">#282</a>
 Allow <code>prompt=none</code> reauthorization with a narrower subset of 
previously-granted scopes (issue <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/63">#63</a>).
 Per RFC 6749 §1.5, narrower-or-equal scopes do not require fresh user consent; 
previously these requests returned <code>consent_required</code>.</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/290">#290</a>
 Freeze <code>Claim#scopes</code> and <code>Claim#response</code> arrays at 
construction so callers can't accidentally mutate the claim's internal state 
from outside</li>
<li><a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/297">#297</a>
 Fix the generated initializer's <code>issuer</code> example referencing an 
undefined <code>request</code> local (the block parameter is 
<code>_request</code>), which raised <code>NameError</code> when copied 
verbatim</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/CHANGELOG.md">doorkeeper-openid_connect's changelog</a>.</em></p>
<blockquote>
<h2>v1.10.0 (2026-06-01)</h2>
<blockquote>
<p>[!IMPORTANT]</p>
<ul>
<li><strong>Breaking (arity-2 issuer blocks):</strong> 
<code>resolve_issuer</code> now dispatches arity-2 blocks with 
<code>(resource_owner, application)</code> in all contexts, including 
discovery. In v1.9.0 <code>DiscoveryController</code> passed 
<code>request</code> as the first argument; existing arity-2 blocks that relied 
on this receive <code>(nil, nil)</code> in v1.10.0 and should migrate to 
arity-3 — see <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/298">#298</a>
 for details and migration examples</li>
</ul>
</blockquote>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/77fabfee272b5bb80b8598b1e8acbc1a83615276"><code>77fabfe</code></a>
 [ci skip] Update CHANGELOG.md</li>
<li><a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/fa28d0e5c1e9060a48db2d4701a57c79396fb21d"><code>fa28d0e</code></a>
 Merge pull request <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/297">#297</a>
 from 55728/docs/initializer-issuer-request-example</li>
<li><a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/12955bd466ee55070c09d9a134c4f552f49915c6"><code>12955bd</code></a>
 Fix NameError in generated initializer's issuer example</li>
<li><a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/1ba053fcf113038c3b85bc27888c7cad36c9ddf2"><code>1ba053f</code></a>
 Merge pull request <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/295">#295</a>
 from 55728/release/v1.10.0</li>
<li><a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/5291192902c11d0cb3da5b340f80b347ba21fa4d"><code>5291192</code></a>
 Merge pull request <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/290">#290</a>
 from 55728/refactor/freeze-claim-ivars</li>
<li><a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/3fb4d8c5d9f9e87cfc996b4627f1ec2cd0339a03"><code>3fb4d8c</code></a>
 Release 1.10.0 :tada:</li>
<li><a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/a25775467c84c3e8dba8a227decb27644e2f4a6e"><code>a257754</code></a>
 Merge pull request <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/282">#282</a>
 from 55728/fix/issue-63-prompt-none-narrower-scopes</li>
<li><a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/40bd9ee2622a1685576b4f30ce88625fd58ec501"><code>40bd9ee</code></a>
 Merge pull request <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/287">#287</a>
 from 55728/feature/prompt-outside-oidc-requests</li>
<li><a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/95fc976e059b8684e3e0d10f2233f58f89bc1bb9"><code>95fc976</code></a>
 Address Copilot review for <a href="https://redirect.github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/282">#282</a></li>
<li><a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/commit/27b05849e5069faaafe2eb3e3902925929e87f5f"><code>27b0584</code></a>
 Freeze Claim#scopes and Claim#response at construction</li>
<li>Additional commits viewable in <a href="https://github.com/doorkeeper-gem/doorkeeper-openid_connect/compare/v1.9.0...v1.10.0">compare view</a></li>
</ul>
</details>
<br />


You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/7135

-- Commit Summary --

  * Bump doorkeeper-openid_connect from 1.9.0 to 1.10.0

-- File Changes --

    M Gemfile.lock (6)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/7135.patch
https://github.com/openstreetmap/openstreetmap-website/pull/7135.diff

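
The dynamic client registration changes listed under #263, #267 and #277 in the release notes, sketched as an added example; this is not code from doorkeeper-openid_connect, Doorkeeper or this pull request. The module, its method names, the supported-method list and the sample tokens are assumptions made for illustration, and `client_authenticated?` is a simplified model of the client-secret check, not Doorkeeper's implementation.

```ruby
require "digest/sha2"

# Added illustration: hypothetical names, not the gem's or Doorkeeper's code.
module DcrGate
  # Assumed server configuration (constructed for this example); the release
  # notes say the gem derives its list from Doorkeeper's configuration.
  SUPPORTED_AUTH_METHODS = %w[client_secret_basic client_secret_post none].freeze
  # RFC 7591: an omitted token_endpoint_auth_method means client_secret_basic.
  DEFAULT_AUTH_METHOD = "client_secret_basic"

  class InvalidClientMetadata < StandardError; end

  module_function

  # Compare fixed-length digests byte by byte with no early exit, so the run
  # time does not depend on how many leading characters of the token match.
  def secure_equal?(left, right)
    a = Digest::SHA256.digest(left.to_s).bytes
    b = Digest::SHA256.digest(right.to_s).bytes
    a.zip(b).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
  end

  # Gate for the registration endpoint: the Initial Access Token is expected
  # as "Authorization: Bearer <token>". A missing header, another scheme or an
  # unset server-side token all fail closed.
  def authorized?(authorization_header, initial_access_token)
    scheme, presented = authorization_header.to_s.split(" ", 2)
    return false unless scheme&.casecmp?("Bearer")
    return false if presented.to_s.empty? || initial_access_token.to_s.empty?

    secure_equal?(presented, initial_access_token)
  end

  # Map the requested auth method to the confidential flag; anything the
  # server does not support is rejected instead of silently downgraded.
  def confidential?(metadata)
    method = metadata.fetch("token_endpoint_auth_method", DEFAULT_AUTH_METHOD)
    unless SUPPORTED_AUTH_METHODS.include?(method)
      raise InvalidClientMetadata, "unsupported token_endpoint_auth_method: #{method}"
    end

    method != "none"
  end

  # Registration decision: authorization first, metadata validation second.
  def register(authorization_header:, initial_access_token:, metadata:)
    unless authorized?(authorization_header, initial_access_token)
      return { status: 401, error: "invalid_token" }
    end

    { status: 201, confidential: confidential?(metadata) }
  rescue InvalidClientMetadata => e
    { status: 400, error: "invalid_client_metadata", error_description: e.message }
  end

  # Simplified model of why the flag matters at the token endpoint: a public
  # client passes with no secret, a confidential client must present its own.
  def client_authenticated?(client, presented_secret)
    return true if !client[:confidential] && presented_secret.to_s.empty?

    secure_equal?(client[:secret], presented_secret)
  end
end
```

With the pre-1.10.0 behaviour the release notes describe, every registered client would take the first branch of `client_authenticated?`; after upgrading, existing dynamically registered rows are worth auditing for an unintended `confidential: false`.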
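
The two ID Token changes listed under #246 and #273 in the release notes, sketched as an added example; this is not code from doorkeeper-openid_connect. The module and method names and the sample values are assumptions; the `at_hash` rule (left half of the hash of the access token, base64url-encoded, with the hash chosen by the signing algorithm) is from OIDC Core §3.1.3.6, and dropping shadowing custom keys before the merge is this example's choice so that an omitted framework claim cannot be backfilled by a custom one.

```ruby
require "digest/sha2"

# Added illustration: hypothetical names, not the gem's code.
module IdTokenClaims
  # Registered claims the release notes list as framework-controlled for the ID Token.
  FRAMEWORK_CLAIMS = %w[iss sub aud exp iat nonce auth_time].freeze
  DIGESTS = { "256" => Digest::SHA256, "384" => Digest::SHA384, "512" => Digest::SHA512 }.freeze

  module_function

  # The digest follows the JWS alg: RS256 -> SHA-256, ES384 -> SHA-384, and so on.
  # Accepts symbols or strings in either case (:rs256, "RS256").
  def digest_for(signing_algorithm)
    bits = signing_algorithm.to_s.upcase[/\A(?:RS|PS|ES|HS)(256|384|512)\z/, 1]
    raise ArgumentError, "no at_hash digest known for #{signing_algorithm.inspect}" unless bits

    DIGESTS.fetch(bits)
  end

  # at_hash = base64url(left half of digest(access_token)), without padding.
  def at_hash(access_token, signing_algorithm)
    full = digest_for(signing_algorithm).digest(access_token)
    left_half = full.byteslice(0, full.bytesize / 2)
    [left_half].pack("m0").tr("+/", "-_").delete("=")
  end

  # Names in a custom claim set that collide with framework-controlled claims.
  def shadowed(custom)
    custom.keys.map(&:to_s) & FRAMEWORK_CLAIMS
  end

  # Custom claims go in first and framework claims last, so the framework
  # values always win. Colliding custom keys are dropped outright, and nil
  # framework values (e.g. an unconfigured auth_time) are omitted.
  def merge_claims(framework:, custom:)
    safe_custom = custom.transform_keys(&:to_s)
                        .reject { |name, _| FRAMEWORK_CLAIMS.include?(name) }
    safe_custom.merge(framework.transform_keys(&:to_s).compact)
  end
end
```

A relying party that validates `at_hash` must pick the digest the same way, which is why a token signed with a 384- or 512-bit algorithm but hashed with SHA-256 fails validation on strict clients.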