Bump the dependencies group with 20 updates #424

Open
dependabot[bot] wants to merge 1 commit into staging from dependabot/bundler/dependencies-a160d50088
dependabot (bot) commented on behalf of github on Jun 16, 2026

Bumps the dependencies group with 20 updates:

| Package | From | To |
| --- | --- | --- |
| jbuilder | 2.14.1 | 2.15.1 |
| bootsnap | 1.24.4 | 1.24.6 |
| strong_migrations | 2.7.0 | 2.8.0 |
| omniauth-microsoft_graph | 2.1.0 | 2.2.0 |
| doorkeeper | 5.9.0 | 5.9.3 |
| doorkeeper-i18n | 5.2.8 | 5.2.9 |
| doorkeeper-openid_connect | 1.9.0 | 1.10.1 |
| faraday | 2.14.2 | 2.14.3 |
| dalli | 5.0.2 | 5.0.5 |
| opentelemetry-instrumentation-all | 0.93.0 | 0.94.0 |
| marcel | 1.1.0 | 1.2.1 |
| aws-sdk-s3 | 1.222.0 | 1.225.1 |
| image_processing | 1.14.0 | 2.0.2 |
| listen | 3.9.0 | 3.10.0 |
| overcommit | 0.69.0 | 0.71.0 |
| brakeman | 8.0.4 | 8.0.5 |
| jwt | 2.10.2 | 2.10.3 |
| puma | 8.0.1 | 8.0.2 |
| selenium-webdriver | 4.44.0 | 4.45.0 |
| database_consistency | 3.0.4 | 3.0.5 |

Updates jbuilder from 2.14.1 to 2.15.1

Release notes

Sourced from jbuilder's releases.

v2.15.1

What's Changed

New Contributors

Full Changelog: rails/jbuilder@v2.15.0...v2.15.1

v2.15.0

What's Changed

New Contributors

Full Changelog: rails/jbuilder@v2.14.1...v2.15.0

Commits
  • 31eb6e9 Prepare for 2.15.1
  • 154b0fe Merge pull request #617 from rails/rm-fix-616
  • d3e763b Fix partial for Active Model when extra locals are passed in
  • 018083d Prepare for 2.15.0
  • 72cf067 Update devcontainer image to Ruby 4.0.4 and add devcontainer-lock.json
  • d35a962 Merge pull request #615 from taketo1113/ci-rails8.1-ruby4.0
  • cc42e7e CI: Add Rails 8.1 & Ruby 4.0 to CI Matrix
  • cd7482e Merge pull request #613 from affinity/moberegger/fix-inline-partial-locals-be
  • 58283a0 Merge pull request #612 from affinity/moberegger/optimize-_map_collection
  • 09ca3e1 Merge pull request #603 from taketo1113/update-rack-unprocessable_content
  • Additional commits viewable in compare view

Updates bootsnap from 1.24.4 to 1.24.6

Changelog

Sourced from bootsnap's changelog.

1.24.6

  • Fix detection of Ruby bug #22023 on some patch versions of Ruby 3.4, and properly apply the workaround.

1.24.5

  • No longer load the config file by default when setup is done manually. This is so cli applications like homebrew don't mistakenly load another app's bootsnap config.

Commits
  • 026e183 Release 1.24.6
  • 263e346 Merge pull request #556 from byroot/remove-canary
  • 7c31cd8 Check for [Bug #22023] by checking Ruby version rather than a canary
  • 54eba76 Merge pull request #554 from byroot/namespace-overflow
  • fe963d5 bs_cache_path: account for namespace length
  • 7b42db6 Merge pull request #553 from arpitjain099/chore/declare-workflow-perms
  • 113b184 ci: add permissions: contents: read to ci
  • d6ca050 Release 1.24.5
  • 579aa0e Merge pull request #552 from byroot/fix-bootsnap-config
  • 2884e89 Only load config file is directed to by .setup
  • Additional commits viewable in compare view

Updates strong_migrations from 2.7.0 to 2.8.0

Changelog

Sourced from strong_migrations's changelog.

2.8.0 (2026-05-14)

  • Added check for rename_enum_value

Commits

Updates omniauth-microsoft_graph from 2.1.0 to 2.2.0

Commits
  • 30d84c4 bump version 2.2.0 as 2.1.0 already exists (#51)
  • 8688404 bump version 2.1.0 (#50)
  • c8d9639 Fix email domain up domain case sensitive comparison (#42)
  • ad4fd02 Update sinatra requirement from ~> 2.2 to ~> 4.1 in the bundler group (#40)
  • 764ebe7 Relax version constraint for jwt gem (#49)
  • See full diff in compare view

Updates doorkeeper from 5.9.0 to 5.9.3

Release notes

Sourced from doorkeeper's releases.

v5.9.3

  • #1834 Fix default allow_token_introspection returning false when a custom application_class is configured. The default proc compared application objects with ==, which fails when the authorized client and the introspected token's application are resolved as different classes (e.g. a base Doorkeeper::Application vs. a configured subclass) even though they reference the same record. It now compares application ids instead.
  • #1832 Fix confusing belongs_to :owner side effect: Doorkeeper::Models::Ownership is now included only when enable_application_owner? is set (read at include time), so models no longer expose a misleading owner association/reflection when the application owner feature is disabled and the schema lacks the owner columns.

v5.9.2

  • #1822 #1823 #1825 Update Rubocop config, auto-corrections and codebase cleanup.
  • #1830 Fix NameError: uninitialized constant ApplicationRecord on rails db:seed (and other non-eager-loading flows) caused by on_load(:active_record) firing re-entrantly during ApplicationRecord autoload. The orm hooks no longer depend on ActiveSupport.on_load(:active_record); model concerns (Ownership, PolymorphicResourceOwner::ForAccessGrant, PolymorphicResourceOwner::ForAccessToken) are now wired up from each Mixins::* included block, which fires at parent-class autoload time — after Doorkeeper.configure has applied user settings and without re-entering the AR load chain.
    • Upgrade note: fully custom model classes that don't include Doorkeeper::Orm::ActiveRecord::Mixins::{Application,AccessToken,AccessGrant} will no longer auto-receive Ownership / PolymorphicResourceOwner concerns (previously injected by run_orm_hooks via the configured class name). Either inherit from the Doorkeeper default model, include the corresponding Mixins::* module, or include the concerns directly.

v5.9.1

  • #1781 Honor handle_auth_errors :raise in AuthorizationsController#authorize_response

  • #1795 Fix: detailed error 'insufficient_scope' in protected resources 403s

  • #1797 Fix doorkeeper:db:cleanup rake task failure on PostgreSQL

  • #1800 Set @grant_type in ClientCredentialsRequest and RefreshTokenRequest constructors so request.grant_type returns the correct value in hooks like before_successful_strategy_response.

  • #1802 Fix filter_parameters not applied when Doorkeeper.configure is called inside to_prepare.

  • #1804 Use ActiveSupport.on_load(:active_record) in ORM hooks to prevent loading ActiveRecord models too early

  • #1806 Fix token revocation bypass for public clients (RFC 7009)

  • #1815 Expose current_resource_owner as a view helper in Doorkeeper::ApplicationController.

  • #1818 Fix token introspection returning exp: 0 for non-expiring tokens.

  • #1784 Remove hardcoded colons from view templates, move punctuation to i18n translation strings.

    [IMPORTANT]: if you have customized Doorkeeper views (authorizations/new, authorizations/show, applications/show) or overridden the default en.yml translations, you may need to update them. Colons are no longer hardcoded in the views — they are now part of the translation strings. Update the doorkeeper-i18n gem to get the updated translations for all locales.

  • #1820 Remove dead wildcard presence check in Scopes#dynamic_scope_match? (internal cleanup, no behavior change).

  • #1822 Update Rubocop config, auto-corrections.

  • #1823 Update Rubocop config, part 2.

  • #1825 Update Rubocop config, part 3.

  • #1821 Fix noisy Could not find command "no_previous_refresh_token_column?" Thor output during the PreviousRefreshTokenGenerator spec by stubbing the underlying DB column check instead of the generator's private method (test-only change).

Changelog

Sourced from doorkeeper's changelog.

5.9.3

  • #1834 Fix default allow_token_introspection returning false when a custom application_class is configured. The default proc compared application objects with ==, which fails when the authorized client and the introspected token's application are resolved as different classes (e.g. a base Doorkeeper::Application vs. a configured subclass) even though they reference the same record. It now compares application ids instead.
  • #1832 Fix confusing belongs_to :owner side effect: Doorkeeper::Models::Ownership is now included only when enable_application_owner? is set (read at include time), so models no longer expose a misleading owner association/reflection when the application owner feature is disabled and the schema lacks the owner columns.

5.9.2

  • #1822 #1823 #1825 Update Rubocop config, auto-corrections and codebase cleanup.
  • #1830 Fix NameError: uninitialized constant ApplicationRecord on rails db:seed (and other non-eager-loading flows) caused by on_load(:active_record) firing re-entrantly during ApplicationRecord autoload. The orm hooks no longer depend on ActiveSupport.on_load(:active_record); model concerns (Ownership, PolymorphicResourceOwner::ForAccessGrant, PolymorphicResourceOwner::ForAccessToken) are now wired up from each Mixins::* included block, which fires at parent-class autoload time — after Doorkeeper.configure has applied user settings and without re-entering the AR load chain.
    • Upgrade note: fully custom model classes that don't include Doorkeeper::Orm::ActiveRecord::Mixins::{Application,AccessToken,AccessGrant} will no longer auto-receive Ownership / PolymorphicResourceOwner concerns (previously injected by run_orm_hooks via the configured class name). Either inherit from the Doorkeeper default model, include the corresponding Mixins::* module, or include the concerns directly.

5.9.1

  • #1781 Honor handle_auth_errors :raise in AuthorizationsController#authorize_response

  • #1795 Fix: detailed error 'insufficient_scope' in protected resources 403s

  • #1797 Fix doorkeeper:db:cleanup rake task failure on PostgreSQL

  • #1800 Set @grant_type in ClientCredentialsRequest and RefreshTokenRequest constructors so request.grant_type returns the correct value in hooks like before_successful_strategy_response.

  • #1802 Fix filter_parameters not applied when Doorkeeper.configure is called inside to_prepare.

  • #1804 Use ActiveSupport.on_load(:active_record) in ORM hooks to prevent loading ActiveRecord models too early

  • #1806 Fix token revocation bypass for public clients (RFC 7009)

  • #1815 Expose current_resource_owner as a view helper in Doorkeeper::ApplicationController.

  • #1818 Fix token introspection returning exp: 0 for non-expiring tokens.

  • #1784 Remove hardcoded colons from view templates, move punctuation to i18n translation strings.

    [IMPORTANT]: if you have customized Doorkeeper views (authorizations/new, authorizations/show, applications/show) or overridden the default en.yml translations, you may need to update them. Colons are no longer hardcoded in the views — they are now part of the translation strings. Update the doorkeeper-i18n gem to get the updated translations for all locales.

  • #1820 Remove dead wildcard presence check in Scopes#dynamic_scope_match? (internal cleanup, no behavior change).

  • #1822 Update Rubocop config, auto-corrections.

  • #1823 Update Rubocop config, part 2.

  • #1825 Update Rubocop config, part 3.

  • #1821 Fix noisy Could not find command "no_previous_refresh_token_column?" Thor output during the PreviousRefreshTokenGenerator spec by stubbing the underlying DB column check instead of the generator's private method (test-only change).

Commits
  • 4737ffe Release 5.9.3 🎉
  • 90e4976 Merge pull request #1834 from 55728/fix/1833-allow-token-introspection-custom...
  • bc3d9e5 Merge pull request #1832 from 55728/experiment/1831-gate-ownership
  • 155ce8c Fix allow_token_introspection default for custom application_class (#1833)
  • 1c7ef35 Gate belongs_to :owner on enable_application_owner? at include time
  • f278711 Release 5.9.2 🎉
  • d83beb8 Merge pull request #1830 from 55728/refactor/1828-mixins-included-no-on-load
  • ab58c37 Wire model concerns from Mixin included blocks, drop on_load(:active_record)
  • 3666790 [ci skip] AGENTS.md update
  • 7ae6104 [ci skip] AGENTS.md update
  • Additional commits viewable in compare view

Updates doorkeeper-i18n from 5.2.8 to 5.2.9

Release notes

Sourced from doorkeeper-i18n's releases.

v5.2.9

  • #73 Add colons to translations
  • #74 Fix untranslated English fragment in Japanese locale

Commits

Updates doorkeeper-openid_connect from 1.9.0 to 1.10.1

Release notes

Sourced from doorkeeper-openid_connect's releases.

v1.10.1

  • #294 Drop stale Metrics/ClassLength and Metrics/BlockLength overrides from .rubocop_todo.yml
  • #293 Drop Naming/VariableNumber from .rubocop_todo.yml and normalise test variable names
  • #291 Document multi-namespace mount pattern for multiple resource owner models (#192)
  • #292 Drop formatting cops from .rubocop_todo.yml and align trailing-comma style with upstream doorkeeper
  • #296 Fix the prompt parameter being rejected with invalid_request when it contains leading or duplicate spaces (e.g. prompt=%20none) — blank entries in the space-delimited value are now ignored
  • #299 Raise InvalidConfiguration when the issuer config resolves to a blank value instead of silently advertising an empty issuer in the discovery document. Since v1.10.0 an arity-2 issuer block receives (resource_owner, application) — both nil in the discovery context — so a block relying on the old v1.9.0 request argument could return nil and produce a discovery issuer that mismatched the ID token iss (#298)

v1.10.0

  • #241 Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see Doorkeeper PR)
  • #242 Fix NoMethodError for openid_request in testing environments.
  • #246 Fix at_hash to use correct hash algorithm based on signing_algorithm
  • #250 Return configured issuer instead of root_url in WebFinger response (thanks to @​sato11 for the original work in #172)
  • #248 Fix max_age always triggering reauthentication when auth_time_from_resource_owner returns Integer
  • #254 Breaking: Omit expires_in from the response_type=id_token response (OIDC Core §3.2.2.5 — expires_in represents the Access Token lifetime; it is still returned for response_type=id_token token)
  • #252 Treat auth_time_from_resource_owner as optional in IdToken — omit auth_time claim when unconfigured instead of raising InvalidConfiguration
  • #256 Accept non-callable values (symbol / string) for the protocol config option, matching the pattern used by issuer / signing_algorithm / signing_key / expiration
  • #258 Skip IdToken construction on password grants without the openid scope
  • #259 Skip IdToken construction on authorization code grants without the openid scope
  • #261 Fix obsolete RuboCop configuration (require:plugins:, RSpec/FilePath split, remove Capybara/FeatureMethods)
  • #263 Security/Breaking: Determine dynamically registered client's confidential flag from token_endpoint_auth_method per RFC 7591 — previously every dynamically registered client was created as public (confidential: false), which let callers authenticate with only client_id (by_uid_and_secret(uid, nil) bypass). Default is now client_secret_basic (confidential); none produces a public client; unsupported values (e.g. private_key_jwt) are rejected with invalid_client_metadata. Also derive token_endpoint_auth_methods_supported in the response from Doorkeeper.configuration.client_credentials_methods instead of a hardcoded list, matching #236
  • #264 Apply safe RuboCop autocorrections and fix resulting artifacts
  • #265 Add Dynamic Client Registration section to README
  • #266 Validate application_type, response_types, and grant_types parameters in dynamic client registration per RFC 7591 — reject unsupported values with invalid_client_metadata and echo the requested values back in the registration response, instead of silently ignoring them and returning the server's global configuration
  • #267 Add authorize_dynamic_client_registration config option to gate the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a callable, the block is evaluated in the controller scope (with access to request, params, request.headers, etc.) and falsy return values reject the request with 401 invalid_token. Default is nil so the endpoint remains open for backward compatibility; consumers should configure this to validate an Initial Access Token (or any other authorization scheme) before allowing client registration
  • #268 Update Dynamic Client Registration README for validated metadata parameters
  • #269 Document authorize_dynamic_client_registration in README
  • #270 Document the unified issuer block signature in README
  • #278 Test against Ruby 4.0.
  • #271 Security: Add auth_time_from_session config for per-session max_age enforcement. The legacy auth_time_from_resource_owner cannot distinguish between concurrent sessions and is now deprecated for max_age use (see #150)
  • #272 Document auth_time_from_session in README (follow-up to #271)
  • #273 Security/Hardening: Merge framework-controlled registered claims last — iss/sub/aud/exp/iat/nonce/auth_time for the ID Token and sub for UserInfo — so a custom claim block can no longer override security-critical values. No legitimate configuration relied on this; custom claims that intentionally shadowed a registered claim name will now be ignored for that key (OIDC Core §2 / §3.1.3.7 / §5.3.2).
  • #276 Get RuboCop to zero offenses: fix Lint/MissingSuper in IdTokenResponse, replace puts with warn for deprecation notices, and modernise spec style
  • #277 Fix README inaccuracies (signing_algorithm description and link, discovery_url_options endpoint list, oauth-authorization-server route) and use constant-time comparison in the DCR authorization example to prevent timing attacks on the Initial Access Token
  • #279 Return account_selection_required when a prompt=select_account handler does not generate a response, per OIDC Core 1.0 §3.1.2.6 — previously the authorization silently continued without account selection. Adds the missing Errors::AccountSelectionRequired class, mirroring the existing login_required backstop for reauthenticate_resource_owner
  • #275 Return login_required for max_age reauthentication when prompt=none, instead of triggering the interactive reauthenticate_resource_owner flow (OIDC Core §3.1.2.1)
  • #284 Document acr / amr claims in README — show how to expose Authentication Context Class Reference and Authentication Methods References via the claim DSL, with callouts for the response: and scope: defaults that silently bite
  • #288 Document offline_access scope recipe in README — show how to wire use_refresh_token with scope-based filtering for OIDC offline access
  • #281 Fix NoMethodError / DoubleRenderError when resource_owner_authenticator redirects with a truthy non-model value (e.g. current_user || redirect_to(login_url)). Normalize the leaked value to nil when performed? and add missing if owner guard on select_account.
  • #285 Document custom jwks_uri path pattern in README — show how to advertise a non-default path in the discovery document using Rails' direct URL helper
  • #283 Support multiple signing keys in the JWKS response — signing_key now also accepts an array (and callables returning an array). The first entry is the active key used to sign new ID tokens; the remaining entries are published in the JWKS so clients can still validate tokens signed with a retired key during a rotation window. Single-value and callable forms continue to work unchanged
  • #286 Allow claims to be assigned to multiple scopes via scope: [:profile, :all_data] — the claim is returned whenever the access token grants any of the listed scopes. Note: the previously implicit Claim#scope= writer (from attr_accessor :scope) is no longer provided; rebuild the claim instead of mutating it
  • #287 Add apply_prompt_to_non_oidc_requests option to honor the prompt parameter on plain OAuth requests that do not include the openid scope
  • #282 Allow prompt=none reauthorization with a narrower subset of previously-granted scopes (issue #63). Per RFC 6749 §1.5, narrower-or-equal scopes do not require fresh user consent; previously these requests returned consent_required.
  • #290 Freeze Claim#scopes and Claim#response arrays at construction so callers can't accidentally mutate the claim's internal state from outside
  • #297 Fix the generated initializer's issuer example referencing an undefined request local (the block parameter is _request), which raised NameError when copied verbatim

Changelog

Sourced from doorkeeper-openid_connect's changelog.

v1.10.1 (2026-06-03)

  • #294 Drop stale Metrics/ClassLength and Metrics/BlockLength overrides from .rubocop_todo.yml
  • #293 Drop Naming/VariableNumber from .rubocop_todo.yml and normalise test variable names
  • #291 Document multi-namespace mount pattern for multiple resource owner models (#192)
  • #292 Drop formatting cops from .rubocop_todo.yml and align trailing-comma style with upstream doorkeeper
  • #296 Fix the prompt parameter being rejected with invalid_request when it contains leading or duplicate spaces (e.g. prompt=%20none) — blank entries in the space-delimited value are now ignored
  • #299 Raise InvalidConfiguration when the issuer config resolves to a blank value instead of silently advertising an empty issuer in the discovery document. Since v1.10.0 an arity-2 issuer block receives (resource_owner, application) — both nil in the discovery context — so a block relying on the old v1.9.0 request argument could return nil and produce a discovery issuer that mismatched the ID token iss (#298)

v1.10.0 (2026-06-01)

[!IMPORTANT]

  • Breaking (arity-2 issuer blocks): resolve_issuer now dispatches arity-2 blocks with (resource_owner, application) in all contexts, including discovery. In v1.9.0 DiscoveryController passed request as the first argument; existing arity-2 blocks that relied on this receive (nil, nil) in v1.10.0 and should migrate to arity-3 — see #298 for details and migration examples
  • #241 Fix NameError on doorkeeper master by deferring AR model loading in run_hooks (see Doorkeeper PR)
  • #242 Fix NoMethodError for openid_request in testing environments.
  • #246 Fix at_hash to use correct hash algorithm based on signing_algorithm
  • #250 Return configured issuer instead of root_url in WebFinger response (thanks to @​sato11 for the original work in #172)
  • #248 Fix max_age always triggering reauthentication when auth_time_from_resource_owner returns Integer
  • #254 Breaking: Omit expires_in from the response_type=id_token response (OIDC Core §3.2.2.5 — expires_in represents the Access Token lifetime; it is still returned for response_type=id_token token)
  • #252 Treat auth_time_from_resource_owner as optional in IdToken — omit auth_time claim when unconfigured instead of raising InvalidConfiguration
  • #256 Accept non-callable values (symbol / string) for the protocol config option, matching the pattern used by issuer / signing_algorithm / signing_key / expiration
  • #258 Skip IdToken construction on password grants without the openid scope
  • #259 Skip IdToken construction on authorization code grants without the openid scope
  • #261 Fix obsolete RuboCop configuration (require:plugins:, RSpec/FilePath split, remove Capybara/FeatureMethods)
  • #263 Security/Breaking: Determine dynamically registered client's confidential flag from token_endpoint_auth_method per RFC 7591 — previously every dynamically registered client was created as public (confidential: false), which let callers authenticate with only client_id (by_uid_and_secret(uid, nil) bypass). Default is now client_secret_basic (confidential); none produces a public client; unsupported values (e.g. private_key_jwt) are rejected with invalid_client_metadata. Also derive token_endpoint_auth_methods_supported in the response from Doorkeeper.configuration.client_credentials_methods instead of a hardcoded list, matching #236
  • #264 Apply safe RuboCop autocorrections and fix resulting artifacts
  • #265 Add Dynamic Client Registration section to README
  • #266 Validate application_type, response_types, and grant_types parameters in dynamic client registration per RFC 7591 — reject unsupported values with invalid_client_metadata and echo the requested values back in the registration response, instead of silently ignoring them and returning the server's global configuration
  • #267 Add authorize_dynamic_client_registration config option to gate the dynamic client registration endpoint per RFC 7591 §3.1 — when set to a callable, the block is evaluated in the controller scope (with access to request, params, request.headers, etc.) and falsy return values reject the request with 401 invalid_token. Default is nil so the endpoint remains open for backward compatibility; consumers should configure this to validate an Initial Access Token (or any other authorization scheme) before allowing client registration
  • #268 Update Dynamic Client Registration README for validated metadata parameters
  • #269 Document authorize_dynamic_client_registration in README
  • #270 Document the unified issuer block signature in README
  • #278 Test against Ruby 4.0.
  • #271 Security: Add auth_time_from_session config for per-session max_age enforcement. The legacy auth_time_from_resource_owner cannot distinguish between concurrent sessions and is now deprecated for max_age use (see #150)
  • #272 Document auth_time_from_session in README (follow-up to #271)
  • #273 Security/Hardening: Merge framework-controlled registered claims last — iss/sub/aud/exp/iat/nonce/auth_time for the ID Token and sub for UserInfo — so a custom claim block can no longer override security-critical values. No legitimate configuration relied on this; custom claims that intentionally shadowed a registered claim name will now be ignored for that key (OIDC Core §2 / §3.1.3.7 / §5.3.2).
  • #276 Get RuboCop to zero offenses: fix Lint/MissingSuper in IdTokenResponse, replace puts with warn for deprecation notices, and modernise spec style
  • #277 Fix README inaccuracies (signing_algorithm description and link, discovery_url_options endpoint list, oauth-authorization-server route) and use constant-time comparison in the DCR authorization example to prevent timing attacks on the Initial Access Token
  • #279 Return account_selection_required when a prompt=select_account handler does not generate a response, per OIDC Core 1.0 §3.1.2.6 — previously the authorization silently continued without account selection. Adds the missing Errors::AccountSelectionRequired class, mirroring the existing login_required backstop for reauthenticate_resource_owner
  • #275 Return login_required for max_age reauthentication when prompt=none, instead of triggering the interactive reauthenticate_resource_owner flow (OIDC Core §3.1.2.1)
  • #284 Document acr / amr claims in README — show how to expose Authentication Context Class Reference and Authentication Methods References via the claim DSL, with callouts for the response: and scope: defaults that silently bite
  • #288 Document offline_access scope recipe in README — show how to wire use_refresh_token with scope-based filtering for OIDC offline access
  • #281 Fix NoMethodError / DoubleRenderError when resource_owner_authenticator redirects with a truthy non-model value (e.g. current_user || redirect_to(login_url)). Normalize the leaked value to nil when performed? and add missing if owner guard on select_account.
  • #285 Document custom jwks_uri path pattern in README — show how to advertise a non-default path in the discovery document using Rails' direct URL helper
  • #283 Support multiple signing keys in the JWKS response — signing_key now also accepts an array (and callables returning an array). The first entry is the active key used to sign new ID tokens; the remaining entries are published in the JWKS so clients can still validate tokens signed with a retired key during a rotation window. Single-value and callable forms continue to work unchanged
  • #286 Allow claims to be assigned to multiple scopes via scope: [:profile, :all_data] — the claim is returned whenever the access token grants any of the listed scopes. Note: the previously implicit Claim#scope= writer (from attr_accessor :scope) is no longer provided; rebuild the claim instead of mutating it
  • #287 Add apply_prompt_to_non_oidc_requests option to honor the prompt parameter on plain OAuth requests that do not include the openid scope
  • #282 Allow prompt=none reauthorization with a narrower subset of previously-granted scopes (issue #63). Per RFC 6749 §1.5, narrower-or-equal scopes do not require fresh user consent; previously these requests returned consent_required.

... (truncated)

Commits
  • 401e5fc Merge pull request #301 from 55728/release/v1.10.1
  • 6ab1625 Release 1.10.1 🎉
  • 5620cfe Merge pull request #299 from 55728/fix/issue-298-blank-issuer-guard
  • fbf4f68 Merge pull request #296 from 55728/fix/prompt-leading-whitespace
  • f8ca5af Merge pull request #300 from 55728/docs/changelog-v1.10.0-arity-2-breaking-note
  • 7ce7473 Add breaking-change note for arity-2 issuer blocks to v1.10.0 CHANGELOG
  • 4d4e791 Raise on blank issuer in resolve_issuer (#298)
  • aed9af5 Merge pull request #292 from 55728/chore/rubocop-todo-phase1-formatting
  • 2c7b814 Reformat cramped multiline closers to avoid ,) and ,]
  • 63dcfa6 Set hash/argument indentation to consistent style
  • Additional commits viewable in compare view

Updates faraday from 2.14.2 to 2.14.3

Release notes

Sourced from faraday's releases.

v2.14.3

Security Note

This release contains a security fix; we recommend all users to upgrade as soon as possible. A Security Advisory with more details will be posted shortly.

What's Changed

New Contributors

Full Changelog: lostisland/faraday@v2.14.2...v2.14.3

Commits

Updates dalli from 5.0.2 to 5.0.5

Changelog

Sourced from dalli's changelog.

5.0.5

Performance:

  • Batch multi-...

    Description has been truncated
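
The doorkeeper-openid_connect v1.10.0 entries above (#263, #267, #277) describe how dynamic client registration is gated and how a client's confidential flag is derived from token_endpoint_auth_method. The Ruby model below is an added example for reviewers of this bump, not code from the gem or from this pull request; the method names, the supported-methods list and the token value are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Standalone model of the registration rules in the release notes above.
# Not doorkeeper-openid_connect code; every name here is hypothetical.

# Assumption: the client authentication methods this server supports.
SUPPORTED_AUTH_METHODS = %w[client_secret_basic client_secret_post none].freeze

# Constructed Initial Access Token, for this example only.
INITIAL_ACCESS_TOKEN = "constructed-initial-access-token"

class RegistrationError < StandardError
  attr_reader :code, :status

  def initialize(code, status)
    super(code)
    @code = code
    @status = status
  end
end

# Gate in the spirit of #267: a falsy result rejects the registration request.
# OpenSSL.secure_compare hashes both inputs and compares the digests in
# constant time (#277), so response timing does not reveal how much of the
# presented token matched.
def registration_authorized?(authorization_header)
  scheme, presented = authorization_header.to_s.split(" ", 2)
  return false unless scheme&.casecmp?("Bearer") && presented

  OpenSSL.secure_compare(presented, INITIAL_ACCESS_TOKEN)
end

# Rule from #263: the default method is client_secret_basic (confidential),
# "none" yields a public client, anything unsupported is rejected.
def confidential_for(metadata)
  auth_method = metadata.fetch("token_endpoint_auth_method", "client_secret_basic")
  unless SUPPORTED_AUTH_METHODS.include?(auth_method)
    # HTTP 400 is the status RFC 7591 uses for registration errors.
    raise RegistrationError.new("invalid_client_metadata", 400)
  end

  auth_method != "none"
end

# Registration: gate first, then derive the flag and issue a secret only to
# confidential clients.
def register_client(authorization_header, metadata)
  unless registration_authorized?(authorization_header)
    raise RegistrationError.new("invalid_token", 401)
  end

  confidential = confidential_for(metadata)
  {
    client_id: SecureRandom.hex(16),
    confidential: confidential,
    secret: confidential ? SecureRandom.hex(32) : nil
  }
end

# Token endpoint check: a public client is accepted on client_id alone, a
# confidential client must present its secret. This is why registering every
# client as public (the pre-1.10.0 behaviour) removed the secret check.
def client_authenticated?(client, presented_secret)
  return true unless client[:confidential]
  return false if presented_secret.nil?

  OpenSSL.secure_compare(presented_secret, client[:secret])
end
```

After this bump, an application that exposes the registration endpoint should confirm that the gate is configured and that existing dynamically registered clients carry the confidential value it expects.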

Bumps the dependencies group with 20 updates:

| Package | From | To |
| --- | --- | --- |
| [jbuilder](https://github.com/rails/jbuilder) | `2.14.1` | `2.15.1` |
| [bootsnap](https://github.com/rails/bootsnap) | `1.24.4` | `1.24.6` |
| [strong_migrations](https://github.com/ankane/strong_migrations) | `2.7.0` | `2.8.0` |
| [omniauth-microsoft_graph](https://github.com/synth/omniauth-microsoft_graph) | `2.1.0` | `2.2.0` |
| [doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) | `5.9.0` | `5.9.3` |
| [doorkeeper-i18n](https://github.com/doorkeeper-gem/doorkeeper-i18n) | `5.2.8` | `5.2.9` |
| [doorkeeper-openid_connect](https://github.com/doorkeeper-gem/doorkeeper-openid_connect) | `1.9.0` | `1.10.1` |
| [faraday](https://github.com/lostisland/faraday) | `2.14.2` | `2.14.3` |
| [dalli](https://github.com/petergoldstein/dalli) | `5.0.2` | `5.0.5` |
| [opentelemetry-instrumentation-all](https://github.com/open-telemetry/opentelemetry-ruby-contrib) | `0.93.0` | `0.94.0` |
| [marcel](https://github.com/rails/marcel) | `1.1.0` | `1.2.1` |
| [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) | `1.222.0` | `1.225.1` |
| [image_processing](https://github.com/janko/image_processing) | `1.14.0` | `2.0.2` |
| [listen](https://github.com/guard/listen) | `3.9.0` | `3.10.0` |
| [overcommit](https://github.com/sds/overcommit) | `0.69.0` | `0.71.0` |
| [brakeman](https://github.com/presidentbeef/brakeman) | `8.0.4` | `8.0.5` |
| [jwt](https://github.com/jwt/ruby-jwt) | `2.10.2` | `2.10.3` |
| [puma](https://github.com/puma/puma) | `8.0.1` | `8.0.2` |
| [selenium-webdriver](https://github.com/SeleniumHQ/selenium) | `4.44.0` | `4.45.0` |
| [database_consistency](https://github.com/djezzzl/database_consistency) | `3.0.4` | `3.0.5` |


Updates `jbuilder` from 2.14.1 to 2.15.1
- [Release notes](https://github.com/rails/jbuilder/releases)
- [Commits](rails/jbuilder@v2.14.1...v2.15.1)

Updates `bootsnap` from 1.24.4 to 1.24.6
- [Release notes](https://github.com/rails/bootsnap/releases)
- [Changelog](https://github.com/rails/bootsnap/blob/main/CHANGELOG.md)
- [Commits](rails/bootsnap@v1.24.4...v1.24.6)

Updates `strong_migrations` from 2.7.0 to 2.8.0
- [Changelog](https://github.com/ankane/strong_migrations/blob/master/CHANGELOG.md)
- [Commits](ankane/strong_migrations@v2.7.0...v2.8.0)

Updates `omniauth-microsoft_graph` from 2.1.0 to 2.2.0
- [Release notes](https://github.com/synth/omniauth-microsoft_graph/releases)
- [Changelog](https://github.com/synth/omniauth-microsoft_graph/blob/main/CHANGELOG.md)
- [Commits](synth/omniauth-microsoft_graph@2.1.0...2.2.0)

Updates `doorkeeper` from 5.9.0 to 5.9.3
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper/releases)
- [Changelog](https://github.com/doorkeeper-gem/doorkeeper/blob/main/CHANGELOG.md)
- [Commits](doorkeeper-gem/doorkeeper@v.5.9.0...v5.9.3)

Updates `doorkeeper-i18n` from 5.2.8 to 5.2.9
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper-i18n/releases)
- [Commits](https://github.com/doorkeeper-gem/doorkeeper-i18n/commits/v5.2.9)

Updates `doorkeeper-openid_connect` from 1.9.0 to 1.10.1
- [Release notes](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/releases)
- [Changelog](https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/CHANGELOG.md)
- [Commits](doorkeeper-gem/doorkeeper-openid_connect@v1.9.0...v1.10.1)

Updates `faraday` from 2.14.2 to 2.14.3
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v2.14.2...v2.14.3)

Updates `dalli` from 5.0.2 to 5.0.5
- [Changelog](https://github.com/petergoldstein/dalli/blob/main/CHANGELOG.md)
- [Commits](petergoldstein/dalli@v5.0.2...v5.0.5)

Updates `opentelemetry-instrumentation-all` from 0.93.0 to 0.94.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-ruby-contrib/releases)
- [Commits](open-telemetry/opentelemetry-ruby-contrib@opentelemetry-instrumentation-all/v0.93.0...opentelemetry-instrumentation-all/v0.94.0)

Updates `marcel` from 1.1.0 to 1.2.1
- [Release notes](https://github.com/rails/marcel/releases)
- [Commits](rails/marcel@v1.1.0...v1.2.1)

Updates `aws-sdk-s3` from 1.222.0 to 1.225.1
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `image_processing` from 1.14.0 to 2.0.2
- [Changelog](https://github.com/janko/image_processing/blob/master/CHANGELOG.md)
- [Commits](janko/image_processing@v1.14.0...v2.0.2)

Updates `listen` from 3.9.0 to 3.10.0
- [Release notes](https://github.com/guard/listen/releases)
- [Commits](guard/listen@v3.9.0...v3.10.0)

Updates `overcommit` from 0.69.0 to 0.71.0
- [Release notes](https://github.com/sds/overcommit/releases)
- [Changelog](https://github.com/sds/overcommit/blob/main/CHANGELOG.md)
- [Commits](sds/overcommit@v0.69.0...v0.71.0)

Updates `brakeman` from 8.0.4 to 8.0.5
- [Release notes](https://github.com/presidentbeef/brakeman/releases)
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
- [Commits](presidentbeef/brakeman@v8.0.4...v8.0.5)

Updates `jwt` from 2.10.2 to 2.10.3
- [Release notes](https://github.com/jwt/ruby-jwt/releases)
- [Changelog](https://github.com/jwt/ruby-jwt/blob/main/CHANGELOG.md)
- [Commits](jwt/ruby-jwt@v2.10.2...v2.10.3)

Updates `puma` from 8.0.1 to 8.0.2
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v8.0.1...v8.0.2)

Updates `selenium-webdriver` from 4.44.0 to 4.45.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](SeleniumHQ/selenium@selenium-4.44.0...selenium-4.45.0)

Updates `database_consistency` from 3.0.4 to 3.0.5
- [Changelog](https://github.com/djezzzl/database_consistency/blob/master/CHANGELOG.md)
- [Commits](djezzzl/database_consistency@v3.0.4...v3.0.5)

---
updated-dependencies:
- dependency-name: jbuilder
  dependency-version: 2.15.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: bootsnap
  dependency-version: 1.24.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: strong_migrations
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: omniauth-microsoft_graph
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: doorkeeper
  dependency-version: 5.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: doorkeeper-i18n
  dependency-version: 5.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: doorkeeper-openid_connect
  dependency-version: 1.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: faraday
  dependency-version: 2.14.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: dalli
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: opentelemetry-instrumentation-all
  dependency-version: 0.94.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: marcel
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: aws-sdk-s3
  dependency-version: 1.225.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: image_processing
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: listen
  dependency-version: 3.10.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: overcommit
  dependency-version: 0.71.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: brakeman
  dependency-version: 8.0.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: jwt
  dependency-version: 2.10.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: puma
  dependency-version: 8.0.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: selenium-webdriver
  dependency-version: 4.45.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: database_consistency
  dependency-version: 3.0.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update ruby code) labels Jun 16, 2026