
Sync fork with upstream auth0/omniauth-auth0 v3.2.0 #4

Merged: pontiphex merged 32 commits into master from chore/sync-upstream-v3.2.0, May 28, 2026

@pontiphex
Collaborator

Summary

Brings our fork up to date with upstream auth0/omniauth-auth0 v3.2.0. The fork had drifted ~31 commits behind (it was sitting on a v3.1.1-era base plus our one customization). This merges upstream master while preserving our only real change: forwarding ext- prefixed query params to /authorize.

Why now

We want a feature from upstream v3.2.0:

Also pulled in: dependency bumps (faraday, rack, rexml), the new RL/release CI workflows, README/CHANGELOG updates, and the JWTToken helper.

Our customization, preserved

  • lib/omniauth/strategies/auth0.rb: authorize_params still forwards any ext-prefixed param (Auth0's custom query parameter convention) via the is_authorized_param? helper, now sitting alongside upstream's new client-assertion private methods.

Conflict resolution notes

  • Strategy file: kept both our is_authorized_param? helper and upstream's new client_assertion_* methods.
  • Spec file: upstream refactored the redirect tests into the shared example group oauth redirects with various parameters, run under two auth contexts (client_secret and client-assertion). I folded our ext- assertions + the ext-test=testval example into that shared group, so our customization is now exercised under both contexts (better coverage than the original single-context tests).
  • Gemfile.lock: took upstream's resolution; our stale dependabot bump is superseded. Lockfile is now byte-identical to upstream.

The net diff vs upstream master is exactly the ext- customization (lib + spec), nothing else.

Test plan

  • bundle exec rspec: 128 examples, 0 failures (99.36% line coverage)
  • Strategy spec specifically — 68 examples, 0 failures; ext-test cases pass under both auth contexts
  • ruby -c syntax check on resolved files
  • After merge, repoint the Jobber monolith's omniauth-auth0 git dependency at the new master (or this merge SHA) and run the app's auth specs

Follow-up (separate, not this PR)

Upstream issue auth0#214 requests this exact ext- feature and references the previously-withdrawn auth0#204. Worth reviving as a clean, configurable upstream PR so we can eventually drop the fork — tracked separately.

🤖 Generated with Claude Code
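
The `ext-` passthrough described in this pull request, as an added Ruby sketch; it is not the fork's `is_authorized_param?` code. The helper names, the key pattern, the value length cap and the sample parameters are assumptions, chosen to show how a prefix allow-list treats the Array and Hash values Rack produces for bracketed query keys.

```ruby
require 'uri'

# Hypothetical helper names; not the fork's is_authorized_param? implementation.
# Assumed policy: key is "ext-" plus 1..64 safe characters, value is a short string.
EXT_KEY = /\Aext-[A-Za-z0-9_-]{1,64}\z/
MAX_VALUE_LEN = 256

def forwardable_ext_param?(key, value)
  key.is_a?(String) && EXT_KEY.match?(key) &&
    value.is_a?(String) && value.length <= MAX_VALUE_LEN
end

# Strategy-owned params (client_id, redirect_uri, state, ...) come from
# configuration; the request may only add ext- keys, never replace a base key.
def build_authorize_params(base_params, request_params)
  extras = request_params.select { |k, v| forwardable_ext_param?(k, v) }
  base_params.merge(extras) { |_key, base_value, _ext_value| base_value }
end

def authorize_url(domain, params)
  URI::HTTPS.build(host: domain, path: '/authorize',
                   query: URI.encode_www_form(params)).to_s
end

# Constructed sample data, shaped the way Rack parses a query string.
BASE_PARAMS = {
  'client_id' => 'abc123',
  'redirect_uri' => 'https://app.example.com/auth/auth0/callback',
  'state' => 'constructed-state'
}.freeze
REQUEST_PARAMS = {
  'ext-test' => 'testval',                      # forwarded
  'redirect_uri' => 'https://other.example/cb', # dropped: no ext- prefix
  'next-step' => '1',                           # dropped: prefix not at start
  'ext-list' => %w[a b],                        # dropped: ext-list[]=a parses to an Array
  'ext-nested' => { 'k' => 'v' },               # dropped: ext-nested[k]=v parses to a Hash
  'ext-' => 'x'                                 # dropped: empty name after prefix
}.freeze

def demo_url
  authorize_url('tenant.example.com',
                build_authorize_params(BASE_PARAMS, REQUEST_PARAMS))
end

puts demo_url if $PROGRAM_NAME == __FILE__
```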

stevenwong-okta and others added 30 commits July 25, 2024 22:29
Bumps [faraday](https://github.com/lostisland/faraday) from 2.7.10 to 2.14.1.
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v2.7.10...v2.14.1)

---
updated-dependencies:
- dependency-name: faraday
  dependency-version: 2.14.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [rack](https://github.com/rack/rack) from 2.2.7 to 2.2.23.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.7...v2.2.23)

---
updated-dependencies:
- dependency-name: rack
  dependency-version: 2.2.23
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…tinuing to support client secret authentication.

The client assertion signing key allows Private Key JWT application authentication in Auth0. The client_assertion_signing_key and client_assertion_signing_algorithm are optional parameters.
Client assertion signing key will be used if a client_assertion_signing_key is provided. The client_assertion_signing_algorithm is optional. The algorithm defaults to RS256 if nil or not
provided.
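
The Private Key JWT authentication named in the commit message above, as an added Ruby example using only the standard library; it is not code from upstream or from this fork. The method names, the 60-second lifetime, the audience value passed by the caller and the RS384/RS512 entries are assumptions; the RS256 default follows the commit message.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
# Algorithms this sketch supports (assumption); RS256 is the default.
DIGESTS = { 'RS256' => 'SHA256', 'RS384' => 'SHA384', 'RS512' => 'SHA512' }.freeze

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  (text + '=' * ((4 - text.length % 4) % 4)).tr('-_', '+/').unpack1('m0')
end

# Sign a short-lived assertion; a nil algorithm falls back to RS256.
def client_assertion(client_id:, audience:, key:, algorithm: nil, now: Time.now.to_i)
  algorithm ||= 'RS256'
  digest = DIGESTS.fetch(algorithm) { raise ArgumentError, "unsupported alg: #{algorithm}" }
  claims = { iss: client_id, sub: client_id, aud: audience,
             iat: now, exp: now + 60, jti: SecureRandom.uuid } # 60 s lifetime is assumed
  signing_input = [{ alg: algorithm, typ: 'JWT' }, claims]
                  .map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new(digest), signing_input))}"
end

# Token request body: the assertion pair takes the place of client_secret.
def token_request_params(assertion, code:, redirect_uri:)
  { grant_type: 'authorization_code', code: code, redirect_uri: redirect_uri,
    client_assertion_type: ASSERTION_TYPE, client_assertion: assertion }
end

# Receiver-side check: pin the algorithm, verify with the registered public
# key, then check audience and expiry. Returns the claims or nil.
def verify_assertion(jwt, public_key, audience:, alg: 'RS256', now: Time.now.to_i)
  head, body, sig = jwt.split('.')
  return nil unless head && body && sig
  return nil unless JSON.parse(b64url_decode(head))['alg'] == alg
  digest = OpenSSL::Digest.new(DIGESTS.fetch(alg))
  return nil unless public_key.verify(digest, b64url_decode(sig), "#{head}.#{body}")
  claims = JSON.parse(b64url_decode(body))
  claims['aud'] == audience && claims['exp'] > now ? claims : nil
end
```

The private key stays with the application; only the public half is registered with the authorization server, so nothing sent in the token request can be replayed as a long-lived shared secret.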
arpit-jn and others added 2 commits May 28, 2026 19:53
Brings the fork up to date with upstream v3.2.0, which adds client
assertion signing key authentication (auth0#203) plus dependency and CI/release
workflow updates. The fork's only customization -- forwarding `ext-`
prefixed query params to /authorize -- is preserved.

Conflicts resolved:
- lib/omniauth/strategies/auth0.rb: kept the `ext-` passthrough in
  authorize_params and the is_authorized_param? helper alongside upstream's
  new client-assertion private methods.
- spec/omniauth/strategies/auth0_spec.rb: upstream refactored the redirect
  tests into the shared example group 'oauth redirects with various
  parameters' run under two auth contexts. Folded the ext- assertions and
  the ext-test=testval example into that shared group so they now run under
  both client_secret and client-assertion auth.
- Gemfile.lock: took upstream's resolution (fork's stale dependabot bump
  superseded).

Full suite: 128 examples, 0 failures.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@jobbiebot jobbiebot Bot added the approved label May 28, 2026
@pontiphex pontiphex merged commit ff6acdd into master May 28, 2026
4 checks passed