Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(deps): bump openidconnect from 2.4.0 to 2.5.0 #358

Merged
merged 1 commit into from
Jan 16, 2023
Merged

build(deps): bump openidconnect from 2.4.0 to 2.5.0 #358

merged 1 commit into from
Jan 16, 2023

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 13, 2023

Bumps openidconnect from 2.4.0 to 2.5.0.

Release notes

Sourced from openidconnect's releases.

2.5.0

New Features

  • Ignore unrecognized signature algorithms, encryption algorithms, and public keys when parsing provider metadata and JWK sets (#99).

    Previously, this crate would return a deserialization error if it encountered any unrecognized signature/encryption algorithms or public keys in the ProviderMetadata and JsonWebKeySet. This release changes the behavior to instead ignore these unexpected values, with the aim of improving compatibility with OIDC providers that support other algorithms but don't necessarily use them to sign JWTs. The OIDC spec allows for new algorithms and key types to be used, so these OIDC providers are fully compliant with the spec.

  • Propagate signature algorithms from OIDC discovery to token verifier (#87). Previously, these had to be configured manually when instantiating the token verifier.

Bug Fixes

  • Use serde_plain instead of the oauth2 crate's variant_name helper to convert algorithm names and other values to strings. This should ensure compatibility with arbitrary Serialize implementations for these types.

Other Changes

  • Replace constant time from ring with subtle in preparation for removing ring entirely in 3.0 (#89).
Commits
  • 0db8ad1 Skip unrecognized algorithms and keys in provider metadata
  • 424b44f Use serde_plain instead of variant_name to stringify enums
  • 47e0c41 Run CI on push/PR for all branches
  • 2038ea4 Pin GitHub runner image to Ubuntu 20.04 for 1.45 build
  • a52ef56 Propagate signature algorithms from OIDC discovery to token verifier (#87)
  • f0c2040 Replace constant time from ring with subtle (#89)
  • 32603ad Bump version to 2.4.1
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump openidconnect from 2.4.0 to 2.5.0
32b3718 
Bumps [openidconnect](https://github.com/ramosbugs/openidconnect-rs) from 2.4.0 to 2.5.0.
- [Release notes](https://github.com/ramosbugs/openidconnect-rs/releases)
- [Commits](ramosbugs/openidconnect-rs@2.4.0...2.5.0)

---
updated-dependencies:
- dependency-name: openidconnect
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested review from a team, bstrie and haraldh as code owners January 13, 2023 19:12
@dependabot dependabot bot added dependencies rust Pull requests that update Rust code labels Jan 13, 2023
@rjzak rjzak merged commit cb75248 into main Jan 16, 2023
@rjzak rjzak deleted the dependabot/cargo/openidconnect-2.5.0 branch January 16, 2023 19:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

@rjzak rjzak rjzak approved these changes

@bstrie bstrie Awaiting requested review from bstrie

@haraldh haraldh Awaiting requested review from haraldh

Assignees
No one assigned
Labels
dependencies rust Pull requests that update Rust code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rjzak