Update oauth2 gem to v2.0.3
What does this MR do and why?
Bump the version to keep up with the latest security fixes, but we also need this update for FIPS compliance, as this version drops the use of MD5 from nonce generation.
Almost all the changes are backwards compatible, but there is a change in v1.4.9 (https://github.com/oauth-xx/oauth2/pull/469) that breaks the omniauth-gitlab integration. This will be worked around in !90866 (merged).
The oauth2 gem normalized all parameters to strings in https://github.com/oauth-xx/oauth2/pull/536. Update the test to reflect that.
Parse errors are also no longer rescued due to https://github.com/oauth-xx/oauth2/pull/576. Previously stubbing an Array would work because the original body would be returned. To accommodate this in our tests, call to_json on the stubbed output.
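The following is an added illustration of the behaviour change this paragraph describes; it is constructed for this description and is not code from the oauth2 gem or from GitLab. It contrasts a lenient body parser that swallows parse errors and returns the raw body (which is why a spec could stub the body with a Ruby Array and still pass) with a strict one that only accepts a String and lets parse errors propagate, so a mis-stubbed or malformed body surfaces in the test instead of being silently passed through. The payload and method names are assumptions.

```ruby
require 'json'

# Lenient variant (constructed): swallow parse errors and hand back the raw
# body. A stubbed Array "works" here only because it is returned untouched.
def parse_body_lenient(body)
  JSON.parse(body)
rescue JSON::ParserError, TypeError
  body
end

# Strict variant (constructed): only a String body is parsed, and parse errors
# propagate, so an unexpected or malformed body fails loudly.
def parse_body_strict(body)
  raise TypeError, "expected a String body, got #{body.class}" unless body.is_a?(String)

  JSON.parse(body)
end

# Stand-in for a token-endpoint payload stubbed in a spec (constructed value).
STUBBED_PAYLOAD = [{ 'access_token' => 'constructed-token', 'token_type' => 'Bearer' }].freeze

# Old behaviour: the Array comes back unchanged, masking the bad stub.
def lenient_with_array
  parse_body_lenient(STUBBED_PAYLOAD)
end

# New behaviour: stubbing a raw Array raises instead of passing through.
def strict_with_array
  parse_body_strict(STUBBED_PAYLOAD)
  :no_error
rescue TypeError => e
  e.class
end

# The fix described above: stub a JSON string by calling to_json.
def strict_with_json_string
  parse_body_strict(STUBBED_PAYLOAD.to_json)
end

# A malformed body is no longer rescued either.
def strict_with_garbage
  parse_body_strict('{not json')
  :no_error
rescue JSON::ParserError => e
  e.class
end
```

Running `strict_with_array` shows the failure a spec would now hit, and `strict_with_json_string` shows the corrected stub producing the parsed Array.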
We can't remove the monkey patch mentioned in #340933 yet because we need to make omniauth-oauth2 rescue OAuth2 exceptions that have now been subclassed from Faraday exceptions.
The existing patch is compatible because:
- https://github.com/oauth-xx/oauth2/pull/549 added handling of Faraday::ConnectionFailed by raising OAuth2::ConnectionError, but the latter is just a subclass of the former.
- https://github.com/oauth-xx/oauth2/pull/604 added handling of Faraday::TimeoutError by raising OAuth2::TimeoutError, but again the latter is just a subclass of the former.
- Diff: https://my.diffend.io/gems/oauth2/1.4.7/2.0.3
- Changes: https://github.com/oauth-xx/oauth2/blob/master/CHANGELOG.md
Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/361284
How to set up and validate locally
Set up any OAuth2 provider (e.g. https://docs.gitlab.com/ee/administration/auth/oidc.html) and link an account.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.