Omniauth Oauth2 Versions

An abstract OAuth2 strategy for OmniAuth.

v1.7.3

1 year ago

This release contains the relaxation of the oauth2 gem requirement, without the stricter omniauth requirement that 1.8.0 introduces.

v1.8.0

1 year ago

  • Relaxes allowed versions of the oauth2 gem. #146
  • Requires omniauth ~> 2.0 #152

v1.7.2

2 years ago

This release patches a vulnerability reported to GitLab: a malicious actor could craft a callback URL that displayed an arbitrary message to users, because the message was shown without checking that the callback state matched OmniAuth's session state.

Thank you to the folks at GitLab for upstreaming this fix.

v1.7.1

3 years ago

With the release of OmniAuth v2.0.0, this release relaxes this library's OmniAuth version requirement.

v1.7.0

3 years ago

v1.7.0 adds the option to specify that your strategy should utilize PKCE.

Simply add the pkce option to your strategy and set it to true:

option :pkce, true

By default, this uses the recommended code_challenge_method of "S256", but if you want to use basic, or some other future code challenge method, you can specify it in your strategy as well:

option :pkce_options, {
  :code_challenge => proc { |verifier| verifier },
  :code_challenge_method => "basic",
}

Note that the code_challenge must be supplied in the form of something that responds to call.

v1.6.0

5 years ago

  • Fixes CVE-2015-1820 from rest-client
  • Updates minimum Omniauth dependency to 1.9.0 for additional security updates
  • Fixes Rubocop offenses
  • Updates supported Ruby versions
  • Updates CI versions
  • Updates RubyGems source from http to https

v1.5.0

6 years ago