Upgrade doorkeeper and doorkeeper-openid_connect gems
What does this MR do and why?
This merge request updates doorkeeper and doorkeeper-openid_connect for a number of reasons:
- It is needed to fix an issue with caching: https://gitlab.com/gitlab-org/gitlab/-/issues/383288
- Ruby 3.1 requires a fix that landed in `doorkeeper` v5.6.3: https://github.com/doorkeeper-gem/doorkeeper/commit/5f044f6532859824fac9f1a420ed397becf6a412
- `doorkeeper-openid_connect` needs to be upgraded together with `doorkeeper` because of https://github.com/doorkeeper-gem/doorkeeper-openid_connect/issues/184, which is fixed via https://github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/185.
This upgrade was attempted in !116142 (merged) but later reverted. We had a production incident in gitlab-com/gl-infra/production#8664 (closed) when !116142 (merged) updated `doorkeeper-openid_connect` from v1.8.3 to v1.8.5.
In v1.8.4, https://github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/177 swapped json-jwt in favor of ruby-jwt.
The OpenID Connect `kid` (JWK key ID) is an opaque value that is supposed to identify a public key. However, json-jwt and ruby-jwt derive the `kid` differently: the former generates a JWK thumbprint as described in RFC 7638 (https://www.rfc-editor.org/rfc/rfc7638), while the latter generates a SHA-256 digest of the key material itself. The same signing key is therefore published under a different `kid` after the swap, and consumers that match a token's `kid` against a previously fetched JWKS no longer find the key.
We could preserve the previous behavior by setting `JWT.configuration.jwk.kid_generator_type` to `:rfc7638_thumbprint`. However, this is a global setting that might affect other users of the `jwt` gem in the same process.
For now, just patch `doorkeeper-openid_connect` to pull in https://github.com/doorkeeper-gem/doorkeeper-openid_connect/pull/194, which uses an RFC 7638 thumbprint as the `kid`.
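To make the `kid` mismatch concrete, here is an added example (not code from this MR, doorkeeper-openid_connect, json-jwt or ruby-jwt) that computes both flavours of `kid` for one RSA key and shows that a relying party holding a JWKS stamped with the old `kid` cannot resolve a token issued under the new one. The sample key is the public JWK from RFC 7638 section 3.1, whose thumbprint the RFC lists, so the RFC 7638 path is checkable against a published value. The "digest of the key itself" path hashes the DER encoding of the RSAPublicKey SEQUENCE; that construction is an assumption chosen to illustrate a key-material digest, not a claim about ruby-jwt's source. `build_jwks`, `find_key` and `cached_jwks_resolves_after_switch?` are hypothetical helpers standing in for a provider and a relying party.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Constructed sample input: the RSA public JWK from RFC 7638 section 3.1.
# The RFC gives its thumbprint as "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs".
SAMPLE_JWK = {
  'kty' => 'RSA',
  'n'   => '0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw',
  'e'   => 'AQAB',
  'alg' => 'RS256'
}.freeze

# JWK members that feed the thumbprint, per RFC 7638 section 3.2: only these,
# in lexicographic order, serialized as JSON with no whitespace.
REQUIRED_MEMBERS = {
  'RSA' => %w[e kty n],
  'EC'  => %w[crv kty x y],
  'oct' => %w[k kty]
}.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# RFC 7638 JWK thumbprint: base64url(SHA-256(canonical JSON of required members)).
def rfc7638_thumbprint(jwk)
  members = REQUIRED_MEMBERS.fetch(jwk.fetch('kty'))
  canonical = JSON.generate(members.sort.map { |m| [m, jwk.fetch(m)] }.to_h)
  b64url(OpenSSL::Digest::SHA256.digest(canonical))
end

# A kid derived from the key material rather than from the JWK document:
# hex SHA-256 over DER(RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }).
# Assumption: this stands in for the "digest of the key itself" that the MR
# attributes to ruby-jwt; it is not copied from that gem.
def der_sha256_kid(jwk)
  n = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk.fetch('n')), 2)
  e = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk.fetch('e')), 2)
  der = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(n),
                                 OpenSSL::ASN1::Integer.new(e)]).to_der
  OpenSSL::Digest::SHA256.hexdigest(der)
end

# Hypothetical provider side: publish a JWKS whose keys carry a kid produced
# by the given generator (a Method or lambda taking the JWK).
def build_jwks(jwk, kid_generator)
  { 'keys' => [jwk.merge('kid' => kid_generator.call(jwk))] }
end

# Hypothetical relying-party side: select the key whose kid matches the
# token header. Returns nil when nothing matches.
def find_key(jwks, kid)
  jwks['keys'].find { |k| k['kid'] == kid }
end

# The upgrade scenario: the relying party holds a JWKS stamped with RFC 7638
# thumbprints, while new tokens are issued under the key-material digest.
# Returns true only if the stale JWKS can still resolve the new kid.
def cached_jwks_resolves_after_switch?(jwk)
  cached_jwks = build_jwks(jwk, method(:rfc7638_thumbprint))
  new_token_kid = der_sha256_kid(jwk)
  !find_key(cached_jwks, new_token_kid).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "rfc7638 thumbprint: #{rfc7638_thumbprint(SAMPLE_JWK)}"
  puts "der sha256 kid:     #{der_sha256_kid(SAMPLE_JWK)}"
  puts "stale JWKS resolves new kid? #{cached_jwks_resolves_after_switch?(SAMPLE_JWK)}"
end
```

The two generators disagree for the same key even though both are deterministic and collision-resistant, which is the whole problem: a `kid` is only useful if issuer and consumer keep computing it the same way across upgrades. The RFC 7638 form is the interoperable choice because any party can recompute it from the public JWK alone, which is why the patch pulls in PR 194 rather than relying on a process-wide `jwt` setting.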
Relates to #406649 (closed)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.