Bump devise to 5.0, widen omniauth_openid_connect support #2

Merged: Fivell merged 7 commits into main from add-routes-reloader-to-engine on May 27, 2026

@Fivell Fivell commented May 27, 2026

Summary

Bump devise floor to >= 5.0 and widen omniauth_openid_connect support to >= 0.6 so host apps on either the faraday-1 (0.6.x) or faraday-2 (0.7.x / 0.8.x) line can install the gem.

CI matrix now exercises all three omniauth_openid_connect lines across Ruby 3.2–3.4 and Rails 7.2 / 8.0.

Background — why no Rails 8 route-loader workaround in the engine

Originally this branch added an engine-side after_initialize hook to force Rails 8 route loading so OmniAuth's failure handler wouldn't hit an empty Devise.mappings. On investigation, Devise 5.0 already handles this upstream (heartcombo/devise#5728) — its Devise.mappings getter wraps Rails.application.try(:reload_routes_unless_loaded), which is functionally identical to our workaround. So instead of carrying a duplicate, this PR bumps the devise floor to the version that has the fix.

Changes

  • gemspec
    • devise >= 5.0 (was >= 4.9) with a comment pointing to the Devise PR.
    • omniauth_openid_connect >= 0.6 (was >= 0.7) — keeps faraday-1 host apps supported.
  • CI — omniauth_openid_connect axis added: ['0.6.0', '0.7.0', '0.8.0'].
  • Gemfile — honours an OOIDC env var so CI can pin per matrix cell.
  • No code added to lib/.

Compatibility

  • Breaking change for host apps still on Devise 4.9.x. They either upgrade Devise to 5.0+ or pin activeadmin-oidc to the previous version.
  • No breaking change for omniauth_openid_connect consumers — floor was lowered, not raised.

Test plan

  • CI green across the full matrix (Ruby × Rails × OOIDC).
  • Smoke-test the OIDC login flow on a host app running Rails 8 + Devise 5.0+.

Fivell added 7 commits May 27, 2026 09:12
omniauth_openid_connect 0.7+ pulls in openid_connect 2.x which requires
faraday ~> 2.0. Host apps still on faraday 1.x (large legacy Gemfiles
with pinned transitives like azure-storage-common, faraday_middleware,
pipedrive forks) cannot adopt the gem at all.

omniauth_openid_connect 0.6.x pairs with openid_connect 1.x, which uses
httpclient internally and has no faraday dependency. activeadmin-oidc
itself only touches the standard OmniAuth strategy registration API
(devise.omniauth :openid_connect, ...) — identical across both lines —
so the floor can safely move down to 0.6 with no runtime changes.
…vise mappings

OmniAuth.config.on_failure walks Devise.mappings.find_by_path! to
resolve the resource scope from the request path. On Rails 8 routes
load lazily — first OmniAuth callback can fire before devise_for runs,
which leaves Devise.mappings empty and raises 'Could not find a valid
mapping for path /admin/auth/oidc' that masks the real underlying error
(CSRF check, bad id_token signature, etc).

Move the workaround into the engine so every host app gets it for free
instead of every consumer copy-pasting Rails.application.routes_reloader.
execute_unless_loaded into their activeadmin-oidc initializer.

execute_unless_loaded is a Rails 8 API; on Rails 7.x the engine
crashed at boot. Guarded with respond_to? — Rails 7.x loads routes
eagerly so the hook is a no-op there. Added a high-level spec that
simulates the empty-Devise.mappings state and verifies the fix.

The previous spec poked at routes_reloader and Devise.mappings internals to demonstrate the fix. Replaced with a feature-level Capybara spec that exercises the OIDC failure flow end-to-end on Rails 8 only (skipped on 7.x where the bug doesn't manifest). Adds capybara as a dev dependency.

0.6.x uses openid_connect 1.x (httpclient, no faraday dep) so host apps still on faraday 1.x can stay on this line. 0.7.x uses openid_connect 2.x (faraday 2.x). Both must keep working since the gemspec floor is >= 0.6.

OOIDC env var overrides the omniauth_openid_connect version in the Gemfile; CI exercises both lines across the Ruby/Rails/AA matrix.

Devise 5.0 wraps Devise.mappings with reload_routes_unless_loaded (heartcombo/devise#5728) so OmniAuth's failure handler resolves the scope correctly under Rails 8 lazy route loading without engine-side workarounds.

Removes: engine after_initialize hook, capybara dev dep, the Rails 8 sanity spec that existed only to cover the bug Devise now handles upstream.
@Fivell Fivell merged commit c6be07d into main May 27, 2026
18 checks passed
@Fivell Fivell deleted the add-routes-reloader-to-engine branch May 27, 2026 19:23