diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8c7a525..48e5177 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ permissions:
 
 jobs:
   test:
-    name: Ruby ${{ matrix.ruby }} / Rails ${{ matrix.rails }} / AA ${{ matrix.activeadmin }}
+    name: Ruby ${{ matrix.ruby }} / Rails ${{ matrix.rails }} / AA ${{ matrix.activeadmin }} / OOIDC ${{ matrix.omniauth_openid_connect }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -17,12 +17,16 @@ jobs:
         ruby: ['3.2', '3.3', '3.4']
         rails: ['7.2.0', '8.0.0']
         activeadmin: ['3.5.0']
+        # 0.6.x → openid_connect 1.x (httpclient, no faraday dep).
+        # 0.7.x / 0.8.x → openid_connect 2.x (faraday 2.x).
+        omniauth_openid_connect: ['0.6.0', '0.7.0', '0.8.0']
         # AA 3.4.0 is excluded: it pins devise < 5, which is
         # incompatible with the devise >= 4.9 floor this gem needs.
         # Support starts at ActiveAdmin 3.5, which lifted that cap.
     env:
       RAILS: ${{ matrix.rails }}
       AA: ${{ matrix.activeadmin }}
+      OOIDC: ${{ matrix.omniauth_openid_connect }}
     steps:
       - uses: actions/checkout@v4
       - uses: ruby/setup-ruby@v1
diff --git a/Gemfile b/Gemfile
index 9d727e5..34184fc 100644
--- a/Gemfile
+++ b/Gemfile
@@ -9,7 +9,11 @@ default_activeadmin_version = "3.5.0"
 
 rails_version       = ENV.fetch("RAILS", default_rails_version)
 activeadmin_version = ENV.fetch("AA",    default_activeadmin_version)
+# 0.6.x uses openid_connect 1.x (httpclient, no faraday) — required for
+# host apps still on faraday 1.x. 0.7.x uses openid_connect 2.x (faraday 2.x).
+ooidc_version       = ENV["OOIDC"]
 
 gem "rails",        "~> #{rails_version}"
 gem "activerecord", "~> #{rails_version}"
 gem "activeadmin",  "~> #{activeadmin_version}"
+gem "omniauth_openid_connect", "~> #{ooidc_version}" if ooidc_version
diff --git a/activeadmin-oidc.gemspec b/activeadmin-oidc.gemspec
index d9027b4..4326fe5 100644
--- a/activeadmin-oidc.gemspec
+++ b/activeadmin-oidc.gemspec
@@ -28,10 +28,17 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "activeadmin",            ">= 3.5", "< 4"
-  spec.add_dependency "devise",                 ">= 4.9"
+  # Devise 5.0 wraps `Devise.mappings` with `reload_routes_unless_loaded`
+  # (heartcombo/devise#5728) so OmniAuth's failure handler works under
+  # Rails 8 lazy route loading without an engine-side workaround.
+  spec.add_dependency "devise",                 ">= 5.0"
   spec.add_dependency "omniauth",               ">= 2.1"
   spec.add_dependency "omniauth-rails_csrf_protection", ">= 1.0"
-  spec.add_dependency "omniauth_openid_connect", ">= 0.7"
+  # 0.6.x → openid_connect 1.x (httpclient-based, no faraday dep).
+  # 0.7.x+ → openid_connect 2.x (faraday 2.x). Host apps still on faraday 1.x
+  # need 0.6.x. activeadmin-oidc only uses the standard OmniAuth strategy
+  # registration API, which is identical across both lines.
+  spec.add_dependency "omniauth_openid_connect", ">= 0.6"
   spec.add_dependency "rails",                  ">= 7.2"
 
   spec.add_development_dependency "rspec-rails",  ">= 6.0"