build(deps): bump openidconnect from 3.5.0 to 4.0.1

[dependabot]

Bumps openidconnect from 3.5.0 to 4.0.1.

Release notes

Sourced from openidconnect's releases.

4.0.1

Bug Fixes

• Fix hashing for algorithms utilizing SHA512 (#209)

Full Changelog: ramosbugs/openidconnect-rs@4.0.0...4.0.1

4.0.0

Refer to the Upgrade Guide for tips on how to upgrade from 3.x.

Changes since 4.0.0-rc.1

Bug Fixes

• Use #[skip_serializing_none] (025889ebbf2161adfd76614570283af787026e2f)
• Overhaul deserialization of claims and client metadata (5632960ea94ceda3a17c818d45c26648cc6bee8b)

Other Changes

• Bump oauth2 to 5.0.0 (dbb3f5c4c24a0ca893bdd7d6b49ab71790304f82)

Full Changelog: ramosbugs/openidconnect-rs@4.0.0-rc.1...4.0.0

Summary of changes since 3.5.0

Breaking Changes

• Bump oauth2 to 5.0.0-alpha.4 (19043b103b74f38137d2c0b563eadd4165d2f827)
• Fix EdDSA signature verification (1d97e0e1fcbab6dbcea60abb5f33c895c8499848)
• Replace JWT-related generic traits with associated types (5f039ee4c7233147199febe98e8dadd35491c523)
• Bump oauth2 to 5.0.0-alpha.3 along with http, reqwest, and base64 (7efc8943a8f699aff2db742827fc3d0fc2b3f34d)
• Remove unused nightly feature (c67ffe94af24b65dbb596a68b6623baecf080eb8)
• Update oauth2 to 5.0.0-alpha.2 (fd404985ef6c8e546f951191f4e1bc791615f5ca)
• Remove jwk-alg Cargo feature (73ee82f4243ef6e0e52896b97081c9b7b7226fa4)

New Features

• Add support for specific JOSE header types (#161)
• Implement From<> for unwrapping newtypes
• Derive Eq for types that already derive PartialEq (898ead2e849f9fd7b3afc506d0763d3c9000a6f7)

Bug Fixes

• Use #[skip_serializing_none] (025889ebbf2161adfd76614570283af787026e2f)
• Overhaul deserialization of claims and client metadata (5632960ea94ceda3a17c818d45c26648cc6bee8b)
• Export CoreJsonCurveType (#182)
• Return impl Future instead of Pin<Box<dyn Future>> (#158)
• Propagate timing-resistant-secret-traits feature flag to oauth2 (1c9f77071dd29d8039e65cfeac4345584fdad56b)
• Fix doc comment URL (1131afa2c5a9702c36ddfb400d24d2e241a02ef2)

Other Changes

• Bump oauth2 to 5.0.0 (dbb3f5c4c24a0ca893bdd7d6b49ab71790304f82)
• Remove defunct sponsorship from README
• Add upgrade guide (6852dcc8fbfc4cbf814b0eea48050d406069698c)
• Address clippy lints from Rust 1.77 (29aad1cfccb32397f02cb889b115cb949c68db6a)

... (truncated)

Upgrade guide

Sourced from openidconnect's upgrade guide.

Upgrade Guide

Upgrading from 3.x to 4.x

The 4.0 release includes breaking changes to address several long-standing API issues, along with a few minor improvements. Consider following the tips below to help ensure a smooth upgrade process. This document is not exhaustive but covers the breaking changes most likely to affect typical uses of this crate.

Add typestate generic types to Client

Each auth flow depends on one or more server endpoints. For example, the authorization code flow depends on both an authorization endpoint and a token endpoint, while the client credentials flow only depends on a token endpoint. Previously, it was possible to instantiate a Client without a token endpoint and then attempt to use an auth flow that required a token endpoint, leading to errors at runtime. Also, the authorization endpoint was always required, even for auth flows that do not use it.

In the 4.0 release, all endpoints are optional. Typestates are used to statically track, at compile time, which endpoints' setters (e.g., set_auth_uri()) have been called. Auth flows that depend on an endpoint cannot be used without first calling the corresponding setter, which is enforced by the compiler's type checker. This guarantees that certain errors will not arise at runtime.

When using OpenID Connect Discovery (i.e., Client::from_provider_metadata()), each discoverable endpoint is set to a conditional typestate (EndpointMaybeSet). This is because it cannot be determined at compile time whether each of these endpoints will be returned by the OpenID Provider. When the conditional typestate is set, endpoints can be used via fallible methods that return Err(ConfigurationError::MissingUrl(_)) if an endpoint has not been set.

There are three possible typestates, each implementing the EndpointState trait:

• EndpointNotSet: the corresponding endpoint has not been set and cannot be used.
• EndpointSet: the corresponding endpoint has been set and is ready to be used.
• EndpointMaybeSet: the corresponding endpoint may have been set and can be used via fallible methods that return Result<_, ConfigurationError>.

The following code changes are required to support the new interface:

1. Update calls to Client::new() to use the three-argument constructor (which accepts only a ClientId, IssuerUrl, and JsonWebKeySet). Use the set_auth_uri(), set_token_uri(), set_user_info_url(), and set_client_secret() methods to set the authorization endpoint, token endpoint, user info endpoint, and client secret, respectively, if applicable to your application's auth flows.
2. If using Client::from_provider_metadata(), update call sites that use each auth flow (e.g., Client::exchange_code()) to handle the possibility of a ConfigurationError if the corresponding endpoint was not specified in the provider metadata.
3. If required by your usage of the Client or CoreClient types (i.e., if you see related compiler errors), add the following generic parameters:

... (truncated)

Commits

• b639b5d Bump version to 4.0.1
• 82aa8a8 Fix hashing of e.g. access tokens for algorithms utilizing SHA512 (#209)
• 03b7157 Bump Tarpaulin to 0.32.0 for CI coverage job
• fb5b3e2 Bump version to 4.0.0
• dbb3f5c Bump oauth2 to 5.0.0
• 5632960 Overhaul deserialization of claims and client metadata
• 025889e Use #[skip_serializing_none]
• 77363f3 Bump oauth2 to 5.0.0-rc.1
• 819409a Bump version to 4.0.0-rc.1
• 052f4a7 Remove sponsorship from README
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[github-actions]

This pull request has merge conflicts that must be resolved before it can be merged.