Add browser dashboard to spec/dummy for exercising OIDC endpoints

Replace the DummyController root redirect with a single-page dashboard that
drives every OpenID Connect endpoint from the browser, removing the need for
rails console + curl when trying the gem out by hand.

- Setup: create users and OAuth applications via plain Rails forms (CSRF
  tokens are auto-attached, so it works in development without RAILS_ENV=test)
- Discovery: openid-configuration, JWKS and WebFinger
- Authorization: code / implicit / form_post with nonce, PKCE, prompt and
  max_age; the callback hands the code/token back to the dashboard
- Token exchange, UserInfo, Introspection and Revocation via fetch()
- ID Token header/payload decoded client-side with labelled claims

skip_authorization is enabled only in development so a GET to /oauth/authorize
redirects straight back with a code; the test environment is unchanged
(controller specs stub skip_authorization? themselves). Adds a minimal
development environment file. No new tests (dummy UI only).

Author: 55728

CHANGELOG.md

@@ -4,6 +4,7 @@
 - [#304] allow handle auth_time per grant
 - [#305] Document the `auth_time_from_access_token` config option in the README (per-grant `auth_time`), clarifying that it only affects the ID Token `auth_time` claim and not `max_age` enforcement
 - [#307] Fix `bundle exec rake server` for the test application
+- [#309] Add a browser dashboard to the test application (`spec/dummy`) for exercising the OpenID Connect endpoints by hand — replacing the rails console + curl workflow with forms for Setup, Discovery, Authorization (code / implicit / PKCE / nonce / prompt / `max_age`), token exchange, UserInfo, introspection and revocation
 
 ## v1.10.1 (2026-06-03)
 

spec/dummy/app/controllers/dummy_controller.rb

@@ -1,7 +1,30 @@
 # frozen_string_literal: true
 
 class DummyController < ApplicationController
+  skip_before_action :verify_authenticity_token, only: :callback
+
   def index
-    redirect_to "/.well-known/openid-configuration", status: :found
+    @users = User.order(:id)
+    @applications = Doorkeeper::Application.order(:id)
+  end
+
+  def create_user
+    User.create!(name: params[:name], password: params[:password])
+    redirect_to root_path, notice: "User #{params[:name]} created"
+  end
+
+  def create_application
+    Doorkeeper::Application.create!(
+      name: params[:name],
+      redirect_uri: params[:redirect_uri].presence || "http://localhost:3000/callback",
+      scopes: params[:scopes].presence || "openid",
+    )
+    redirect_to root_path, notice: "Application created"
+  end
+
+  def callback
+    @params = request.query_parameters
+                     .merge(request.request_parameters)
+                     .except("controller", "action")
   end
 end

spec/dummy/app/views/dummy/callback.html.erb

@@ -0,0 +1,12 @@
+<h1>Returning to the dashboard…</h1>
+<p class="muted">Capturing the authorization response and handing it back to the dashboard.</p>
+<noscript><p>JavaScript is required. <a href="/">Back to dashboard</a>.</p></noscript>
+
+<script>
+  var data = <%= raw json_escape(@params.to_json) %>;
+  if (location.hash.length > 1) {
+    new URLSearchParams(location.hash.slice(1)).forEach(function (v, k) { data[k] = v; });
+  }
+  sessionStorage.setItem('oidc_cb', JSON.stringify(data));
+  location.replace('/');
+</script>