StandardRB fixes

app/services/concerns/claims_merger.rb

@@ -13,20 +13,20 @@ module ClaimsMerger
     result = base.dup
 
     incoming.each do |key, value|
-      if result.key?(key)
+      result[key] = if result.key?(key)
         # If both values are arrays, combine them (union to avoid duplicates)
         if result[key].is_a?(Array) && value.is_a?(Array)
-          result[key] = (result[key] + value).uniq
+          (result[key] + value).uniq
         # If both values are hashes, recursively merge them
         elsif result[key].is_a?(Hash) && value.is_a?(Hash)
-          result[key] = deep_merge_claims(result[key], value)
+          deep_merge_claims(result[key], value)
         else
           # Otherwise, incoming value wins (override)
-          result[key] = value
+          value
         end
       else
         # New key, just add it
-        result[key] = value
+        value
       end
     end
 

app/services/oidc_jwt_service.rb

@@ -60,7 +60,7 @@ class OidcJwtService
       # Merge app-specific custom claims (highest priority, arrays are combined)
       payload = deep_merge_claims(payload, application.custom_claims_for_user(user))
 
-      JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
+      JWT.encode(payload, private_key, "RS256", {kid: key_id, typ: "JWT"})
     end
 
     # Generate a backchannel logout token (JWT)
@@ -84,12 +84,12 @@ class OidcJwtService
       }
 
       # Important: Do NOT include nonce in logout tokens (spec requirement)
-      JWT.encode(payload, private_key, "RS256", { kid: key_id, typ: "JWT" })
+      JWT.encode(payload, private_key, "RS256", {kid: key_id, typ: "JWT"})
     end
 
     # Decode and verify an ID token
     def decode_id_token(token)
-      JWT.decode(token, public_key, true, { algorithm: "RS256" })
+      JWT.decode(token, public_key, true, {algorithm: "RS256"})
     end
 
     # Get the public key in JWK format for the JWKS endpoint