doorkeeper-openid_connect is vulnerable to open redirect. The attack exists because it does not filter redirect_uri
in OAuth authorization request when handling custom parameters, causing an error response with the openid
scope and a prompt=none
value.