diff --git a/Gemfile b/Gemfile
index 722324d812e281fb7557fe15a2ddac7b2317bbf5..ed547ada1e3e60c8eed6cc46a80e7da916e8e6ea 100644
--- a/Gemfile
+++ b/Gemfile
@@ -56,7 +56,7 @@ gem 'omniauth-authentiq', '~> 0.3.3'
 gem 'gitlab-omniauth-openid-connect', '~> 0.9.0', require: 'omniauth_openid_connect'
 gem 'omniauth-salesforce', '~> 1.0.5'
 gem 'omniauth-atlassian-oauth2', '~> 0.2.0'
-gem 'rack-oauth2', '~> 1.19.0'
+gem 'rack-oauth2', '~> 1.21.2'
 gem 'jwt', '~> 2.1.0'
 
 # Kerberos authentication. EE-only
diff --git a/Gemfile.lock b/Gemfile.lock
index 379f4a5d1cf49f752b9fe089c908df243d2d5ea6..96d07d3f2dc190c8a8df035be58e1b65e148b4ca 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1016,7 +1016,7 @@ GEM
       rack (>= 1.0, < 3)
     rack-cors (1.1.1)
       rack (>= 2.0.0)
-    rack-oauth2 (1.19.0)
+    rack-oauth2 (1.21.2)
       activesupport
       attr_required
       httpclient
@@ -1671,7 +1671,7 @@ DEPENDENCIES
   rack (~> 2.2.4)
   rack-attack (~> 6.6.0)
   rack-cors (~> 1.1.0)
-  rack-oauth2 (~> 1.19.0)
+  rack-oauth2 (~> 1.21.2)
   rack-proxy (~> 0.7.2)
   rack-timeout (~> 0.6.0)
   rails (~> 6.1.4.7)