Page Comparison

...

These changes should make authentication easier to use for engineers.

• Status
  colour Blue title In Progress

  Jira Legacy
  server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-1218

  • A fresh ticket is probably in order here. I’m not clear on the final proposed solution, and where we need monitoring along the way, but this definitely adds complexity to our authentication, and I think there is a simpler way.

  • Jira Legacy
    server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-1181

    (“unfinished”)

    • Not sure if this has any additional useful context, or is redundant and should be forgotten.

• Status
  colour Green title In FC-18

  Jira Legacy
  server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-107

  • AUTHENTICATION_CLASSES is a default setting for DRF endpoints.

  • This would enable the use of JwtAuthentication from most edx-platform DRF endpoints.

  • DRF endpoints that override the default should be reviewed to see if the override can be deleted, once there is a sane default.

  • Order is an open question: JwtAuthentication before or after SessionAuthentication?

    • Unfortunately, due to differences noted in DEPR(#165), order matters.

    • Also, order matters until ARCHBOM-1218 is implemented.

  • For rollout, propose to add a custom version of BasicAuthentication in edx-platform that adds some monitoring to see how and if it is used in Production.

    • It would be good to drop BasicAuthentication from the defaults if we don’t actually want it.

• Status
  colour BlueGreen title In Progress

  Jira Legacy
  server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-1218

• A fresh ticket is probably in order here. I’m not clear on the final proposed solution, and where we need monitoring along the way, but this definitely adds complexity to our authentication, and I think there is a simpler way.

FC-18

https://github.com/openedx/edx-drf-extensions/issues/332

• Status
  colour Green title In FC-18

  Jira Legacy
  server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-

  1181

  1183

  (“unfinished”)

  • Not sure if this has any additional useful context, or is redundant and should be forgotten.

  status

  colour	Green
  title	In FC-18

• https://github.com/openedx/edxpublic-drf-extensionsengineering/issues/332165

• https://github.com/openedx/edx-drf-extensions/issues/328https://github.com/openedx/public-engineering/issues/165

• Status
  colour Green title In FC-18

  Jira Legacy
  server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-1183

  (“unfinished”)

  Jira Legacy
  server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-1074

  (“unfinished”)

• Adding an endpoint to LMS to expose the public signing keys. (Unticketed)

  • This would simplify key rotation. It came up at 2U for non-Open edX platform applications that may use the JWT cookie for SSO.

...

• Status
  colour Green title In FC-18

  https://github.com/openedx/edx-drf-extensions/issues/333

  • New implementation ticket for https://github.com/openedx/public-engineering/issues/83

  • This would simplify authentication and maintenance, but wouldn’t necessarily add functionality.

• https://github.com/openedx/public-engineering/issues/190

• Status
  colour Green title In FC-18

  https://github.com/openedx/edx-drf-extensions/issues/327

• https://github.com/openedx/public-engineering/issues/189

  • Related: For some of the past removal work, the new api client wasn’t used, and instead a straight requests object was used and worked with the user’s JWT for service-to-service calls.

    • The intention was not to add this functionality to the new client, because it was thought that the client credentials token should be used instead.

    • If feels like we should have an ADR that clarifies what should be used where, and potentially enhances the client if we wish to allow for other ways of using it.

    • The client also provided shared observability, but that only works when it is used.

• https://github.com/openedx/edx-drf-extensions/issues/284

  • To be considered.

• https://github.com/openedx/public-engineering/issues/190

• https://github.com/openedx/public-engineering/issues/82

• Jira Legacy
  server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-1172

  (“unfinished”)

  • Probably requires working in Prospectus.

• Jira Legacy
  server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-1077

  (“unfinished”)

  • Related?

    Jira Legacy
    server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-1168

    (“unfinished”)

Authorization

The following tickets may be authorization related, and not really authentication related.

• Jira Legacy
  server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-1170

  (“unfinished”)

  • This is unblocked, because we no longer return expired JWTs for restricted applications.

• Jira Legacy
  server System JIRA serverId 13fd1930-5608-3aac-a5dd-21b934d3a4b4 key ARCHBOM-1162

  (“unfinished”)

  • Note: The code has since been updated to use, but override, the shared JwtAuthentication class to update global staff role during login.

Observability

Changes that might help with observability while monitoring other fixes. These should be kept in mind as we consider other dangerous changes that we with to monitor.

...