...
[Tim McCormack] Deployers must ensure that their JWT_PRIVATE_SIGNING_JWK Django setting in LMS contains the full complement of private key numbers.
In LMS, we are switching from the pyjwkest library to PyJWT for signing JWTs. (pyjwkest is now unmaintained.) However, PyJWT has stricter requirements for the private key in JWT_PRIVATE_SIGNING_JWK. Before you upgrade to Quince, you will need to update this key using the script at https://github.com/openedx/edx-platform/blob/master/scripts/jwk-precompute-params.py. This will ensure that your private key JSON contains the p, q, dp, dq, and qi params. Otherwise, JWT signing will fail, and users will be unable to log in.
This should be done while you are still running Palm, and should not have any visible effect at that time.
You may wish to compare the contents of the private key before and after running the script, and verify that the only changes it has made to the contents of the JSON are that the p, q, dp, dq, and qi params have been added. (Some or all may already have been present.)
This key must be handled very carefully. Anyone in possession of the key may impersonate users.
[Tim McCormack] Deployers must ensure that for all of their IDAs, any JWT_PUBLIC_SIGNING_JWK_SET Django setting does not contain whitespace inside of the Base64 strings of the encoded keys.
This is related to edx-drf-extensions now using PyJWT instead of pyjwkest, which is overly permissive of spaces inside Base64. 2U discovered that several of their IDA configurations had a JWT_PUBLIC_SIGNING_JWK_SET setting that inadvertently contained whitespace inside the large Base64 strings. Before upgrading to Quince, ensure that there are no linebreaks or other whitespace inside Base64 strings in the JWT key settings. Otherwise, IDAs will produce 'Incorrect padding' errors.
For examples of broken and working configs, see the edx-drf-extensions changelog for version 8.8.0; issue 346 has more detailed technical information.
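A pre-upgrade check for the two JWT key settings described above, as an added example that is not part of the release notes or of the jwk-precompute-params.py script. The function names and the toy key (p=61, q=53) are constructed for illustration, and the whitespace scan assumes RSA public keys with n and e fields.

```python
import base64
import json

CRT_PARAMS = ("p", "q", "dp", "dq", "qi")

def to_int(b64u):
    """Decode a base64url JWK number (JWKs omit the '=' padding)."""
    return int.from_bytes(base64.urlsafe_b64decode(b64u + "=" * (-len(b64u) % 4)), "big")

def to_b64u(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_private_jwk(before_json, after_json):
    """Return a list of problems, naming fields only and never key material."""
    before, after = json.loads(before_json), json.loads(after_json)
    # Only CRT params that were absent before may differ between the two files.
    problems = [f"unexpected change in {k!r}"
                for k in sorted(set(before) | set(after))
                if before.get(k) != after.get(k)
                and not (k in CRT_PARAMS and k not in before)]
    missing = [k for k in CRT_PARAMS if k not in after]
    if missing:
        return problems + ["missing: " + ", ".join(missing)]
    n, d = to_int(after["n"]), to_int(after["d"])
    p, q, dp, dq, qi = (to_int(after[k]) for k in CRT_PARAMS)
    if p * q != n or min(p, q) < 2:
        return problems + ["inconsistent: p*q == n"]
    checks = {"dp == d mod (p-1)": dp == d % (p - 1),
              "dq == d mod (q-1)": dq == d % (q - 1),
              "qi*q == 1 mod p": qi * q % p == 1}
    return problems + [f"inconsistent: {name}" for name, ok in checks.items() if not ok]

def whitespace_fields(jwk_set_json):
    """Return (kid, field) pairs in a public JWK set whose Base64 value has whitespace."""
    # strict=False lets json accept raw line breaks inside strings so they can be reported.
    keys = json.loads(jwk_set_json, strict=False)["keys"]
    return [(k.get("kid"), f) for k in keys for f in ("n", "e")
            if any(c.isspace() for c in k.get(f, ""))]

def toy_keys():
    """Constructed 12-bit RSA key (p=61, q=53), for demonstration only."""
    before = {"kty": "RSA", "kid": "demo", "n": to_b64u(3233), "e": to_b64u(17), "d": to_b64u(2753)}
    crt = dict(zip(CRT_PARAMS, map(to_b64u, (61, 53, 2753 % 60, 2753 % 52, pow(53, -1, 61)))))
    return json.dumps(before), json.dumps({**before, **crt})

if __name__ == "__main__":
    before, after = toy_keys()
    print(check_private_jwk(before, after))   # key as it should look after the script
    print(check_private_jwk(before, before))  # key that was never updated
    print(whitespace_fields('{"keys": [{"kty": "RSA", "kid": "demo", "n": "AQ AB", "e": "AQAB"}]}'))
```

Run it against copies of the real settings only on a host already trusted with the private key; the output lists field names and never prints key values.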
[Awais Qureshi] Django-storages has been upgraded to the latest version, which has some breaking changes.
The constructor kwarg bucket is no longer accepted. Instead, use bucket_name.
Define the default_acl value explicitly in the constructor kwargs, e.g. default_acl: public-read. In previous versions django-storages provided public-read as the default value, but now it is none. So it's important to set it explicitly as per your use case.
[Awais Qureshi] For Django 4.2, CSRF_TRUSTED_ORIGINS must include the scheme. Update all URLs there with schemes, e.g. edx.org changes to https://*.edx.org.
...