...

  • [Tim McCormack] Deployers must ensure that their JWT_PRIVATE_SIGNING_JWK Django setting in LMS contains the full complement of private key numbers.

    • In LMS, we are switching from the pyjwkest library to PyJWT for signing JWTs. (pyjwkest is now unmaintained.) However, PyJWT has stricter requirements for the private key in JWT_PRIVATE_SIGNING_JWK. Before you upgrade to Quince, you will need to update this key using the script at https://github.com/openedx/edx-platform/blob/master/scripts/jwk-precompute-params.py. This will ensure that your private key JSON contains the p, q, dp, dq, and qi params. Otherwise, JWT signing will fail, and users will be unable to log in.

    • This should be done while you are still running Palm, and should not have any visible effect at that time.

    • You may wish to compare the contents of the private key before and after running the script, and verify that the only changes it has made to the contents of the JSON are that the p, q, dp, dq, and qi params have been added. (Some or all may already have been present.)

    • This key must be handled very carefully. Anyone in possession of the key may impersonate users.

  • [Tim McCormack] Deployers must ensure that for all of their IDAs, any JWT_PUBLIC_SIGNING_JWK_SET Django setting does not contain whitespace inside of the Base64 strings of the encoded keys.

    • This is related to edx-drf-extensions now using PyJWT instead of pyjwkest, which is overly permissive of spaces inside Base64. 2U discovered that several of their IDA configurations had a JWT_PUBLIC_SIGNING_JWK_SET setting that inadvertently contained whitespace inside the large Base64 strings. Before upgrading to Quince, ensure that there are no linebreaks or other whitespace inside Base64 strings in the JWT key settings. Otherwise, IDAs will produce 'Incorrect padding' errors.

    • For examples of broken and working configs, see the edx-drf-extensions changelog for version 8.8.0; issue 346 has more detailed technical information.

  • [Awais Qureshi] django-storages has been upgraded to the latest version, which has some breaking changes.

    • The constructor kwarg bucket is no longer accepted. Instead, use bucket_name.

    • Define the default_acl value explicitly as a constructor kwarg, e.g. default_acl: public-read. In previous versions django-storages provided public-read as the default value, but now it is None. So it's important to set it explicitly as per your use case.

  • [Awais Qureshi] For Django 4.2, CSRF_TRUSTED_ORIGINS entries must include the scheme. Update all URLs there with schemes, e.g. .edx.org changes to https://*.edx.org.
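
For the two JWT items above, a pre-upgrade check can confirm that a private JWK carries p, q, dp, dq and qi with values consistent with n and d, and can locate whitespace inside Base64 strings of a public JWK set. This is an added example, not part of the Open edX scripts; the function names and toy key are constructed, and it assumes the private JWK has been parsed into a dict and the public setting is JSON text with a top-level keys list.

```python
import base64
import json

CRT_PARAMS = ("p", "q", "dp", "dq", "qi")
B64_FIELDS = ("n", "e", "d") + CRT_PARAMS

# Constructed toy key (p=61, q=53), far too small for real use.
TOY_JWK = {"kty": "RSA", "n": "DKE", "e": "EQ", "d": "CsE",
           "p": "PQ", "q": "NQ", "dp": "NQ", "dq": "MQ", "qi": "Jg"}


def _b64u_to_int(value):
    """Decode an unpadded base64url JWK number to an int."""
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    return int.from_bytes(raw, "big")


def check_private_jwk(jwk):
    """Return a list of problem descriptions; key material is never echoed."""
    missing = [k for k in CRT_PARAMS if k not in jwk]
    if missing:
        return ["missing params: " + ", ".join(missing)]
    n, e, d, p, q, dp, dq, qi = (_b64u_to_int(jwk[k]) for k in B64_FIELDS)
    problems = []
    if p * q != n:
        problems.append("p*q != n")
    if dp != d % (p - 1):
        problems.append("dp != d mod (p-1)")
    if dq != d % (q - 1):
        problems.append("dq != d mod (q-1)")
    if (qi * q) % p != 1:
        problems.append("qi is not the inverse of q mod p")
    return problems


def whitespace_fields(jwk_set_json):
    """Return (key index, field) pairs whose Base64 string holds whitespace."""
    # strict=False lets json accept raw linebreaks inside strings so they
    # are reported here instead of failing at parse time.
    keys = json.loads(jwk_set_json, strict=False).get("keys", [])
    return [(i, f) for i, key in enumerate(keys) for f in B64_FIELDS
            if f in key and any(c.isspace() for c in key[f])]


if __name__ == "__main__":
    print(check_private_jwk(TOY_JWK))
    print(whitespace_fields('{"keys": [{"kty": "RSA", "n": "DK E", "e": "EQ"}]}'))
```

Run it where the key already lives and review only the returned problem list, so the private key is not copied into logs or tickets.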

...