Versions Compared

Version Old Version 4 New Version Current
Changes made by

Robert Raposa

Robert Raposa

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

So you want to touch JWTs? may be useful for anyone working on any of these challenges.

Also see details about the potential funded contribution FC-18 here, labelled as

Status
colourGreen
titleIn FC-18
below.

Easier to use

These changes should make authentication easier to use for engineers.

  • Status
    colourBlue
    titleIn Progress
    Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-1218

    • A fresh ticket is probably in order here. I’m not clear on the final proposed solution, and where we need monitoring along the way, but this definitely adds complexity to our authentication, and I think there is a simpler way.

    • Jira Legacy
      serverSystem JIRA
      serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
      keyARCHBOM-1181
      (“unfinished”)

      • Not sure if this has any additional useful context, or is redundant and should be forgotten.

  • Status
    colourGreen
    titleIn FC-18
    Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-107

    • AUTHENTICATION_CLASSES is a default setting for DRF endpoints.

    • This would enable the use of JwtAuthentication from most edx-platform DRF endpoints.

    • DRF endpoints that override the default should be reviewed to see if the override can be deleted, once there is a sane default.

    • Order is an open question: JwtAuthentication before or after SessionAuthentication?

      • Unfortunately, due to differences noted in DEPR(#165), order matters.

      • Also, order matters until ARCHBOM-1218 is implemented.

    • For rollout, propose to add a custom version of BasicAuthentication in edx-platform that adds some monitoring to see how and if it is used in Production.

      • It would be good to drop BasicAuthentication from the defaults if we don’t actually want it.

  • Jira Legacystatus
    servercolourSystem JIRAGreen
    serverIdtitle13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-1218

    A fresh ticket is probably in order here. I’m not clear on the final proposed solution, and where we need monitoring along the way, but this definitely adds complexity to our authentication, and I think there is a simpler way.

    In FC-18
    https://github.com/openedx/edx-drf-extensions/issues/332

  • Status
    colourGreen
    titleIn FC-18
    Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-

    1181

    1183
    (“unfinished”)

    • Not sure if this has any additional useful context, or is redundant and should be forgotten.

  • https://github.com/openedx/edxpublic-drf-extensionsengineering/issues/332165

    • This may be complicated without further product input, but maybe the solution can be readied regardless.

  • https://github.com/openedx/edx-drf-extensions/issues/328

  • https://github.com/openedx/public-engineering/issues/165

  • Jira LegacyserverSystem JIRAserverId13fd1930-5608-3aac-a5dd-21b934d3a4b4keyARCHBOM-1183 (

  • “unfinished”)

    Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-1074
    (“unfinished”)

  • Adding an endpoint to LMS to expose the public signing keys. (Unticketed)

    • This would simplify key rotation. It came up at 2U for non-Open edX platform applications that may use the JWT cookie for SSO.

...

These changes should simplify authentication, which may affect engineers in certain cases, but possibly not as directly as the “Easier to use” category.

Authorization

The following tickets may be authorization related, and not really authentication related.

  • Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-1170
    (“unfinished”)

    • This is unblocked, because we no longer return expired JWTs for restricted applications.

  • Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-1162
    (“unfinished”)

    • Note: The code has since been updated to use, but override, the shared JwtAuthentication class to update global staff role during login.

Observability

Changes that might help with observability while monitoring other fixes. These should be kept in mind as we consider other dangerous changes that we with to monitor.

  • Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-545
    (“unfinished”)

    • I have since realized that MonitoringCustomMetricsMiddleware isn’t deployed by enough services, so might be better to just keep calling set_custom_attribute and hopefully the final call wins.

  • Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-142
    (“unfinished”)

  • Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-158
    (“unfinished”)

  • (Unticketed) It would be nice to have a failed_jwt_unauthenticated_user_id to know who may have been trying to authenticate.

Bugs?

  • Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-2028

  • Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-2031

  • Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-1262
    (“unfinished”)

  • Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-543
    (“unfinished”)

    • It is possible this may pass now that we are using a different library under the covers?

  • Jira Legacy
    serverSystem JIRA
    serverId13fd1930-5608-3aac-a5dd-21b934d3a4b4
    keyARCHBOM-1152

...