Support DEPR of USE-JWT-COOKIE with forgiving JWTs #429
Comments
robrap added a commit to openedx/edx-platform that referenced this issue on Nov 27, 2023:
edx-drf-extensions 9.0.0 requires VERIFY_LMS_USER_ID_PROPERTY_NAME to be properly set in LMS to get the appropriate verification when forgiving JWTs is enabled (which will soon be by default). See openedx/edx-drf-extensions#408 for details.
This is part of: edx/edx-arch-experiments#429
robrap added a commit to openedx/edx-platform that referenced this issue on Nov 27, 2023:
Upgrade edx-drf-extensions 9.0.0
Commit generated by workflow `openedx/edx-platform/.github/workflows/upgrade-one-python-dependency.yml@refs/heads/master`
edx-drf-extensions 9.0.0 requires VERIFY_LMS_USER_ID_PROPERTY_NAME to be properly set in LMS to get the appropriate verification when forgiving JWTs is enabled (which will soon be by default). See openedx/edx-drf-extensions#408 for details.
This is part of: edx/edx-arch-experiments#429
Co-authored-by: robrap <[email protected]>
robrap added a commit to robrap/ecommerce that referenced this issue on Nov 27, 2023:
9.0.0 fixes ENABLE_FORGIVING_JWT_COOKIES bug. The JWT's LMS user id will now be compared to the user object's lms_user_id, rather than to its id. For details, see: openedx/edx-drf-extensions#408
Note that this won't be put into effect until ENABLE_FORGIVING_JWT_COOKIES is toggled on separately. Also, although this is a major upgrade, it only caused a backward-incompatible issue in edx-platform. There are no other changes required for ecommerce.
This is part of the rollout of: edx/edx-arch-experiments#429
robrap added a commit to robrap/ecommerce that referenced this issue on Nov 28, 2023:
9.0.0 fixes ENABLE_FORGIVING_JWT_COOKIES bug. The JWT's LMS user id will now be compared to the user object's lms_user_id, rather than to its id. For details, see: openedx/edx-drf-extensions#408
Note that this won't be put into effect until ENABLE_FORGIVING_JWT_COOKIES is toggled on separately. Also, although this is a major upgrade, it only caused a backward-incompatible issue in edx-platform. There are no other changes required for ecommerce.
This is part of the rollout of: edx/edx-arch-experiments#429
christopappas pushed a commit to openedx-unsupported/ecommerce that referenced this issue on Nov 28, 2023:
9.0.0 fixes ENABLE_FORGIVING_JWT_COOKIES bug. The JWT's LMS user id will now be compared to the user object's lms_user_id, rather than to its id. For details, see: openedx/edx-drf-extensions#408
Note that this won't be put into effect until ENABLE_FORGIVING_JWT_COOKIES is toggled on separately. Also, although this is a major upgrade, it only caused a backward-incompatible issue in edx-platform. There are no other changes required for ecommerce.
This is part of the rollout of: edx/edx-arch-experiments#429
christopappas pushed a commit to openedx-unsupported/ecommerce that referenced this issue on Dec 4, 2023:
9.0.0 fixes ENABLE_FORGIVING_JWT_COOKIES bug. The JWT's LMS user id will now be compared to the user object's lms_user_id, rather than to its id. For details, see: openedx/edx-drf-extensions#408
Note that this won't be put into effect until ENABLE_FORGIVING_JWT_COOKIES is toggled on separately. Also, although this is a major upgrade, it only caused a backward-incompatible issue in edx-platform. There are no other changes required for ecommerce.
This is part of the rollout of: edx/edx-arch-experiments#429
robrap added a commit to openedx/edx-drf-extensions that referenced this issue on Dec 5, 2023:
- Fixed bug for successful JWTs where the JWT user id was still using the service user id, rather than the LMS user id, so comparison against the LMS user id would fail.
- As part of the bug fix, the custom attribute ``failed_jwt_cookie_user_id`` was renamed to ``jwt_cookie_lms_user_id``, and will be set for all JWT cookies. Since this is only a breaking change for recently added monitoring, this won't be versioned as a breaking change.
This is part of: edx/edx-arch-experiments#429
robrap added a commit to openedx/edx-drf-extensions that referenced this issue on Dec 6, 2023:
- Fixed bug for successful JWTs where the JWT user id was still using the service user id, rather than the LMS user id, so comparison against the LMS user id would fail.
- As part of the bug fix, the custom attribute ``failed_jwt_cookie_user_id`` was renamed to ``jwt_cookie_lms_user_id``, and will be set for all JWT cookies. Since this is only a breaking change for recently added monitoring, this won't be versioned as a breaking change.
This is part of: edx/edx-arch-experiments#429
robrap added a commit to openedx/edx-drf-extensions that referenced this issue on Dec 6, 2023:
- Fixed bug for successful JWTs where the JWT user id was still using the service user id, rather than the LMS user id, so comparison against the LMS user id would fail.
- As part of the bug fix, the custom attribute ``failed_jwt_cookie_user_id`` was renamed to ``jwt_cookie_lms_user_id``, and will be set for all JWT cookies. Since this is only a breaking change for recently added monitoring, this won't be versioned as a breaking change.
This is part of: edx/edx-arch-experiments#429
robrap added a commit to robrap/ecommerce that referenced this issue on Dec 6, 2023:
9.0.1 fixes ENABLE_FORGIVING_JWT_COOKIES bug. This builds on the 9.0.0 fix, but applies the fix to another place where the JWT's LMS user id will be compared in place of the newly authenticated service user's id. For details, see: openedx/edx-drf-extensions#414
Note that this won't be put into effect until ENABLE_FORGIVING_JWT_COOKIES is toggled on separately.
This is part of the rollout of: edx/edx-arch-experiments#429
christopappas pushed a commit to openedx-unsupported/ecommerce that referenced this issue on Dec 6, 2023:
9.0.1 fixes ENABLE_FORGIVING_JWT_COOKIES bug. This builds on the 9.0.0 fix, but applies the fix to another place where the JWT's LMS user id will be compared in place of the newly authenticated service user's id. For details, see: openedx/edx-drf-extensions#414
Note that this won't be put into effect until ENABLE_FORGIVING_JWT_COOKIES is toggled on separately.
This is part of the rollout of: edx/edx-arch-experiments#429
robrap added a commit to openedx/edx-drf-extensions that referenced this issue on Jan 3, 2024:
Simplified JWT cookie vs session user check by checking username instead of lms user id.
- Removed ``VERIFY_LMS_USER_ID_PROPERTY_NAME``, which is no longer needed.
- Removed custom attribute ``jwt_auth_get_lms_user_id_status``, since we no longer attempt to get the lms_user_id from the user object.
- Renames custom attribute ``jwt_auth_mismatch_session_lms_user_id`` to ``jwt_auth_mismatch_session_username``.
- Adds custom attribute ``jwt_auth_mismatch_jwt_cookie_username``.
- Adds custom attribute ``jwt_cookie_unsafe_decode_issue`` for when a JWT cookie cannot even be unsafely decoded.
Part of edx/edx-arch-experiments#429
robrap added a commit to openedx/edx-drf-extensions that referenced this issue on Jan 3, 2024:
Simplified JWT cookie vs session user check by checking username instead of lms user id.
- Removed ``VERIFY_LMS_USER_ID_PROPERTY_NAME``, which is no longer needed.
- Removed custom attribute ``jwt_auth_get_lms_user_id_status``, since we no longer attempt to get the lms_user_id from the user object.
- Renames custom attribute ``jwt_auth_mismatch_session_lms_user_id`` to ``jwt_auth_mismatch_session_username``.
- Adds custom attribute ``jwt_auth_mismatch_jwt_cookie_username``.
- Adds custom attribute ``jwt_cookie_unsafe_decode_issue`` for when a JWT cookie cannot even be unsafely decoded.
Part of edx/edx-arch-experiments#429
robrap added a commit to robrap/ecommerce that referenced this issue on Jan 4, 2024:
9.1.0 refactors ENABLE_FORGIVING_JWT_COOKIES to use username match to compare the session user with the JWT cookie user. For details, see: openedx/edx-drf-extensions#422
This is part of the rollout of: edx/edx-arch-experiments#429
robrap added a commit to openedx/edx-drf-extensions that referenced this issue on Jan 4, 2024:
Simplified JWT cookie vs session user check by checking username instead of lms user id.
- Removed ``VERIFY_LMS_USER_ID_PROPERTY_NAME``, which is no longer needed.
- Removed custom attribute ``jwt_auth_get_lms_user_id_status``, since we no longer attempt to get the lms_user_id from the user object.
- Renames custom attribute ``jwt_auth_mismatch_session_lms_user_id`` to ``jwt_auth_mismatch_session_username``.
- Adds custom attribute ``jwt_auth_mismatch_jwt_cookie_username``.
- Adds custom attribute ``jwt_cookie_unsafe_decode_issue`` for when a JWT cookie cannot even be unsafely decoded.
Part of edx/edx-arch-experiments#429
christopappas pushed a commit to openedx-unsupported/ecommerce that referenced this issue on Jan 4, 2024:
* feat: upgrade edx-drf-extensions to 9.1.0
9.1.0 refactors ENABLE_FORGIVING_JWT_COOKIES to use username match to compare the session user with the JWT cookie user. For details, see: openedx/edx-drf-extensions#422
This is part of the rollout of: edx/edx-arch-experiments#429
* fix: update comments for social-auth-app-django
Updating dependencies brought in missing comment about social-auth-app-django, which is now in constraints.txt.
robrap added a commit to openedx/edx-drf-extensions that referenced this issue on Jan 5, 2024:
The fix was to use `preferred_username` in place of `username`. This also fixes/updates some tests for updated custom attributes.
Squashed commit message below:
------------------------------
Restores and fixes simplified JWT cookie vs session user check by checking username instead of lms user id (originally introduced in 9.1.0, and removed in 9.1.1).
- Removed ``VERIFY_LMS_USER_ID_PROPERTY_NAME``, which is no longer needed.
- Removed custom attribute ``jwt_auth_get_lms_user_id_status``, since we no longer attempt to get the lms_user_id from the user object.
- Renames custom attribute ``jwt_auth_mismatch_session_lms_user_id`` to ``jwt_auth_mismatch_session_username``.
- Adds custom attribute ``jwt_auth_mismatch_jwt_cookie_username``.
- Adds custom attribute ``jwt_cookie_unsafe_decode_issue`` for when a JWT cookie cannot even be unsafely decoded.
- Fixes mock JWT creation for tests to use ``preferred_username``, which is configured in each Open edX service.
Part of edx/edx-arch-experiments#429
robrap added a commit to openedx/edx-drf-extensions that referenced this issue on Jan 8, 2024:
Restores and fixes simplified JWT cookie vs session user check by checking username instead of lms user id (originally introduced in 9.1.0, and removed in 9.1.1).
- Removed ``VERIFY_LMS_USER_ID_PROPERTY_NAME``, which is no longer needed.
- Removed custom attribute ``jwt_auth_get_lms_user_id_status``, since we no longer attempt to get the lms_user_id from the user object.
- Renames custom attribute ``jwt_auth_mismatch_session_lms_user_id`` to ``jwt_auth_mismatch_session_username``.
- Adds custom attribute ``jwt_auth_mismatch_jwt_cookie_username``.
- Adds custom attribute ``jwt_cookie_unsafe_decode_issue`` for when a JWT cookie cannot even be unsafely decoded.
- Fixes mock JWT creation for tests to use ``preferred_username``, which is configured in each Open edX service.
Part of edx/edx-arch-experiments#429
robrap added a commit to robrap/ecommerce that referenced this issue on Jan 8, 2024:
9.1.2 refactors ENABLE_FORGIVING_JWT_COOKIES to use username match to compare the session user with the JWT cookie user. For details, see: openedx/edx-drf-extensions#425
This is part of the rollout of: edx/edx-arch-experiments#429
christopappas pushed a commit to openedx-unsupported/ecommerce that referenced this issue on Jan 9, 2024:
9.1.2 refactors ENABLE_FORGIVING_JWT_COOKIES to use username match to compare the session user with the JWT cookie user. For details, see: openedx/edx-drf-extensions#425
This is part of the rollout of: edx/edx-arch-experiments#429
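The commits above describe two generations of the "is the JWT cookie user the same person as the session user" check: the 9.0.x version compares the JWT's LMS user id with the service user's LMS user id (the 9.0.0 bug was comparing it with the service-local user id instead, which differs in a service such as ecommerce), and the 9.1.x version compares the session username with the JWT's `preferred_username` claim, read by decoding the cookie without verifying its signature, and records the named custom attributes when the two disagree or the cookie cannot be decoded at all. The following is an added Python example written for this page to make that logic concrete; it is not code from edx-drf-extensions, edx-platform or ecommerce. Assumed, not taken from the page: the claim names `user_id` and `preferred_username`, all function names, a plain dict standing in for monitoring custom attributes, and the constructed sample JWTs. What the real library does after a mismatch is not shown on this page and is not asserted here.

```python
"""Session-user vs JWT-cookie-user consistency check (illustrative, added here;
not code from edx-drf-extensions or the Open edX services named on this page)."""
import base64
import json
from types import SimpleNamespace


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_test_jwt(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature.

    Constructed test input only: the checks below never verify the signature,
    and a real JWT cookie would be signed by the issuing LMS.
    """
    header = _b64url(json.dumps({"alg": "RS512", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def unsafe_decode_jwt(token: str) -> dict:
    """Read the JWT payload WITHOUT verifying the signature.

    The returned claims are untrusted: use them only for monitoring or for a
    consistency check against a session that was already authenticated by
    other means, never to grant access. Raises ValueError for anything that is
    not a decodable JWS compact serialization (binascii.Error and
    json.JSONDecodeError are both ValueError subclasses).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def lms_user_id_matches(jwt_claims: dict, user, lms_user_id_property: str = "lms_user_id"):
    """9.0.x-style check: the JWT's LMS user id vs the service user's LMS user id.

    ``lms_user_id_property`` stands in for VERIFY_LMS_USER_ID_PROPERTY_NAME
    (an assumption of this example). Returns None when the user object has no
    such property (cannot verify), otherwise True/False. Comparing against
    ``user.id`` instead would reproduce the 9.0.0 bug: in a service such as
    ecommerce that id is service-local and generally differs from the LMS id.
    The ``user_id`` claim name is assumed here.
    """
    local_lms_user_id = getattr(user, lms_user_id_property, None)
    if local_lms_user_id is None:
        return None
    return jwt_claims.get("user_id") == local_lms_user_id


def check_session_vs_jwt_cookie(session_username, jwt_cookie, custom_attrs: dict) -> bool:
    """9.1.x-style check: session username vs the JWT cookie's preferred_username.

    Returns True when there is no JWT cookie or the usernames match, False on a
    mismatch or an undecodable cookie. ``custom_attrs`` (a plain dict here,
    standing in for monitoring custom attributes) receives the attribute names
    used in the commit messages so that mismatches can be observed.
    """
    if not jwt_cookie:
        return True
    try:
        claims = unsafe_decode_jwt(jwt_cookie)
    except ValueError as exc:
        custom_attrs["jwt_cookie_unsafe_decode_issue"] = type(exc).__name__
        return False
    jwt_username = claims.get("preferred_username")
    if jwt_username == session_username:
        return True
    custom_attrs["jwt_auth_mismatch_session_username"] = session_username
    custom_attrs["jwt_auth_mismatch_jwt_cookie_username"] = jwt_username
    return False


if __name__ == "__main__":
    # Constructed sample data: an ecommerce-style user whose local id (7)
    # differs from the LMS user id (42) carried in the JWT.
    ecommerce_user = SimpleNamespace(id=7, lms_user_id=42, username="alice")
    claims = {"user_id": 42, "preferred_username": "alice"}
    print("lms id check:", lms_user_id_matches(claims, ecommerce_user))
    print("buggy id check:", claims["user_id"] == ecommerce_user.id)
    for session_user, cookie in [("alice", make_test_jwt(claims)),
                                 ("bob", make_test_jwt(claims)),
                                 ("alice", "not-a-jwt")]:
        attrs = {}
        ok = check_session_vs_jwt_cookie(session_user, cookie, attrs)
        print(session_user, "->", ok, attrs)
```

The username-based variant removes the per-service dependency on knowing where the LMS user id lives on the local user model, which is what the VERIFY_LMS_USER_ID_PROPERTY_NAME setting existed to configure. Note that the unsafe decode is deliberately limited to producing a comparison value and monitoring attributes; it must not be the step that establishes the user's identity.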
This is to support Axim in rolling out forgiving JWTs.
See https://2u-internal.atlassian.net/wiki/spaces/AT/pages/561872906/Deployment+Plan+for+DEPR+of+USE-JWT-COOKIE+using+forgiving+JWTs