Merging to release-5.3: [TT-11426/TT-13322]add deprecation notice for oidc middleware (#6686)

buger commented 4 weeks ago

User description

[TT-11426/TT-13322]add deprecation notice for oidc middleware (#6686)

User description

Summary	Add warning message in GW logs, schema and go docs
Type	Sub-task
Status	In Dev
Points	N/A
Labels	QA_Fail

Description

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

[ ] Bug fix (non-breaking change which fixes an issue)
[ ] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to change)
[ ] Refactoring or add test (improvements in base code or adds test coverage to functionality)

Checklist

[ ] I ensured that the documentation is up to date
[ ] I explained why this PR updates go.mod in detail with reasoning why it's required
[ ] I would like a code coverage CI quality gate exception and have explained why

PR Type

documentation, enhancement

Description

Added deprecation notices for OpenID Connect middleware and OIDC authentication mode in code comments and documentation.
Introduced log warnings in the OpenID middleware to inform users of the deprecation.
Recommended using JSON Web Token (JWT) as an alternative to avoid disruptions.

Changes walkthrough 📝

Relevant files

Documentation

api_definitions.go `Add deprecation notice for OpenID Connect middleware` apidef/api_definitions.go Added deprecation notice for OpenID Connect middleware. Recommended using JSON Web Token (JWT) instead.	+3/-0
authentication.go `Add deprecation notice for OIDC authentication mode` apidef/oas/authentication.go Added deprecation notice for OIDC authentication mode. Recommended using JSON Web Token (JWT) instead.	+3/-0
x-tyk-api-gateway.json `Add deprecation notice for external OAuth Middleware` apidef/oas/schema/x-tyk-api-gateway.json Added deprecation notice for external OAuth Middleware. Recommended using JSON Web Token (JWT) instead.	+1/-0

Enhancement

mw_openid.go

Add log warning for
deprecated OpenID Connect Middleware

gateway/mw_openid.go

Added log warning for deprecated OpenID Connect Middleware.

Recommended using JSON Web Token (JWT) instead.

+4/-0

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

PR Type

Documentation, Enhancement

Description

Added deprecation notices for OpenID Connect middleware and OIDC authentication mode in code comments and documentation.
Introduced log warnings in the OpenID middleware to inform users of the deprecation.
Recommended using JSON Web Token (JWT) as an alternative to avoid disruptions.

Changes walkthrough 📝

Relevant files

Documentation

api_definitions.go `Add deprecation notice for OpenID Connect middleware` apidef/api_definitions.go Added deprecation notice for OpenID Connect middleware. Recommended using JSON Web Token (JWT) instead.	+3/-0
authentication.go `Add deprecation notice for OIDC authentication mode` apidef/oas/authentication.go Added deprecation notice for OIDC authentication mode. Recommended using JSON Web Token (JWT) instead.	+3/-0
x-tyk-api-gateway.json `Add deprecation notice for external OAuth Middleware` apidef/oas/schema/x-tyk-api-gateway.json Added deprecation notice for external OAuth Middleware. Recommended using JSON Web Token (JWT) instead.	+1/-0

Enhancement

mw_openid.go

Add log warning for deprecated OpenID Connect Middleware

gateway/mw_openid.go

Added log warning for deprecated OpenID Connect Middleware.

Recommended using JSON Web Token (JWT) instead.

+4/-0

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

github-actions[bot] commented 4 weeks ago

API Changes

--- prev.txt    2024-10-31 14:27:41.398260857 +0000
+++ current.txt 2024-10-31 14:27:38.490272916 +0000
@@ -1593,6 +1593,10 @@
    Providers         []OIDProviderConfig `bson:"providers" json:"providers"`
    SegregateByClient bool                `bson:"segregate_by_client" json:"segregate_by_client"`
 }
+    OpenID Connect middleware support will be deprecated
+    starting from 5.7.0. To avoid any disruptions, we recommend
+    that you use JSON Web Token (JWT) instead, as explained in
+    https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/.

 type PersistGraphQLMeta struct {
    Path      string                 `bson:"path" json:"path"`
@@ -3485,7 +3489,10 @@
    // Scopes contains the defined scope claims.
    Scopes *Scopes `bson:"scopes,omitempty" json:"scopes,omitempty"`
 }
-    OIDC contains configuration for the OIDC authentication mode.
+    OIDC contains configuration for the OIDC authentication mode. OIDC
+    support will be deprecated starting from 5.7.0. To avoid any disruptions,
+    we recommend that you use JSON Web Token (JWT) instead, as explained in
+    https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/.

 func (o *OIDC) ExtractTo(api *apidef.APIDefinition)
     ExtractTo extracts *OIDC to *apidef.APIDefinition.

github-actions[bot] commented 4 weeks ago

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

**🎫 Ticket compliance analysis ✅** **[6686](https://github.com/TykTechnologies/tyk/issues/6686) - Fully compliant** Fully compliant requirements: - Add warning message in GW logs, schema, and go docs for deprecating OIDC middleware. - Recommend using JSON Web Token (JWT) as an alternative.

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review

Deprecation Notice
Ensure the deprecation notice for OpenID Connect middleware is clear and provides all necessary information for migration to JWT. Deprecation Notice
Verify the deprecation notice for OIDC authentication mode is accurate and guides users effectively towards using JWT. Log Warning
Check the log warning for deprecated OpenID Connect Middleware to ensure it's triggered under the correct conditions and is informative. Schema Update
Confirm the schema update includes a clear deprecation notice for external OAuth Middleware and directs users appropriately to JWT.

github-actions[bot] commented 4 weeks ago

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Score
Possible issue	Add a return statement to halt further execution after a deprecation warning if OpenID Connect Middleware is enabled ___ Consider adding a return statement after logging the deprecation warning to prevent further execution when OpenID Connect Middleware is enabled. [gateway/mw_openid.go [34-36]](https://github.com/TykTechnologies/tyk/pull/6687/files#diff-a389c2a490b728d3bf6ed64f974b227117fb451aa2da8ce8df8c859e7cdc718aR34-R36) ```diff if k.Spec.UseOpenID { log.Warn("Support for OpenID Connect Middleware will be deprecated starting from 5.7.0. To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead, as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/") + return false } ``` Suggestion importance[1-10]: 8 Why: The suggestion to add a return statement after logging the deprecation warning is valid and impactful. It prevents further execution when OpenID Connect Middleware is enabled, aligning with the deprecation notice and encouraging users to switch to JWT, thus avoiding potential issues with deprecated functionality.	8