[DEPR]: USE-JWT-COOKIE header

[robrap]

Proposal Date

2023-08-14

Target Ticket Acceptance Date

2023-08-18

Earliest Open edX Named Release Without This Functionality

Quince - 2023-10

Rationale

The USE-JWT-COOKIE header was used by MFE's to inform backends when JWT cookies should be used. It has some complexities as detailed in the following ADR proposing its removal. See docs/decisions/0002-remove-use-jwt-cookie-header.rst in https://github.com/openedx/edx-drf-extensions/pull/197 (which hasn't merged as-of this initial ticket write up).

The complexity causes confusion, and we'd like to simplify that.

Removal

This PR introduces the replacement and ability to disable the old behavior:

• https://github.com/openedx/edx-drf-extensions/pull/197

This ticket details some of the follow-up cleanup work for full removal:

• https://github.com/openedx/edx-drf-extensions/issues/365

Replacement

The PR https://github.com/openedx/edx-drf-extensions/pull/197 also introduces the replacement, which is something called "forgiving JWT cookies", where we accept JWT cookies on all requests (not just those with a special header), but if it fails authentication, we allow the endpoint to try other forms of authentication before giving up.

Deprecation

No response

Migration

No response

Additional Info

No response

Task list

Note: To make life simpler for me (@robrap), I left searches for org openedx and edx together on this ticket.

• [x] Remove USE-JWT-COOKIE from edx-drf-extensions: https://github.com/edx/edx-arch-experiments/issues/429
• [X] Clean-up uses of ENABLE_FORGIVING_JWT_COOKIES.
• [ ] Add observability to all backends showing requests with USE-JWT-COOKIE header.
  • [ ] Ensure every backend is showing some traffic with the header, to be confident that when it disappears, it is not just due to invalid observability.
  • Note: Even thought the header is unused, all usage must stop before the backends can remove it from CORS_ALLOW_HEADERS in order to not break the caller.
• [ ] Stop sending header from all front-ends.
  • [ ] JavaScript updates for USE-JWT
    • [X] Practically all backends were updated with edx-drf-extensions>=10.2.0, so no longer require this header
    • See edx.org tracking spreadsheet for details per service.
    • [ ] [proposal] Add a frontend toggle to disable per MFE, at least for initial rollout across 1 or 2 MFEs.
    • [ ] Remove toggle and header for good.
    • This will be a breaking-change major version and should be commented that it will only work on services using edx-drf-extensions>=10.2.0.
  • [ ] Fix any other frontends sending the header, as detected by new observability in backends.
  • This could require a long wait even after all is fixed, because the JS in the wild needs to all be retired.
• [ ] Update backends that are no longer detecting the header.
  • [ ] Python updates for USE-JWT:
  • [ ] Remove all matches (any file type) from any backend repo where edx-drf-extensions== is 10.2.0+. Otherwise, for rare exceptions, add appropriate comments. See edx.org tracking spreadsheet.
  • There are many repos, so not adding them individually here.
  • See PRs merged and reverted, because this change was made before stopping header in callers.
  • [X] RST updates for USE-JWT, as needed.
  • [X] Remaining edx.org work moved to https://github.com/edx/edx-arch-experiments/issues/726
  • [ ] Clean-up for USE_JWT
  • [ ] Fix edx-platform: https://github.com/openedx/edx-platform/pull/35401
  • [x] Fix enterprise-catalog: https://github.com/openedx/enterprise-catalog/pull/925
  • [X] Remaining edx.org work moved to https://github.com/edx/edx-arch-experiments/issues/726
• [ ] Remove observability forUSE-JWT-COOKIE header.
• [ ] Final review of remaining USE-JWT for all languages

[robrap]

Note: This should move to "Removing" once accepted, since this work is in-progress.

[robrap]

A main part of this is complete. I updated the task list in the PR description regarding the long tail.

[robrap]

Update: I'm working on the next task, trying to get services upgraded. Unfortunately this uncovered an issue that arose in one service (2U-specific), and we've ticketed and will look into this. Private ticket link.

[jristau1984]

@robrap the internal ticket has been moved to Done.

[robrap]

Update: This ticket is mostly unblocked and the task list in this ticket has been updated to reflect next steps.

[robrap]

UPDATE: After learning that you cannot drop use-jet-cookie from CORS_ALLOW_HEADERS in any backend before all the frontends stop sending this header, the rest of this removal got more complicated. The PR description task list has been updated appropriately. I'm not sure when and if this work will proceed.