Open robrap opened 1 year ago
Note: This should move to "Removing" once accepted, since this work is in-progress.
A main part of this is complete. I updated the task list in the PR description regarding the long tail.
Update: I'm working on the next task, trying to get services upgraded. Unfortunately this uncovered an issue that arose in one service (2U-specific), and we've ticketed and will look into this. Private ticket link.
@robrap the internal ticket has been moved to Done.
Update: This ticket is mostly unblocked and the task list in this ticket has been updated to reflect next steps.
UPDATE: After learning that you cannot drop use-jwt-cookie from CORS_ALLOW_HEADERS in any backend before all the frontends stop sending this header, the rest of this removal got more complicated. The PR description task list has been updated appropriately. I'm not sure when and if this work will proceed.
Proposal Date
2023-08-14
Target Ticket Acceptance Date
2023-08-18
Earliest Open edX Named Release Without This Functionality
Quince - 2023-10
Rationale
The USE-JWT-COOKIE header was used by MFEs to inform backends when JWT cookies should be used. It has some complexities as detailed in the following ADR proposing its removal. See docs/decisions/0002-remove-use-jwt-cookie-header.rst in https://github.com/openedx/edx-drf-extensions/pull/197 (which hasn't merged as of this initial ticket write-up).
The complexity causes confusion, and we'd like to simplify that.
Removal
This PR introduces the replacement and ability to disable the old behavior:
This ticket details some of the follow-up cleanup work for full removal:
Replacement
The PR https://github.com/openedx/edx-drf-extensions/pull/197 also introduces the replacement, which is something called "forgiving JWT cookies", where we accept JWT cookies on all requests (not just those with a special header), but if it fails authentication, we allow the endpoint to try other forms of authentication before giving up.
Deprecation
No response
Migration
No response
Additional Info
No response
Task list
Note: To make life simpler for me (@robrap), I left searches for org openedx and edx together on this ticket.
USE-JWT-COOKIE
from edx-drf-extensions: https://github.com/edx/edx-arch-experiments/issues/429
CORS_ALLOW_HEADERS
in order to not break the caller.
USE-JWT-COOKIE
header.
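
The following is an added sketch contrasting the header-gated behavior with the "forgiving JWT cookies" replacement described under Replacement. It is not code from edx-drf-extensions; the toy token format, the cookie name `jwt`, the request dictionaries and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed value, used only by this example

class AuthenticationFailed(Exception):
    """Raising this ends the authentication chain and the request is rejected."""

def sign(user):
    """Toy 'user.mac' token standing in for a real JWT (assumption)."""
    return f"{user}." + hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

def verify(token):
    """Return the user named in the token, or raise if the MAC does not match."""
    user = token.rpartition(".")[0]
    if not user or not hmac.compare_digest(sign(user).encode(), token.encode()):
        raise AuthenticationFailed("invalid JWT cookie")
    return user

def header_gated_jwt(request):
    """Old behavior: the cookie is considered only when the header is sent."""
    # Header names are stored lowercase in these constructed requests.
    if "use-jwt-cookie" not in request["headers"] or "jwt" not in request["cookies"]:
        return None  # not attempted; the next authenticator runs
    return verify(request["cookies"]["jwt"])  # a failure here ends the chain

def forgiving_jwt(request):
    """Replacement: try the cookie on every request, step aside if it fails."""
    if "jwt" not in request["cookies"]:
        return None
    try:
        return verify(request["cookies"]["jwt"])
    except AuthenticationFailed:
        return None  # let the other forms of authentication try

def session_auth(request):
    """Hypothetical second authenticator: trusts a pre-resolved session user."""
    return request.get("session_user")

def authenticate(request, authenticators):
    """First authenticator to return a user wins; None means 'try the next'."""
    for auth in authenticators:
        user = auth(request)
        if user is not None:
            return user
    return None
```

With a stale cookie and a valid session, the header-gated chain rejects the request while the forgiving chain falls through to the session; a request whose every authenticator returns `None` is still unauthenticated.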