docs: fix restricted app adr status (#30677)

The decision to provide Restricted Applications expired
JWTs was superseded by another ADR. This commit simply
adds clarity around that change.

Co-authored-by: Phillip Shiu <pshiu@users.noreply.github.com>
Robert Raposa
2022-07-20 17:02:33 -04:00
committed by GitHub
parent ebf257813b
commit 49dcb68a5e


@@ -4,7 +4,9 @@
Status
------
Accepted
Partially Replaced (see ADR `Enforce Scopes in LMS APIs`_)
.. _Enforce Scopes in LMS APIs: https://github.com/openedx/edx-platform/blob/master/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0006-enforce-scopes-in-LMS-APIs.rst#3-restricted-applications-receive-unexpired-jwts-signed-with-a-new-key
Context
-------
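
Review bot: The hyperlink target on the `.. _Enforce Scopes in LMS APIs:` line points at the `master` branch and at a heading anchor (`#3-restricted-applications-receive-unexpired-jwts-signed-with-a-new-key`), so it will stop resolving if ADR 0006 is moved or that heading is reworded. Consider a commit permalink, or drop the fragment and cite the decision number in the text. Also confirm the Status section ends up with a single value: `Accepted` and `Partially Replaced (...)` both appear here, and a reader should not have to guess which one is current.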
@@ -38,6 +40,9 @@ Although these applications can still request access tokens via the usual
Authorization Code grant protocol, issue them only **expired** access tokens
so they cannot make unauthorized calls to our API endpoints.
.. note::
Although we still use the new model for "Restricted Applications", the decision to use **expired** access tokens has been superseded by ADR `Enforce Scopes in LMS APIs`_. That ADR specifies a different method to restrict "Restricted Applications" from accessing API endpoints that have not implemented Scopes.
Consequences
------------
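
Review bot: The added `.. note::` says the superseding ADR "specifies a different method" but does not name it, which leaves the security-relevant detail (how Restricted Applications are now kept away from endpoints without Scopes) one click away. The link target added in the first hunk suggests the replacement is unexpired JWTs signed with a new key; stating that in one clause here would make the note self-sufficient. The note also sits after the paragraph that still instructs "issue them only **expired** access tokens", so consider moving it above that paragraph or marking the paragraph itself as superseded, so nobody reads the old control as current.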