From 49dcb68a5e6978e29b4256e65c23fe5e2b9f3f6e Mon Sep 17 00:00:00 2001 From: Robert Raposa Date: Wed, 20 Jul 2022 17:02:33 -0400 Subject: [PATCH] docs: fix restricted app adr status (#30677) The decision to provide Restricted Applications expired JWTs was superseded by another ADR. This commit simply adds clarity around that change. Co-authored-by: Phillip Shiu --- .../docs/decisions/0005-restricted-application-for-SSO.rst | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0005-restricted-application-for-SSO.rst b/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0005-restricted-application-for-SSO.rst index d0ff2e2505..4a517de763 100644 --- a/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0005-restricted-application-for-SSO.rst +++ b/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0005-restricted-application-for-SSO.rst @@ -4,7 +4,9 @@ Status ------ -Accepted +Partially Replaced (see ADR `Enforce Scopes in LMS APIs`_) + +.. _Enforce Scopes in LMS APIs: https://github.com/openedx/edx-platform/blob/master/openedx/core/djangoapps/oauth_dispatch/docs/decisions/0006-enforce-scopes-in-LMS-APIs.rst#3-restricted-applications-receive-unexpired-jwts-signed-with-a-new-key Context ------- @@ -38,6 +40,9 @@ Although these applications can still request access tokens via the usual Authorization Code grant protocol, issue them only **expired** access tokens so they cannot make unauthorized calls to our API endpoints. +.. note:: + Although we still use the new model for "Restricted Applications", the decision to use **expired** access tokens has been superseded by ADR `Enforce Scopes in LMS APIs`_. That ADR specifies a different method to restrict "Restricted Applications" from accessing API endpoints that have not implemented Scopes. + Consequences ------------
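Review bot: In the first hunk, the new `Enforce Scopes in LMS APIs` hyperlink target points at an absolute `master` URL with a GitHub-generated heading slug (`#3-restricted-applications-receive-unexpired-jwts-signed-with-a-new-key`), which will silently resolve to the top of the page if that heading in `0006-enforce-scopes-in-LMS-APIs.rst` is ever reworded, and will not track a tagged or forked checkout of the repository. Since ADR 0006 lives in the same `decisions/` directory as this file, consider a relative reference (`0006-enforce-scopes-in-LMS-APIs.rst`) and naming the section in prose rather than depending on the slug, so the status pointer stays correct across branches. Also note that "Partially Replaced" is not one of the conventional ADR status values (Proposed, Accepted, Deprecated, Superseded); if the project's other ADRs use "Superseded", a wording such as "Superseded in part by ..." keeps the status field greppable.

Review bot: In the second hunk, the added `.. note::` tells the reader that issuing **expired** access tokens was superseded but says only that the newer ADR "specifies a different method", so anyone reading this ADR alone still leaves with the impression that token expiry is the control preventing Restricted Applications from calling API endpoints. The link target added in the first hunk already names the replacement ("restricted applications receive unexpired JWTs signed with a new key"); stating that in one sentence inside the note, together with the fact that scope enforcement in the LMS APIs is now the control, would make the superseding decision clear without following the link. Stylistically, the note body is a single very long line while the surrounding Decision paragraph is hard-wrapped; wrapping it to the same width keeps the RST consistent and diff-friendly.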