As part of the implementation of this ADR, we determined that we needed
to make some of the endpoints that return JWTs able to produce
asymmetric JWTs as needed, since asymmetric JWTs are a requirement
in certain cases. This ADR update notes this additional consequence.
The decision to provide Restricted Applications expired
JWTs was superseded by another ADR. This commit simply
adds clarity around that change.
Co-authored-by: Phillip Shiu <pshiu@users.noreply.github.com>
To exchange a JWT for session cookies we need to determine the JWT grant type in
AccessTokenExchangeView. Only a JWT having the password grant type will be allowed to be exchanged for a session.
Added ADR for mobile migration to JWT authentication.
LEARNER-8886
Exchange third party auth token with jwt token
since the mobile platform is moving to jwt tokens, we
need a jwt token instead of an access token now.
LEARNER-8517
Co-authored-by: Robert Raposa <rraposa@edx.org>
Moves the functionality from views._get_jwt_dict_from_access_token_dict
to a new method jwt.create_jwt_token_dict, which creates a JWT version
of the passed token_dict. Also updates create_jwt_from_token to wrap
this call and return the "access_token" from the dict.
This will hopefully make it less likely that the token
dict attributes could get out of sync with the claims
inside the JWT.
Extract some jwt related methods to enable reuse across views.
This is in preparation for a change to AccessTokenExchangeView.
Co-authored-by: jawad-khan <jawadkhan444@gmail.com>
Introduces JWT_ACCESS_TOKEN_EXPIRE_SECONDS setting. This is the number
of seconds a JWT access token remains valid. We use this custom
setting for JWT formatted access tokens, rather than the
django-oauth-toolkit setting ACCESS_TOKEN_EXPIRE_SECONDS, because the
JWT is non-revocable and we want it to be shorter lived than the
legacy Bearer (opaque) access tokens, and thus to have a smaller
default.
BREAKING CHANGE: The thing that is breaking is that JWT access tokens
will now have a 1 hour default, instead of a 10 hours default. If
third-party scripts are appropriately checking/refreshing the access
token, this should be ok. However, you can always override with a
longer duration temporarily. From a security perspective, we don't
recommend a longer duration, and you may consider a shorter duration.
ARCHBOM-2099
BREAKING CHANGE: Removed unused and misleading custom attributes
used for monitoring:
* `jwt_expires_in`: Removed because it is constant for all requests
and just repeating the setting value. It was also misleading.
* `jwt_is_asymmetric`: Removed because multiple JWTs might be created,
and only the last would be reported, which is misleading. This was
meant to help with a future project to get everyone on to asymmetric
JWTs, but can be added when needed, and probably should ONLY monitor
deprecated (symmetric) usage that needs to be fixed. That can be left
for another day.
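To make the JWT points in the commit messages above concrete (claims derived from the OAuth token dict so the two cannot drift apart, a separate and shorter lifetime for a JWT because it cannot be revoked, and a session exchange permitted only for password-grant JWTs), here is an added, self-contained Python example. It is illustrative code written for this page, not edx-platform's oauth_dispatch implementation: the function names, the `grant_type` and `scopes` claim names, the HS256 secret, the sample token dict and the setting values are assumptions, and a real deployment would use a JWT library and the platform's configured signing keys.

```python
"""Added illustration of the JWT access-token behaviour discussed above.
Not edx-platform code: helper names, claim keys and settings are assumed."""
import base64
import hashlib
import hmac
import json
import time

# Assumed settings, mirroring the defaults quoted in the commit message above.
ACCESS_TOKEN_EXPIRE_SECONDS = 36000      # opaque Bearer tokens: 10 hours
JWT_ACCESS_TOKEN_EXPIRE_SECONDS = 3600   # JWTs: 1 hour, since they cannot be revoked


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_segment(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def _hs256(signing_input, secret):
    return _b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())


def create_jwt_token_dict(token_dict, grant_type, secret, now=None):
    """Return a copy of an OAuth token dict whose access_token is a JWT.

    Every claim is derived from token_dict (or from the settings), so the
    dict handed to the client cannot disagree with the claims inside the JWT.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "iat": now,
        "exp": now + JWT_ACCESS_TOKEN_EXPIRE_SECONDS,
        "scopes": token_dict.get("scope", "").split(),
        "grant_type": grant_type,  # assumed claim name, used by the exchange check below
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_encode_segment(header)}.{_encode_segment(claims)}".encode()
    jwt_dict = dict(token_dict)
    jwt_dict["access_token"] = f"{signing_input.decode()}.{_hs256(signing_input, secret)}"
    jwt_dict["expires_in"] = JWT_ACCESS_TOKEN_EXPIRE_SECONDS  # the JWT-specific, shorter value
    jwt_dict["token_type"] = "JWT"
    return jwt_dict


def verify_jwt(token, secret, now=None):
    """Check the signature and `exp`; raise ValueError if either fails.

    There is no revocation check because there is nothing to check against:
    a signed JWT stays valid until `exp`, which is why the lifetime is short.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        raise ValueError("unexpected alg")
    expected = _hs256(f"{header_b64}.{claims_b64}".encode(), secret)
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def can_exchange_for_session(claims):
    """Only a JWT issued through the password grant may be exchanged for a session."""
    return claims.get("grant_type") == "password"


if __name__ == "__main__":
    # Constructed sample input: the shape of dict django-oauth-toolkit hands back.
    secret = b"constructed-demo-secret"
    opaque = {"access_token": "opaque-abc123", "expires_in": ACCESS_TOKEN_EXPIRE_SECONDS,
              "scope": "read write", "token_type": "Bearer"}
    issued_at = 1_700_000_000
    jwt_dict = create_jwt_token_dict(opaque, "password", secret, now=issued_at)
    print("claims:", verify_jwt(jwt_dict["access_token"], secret, now=issued_at + 10))
    try:
        verify_jwt(jwt_dict["access_token"], secret, now=issued_at + JWT_ACCESS_TOKEN_EXPIRE_SECONDS)
    except ValueError as exc:
        print("after one hour:", exc)
```

Note that `verify_jwt` has no revocation step at all: once the token leaves the server, the only thing that ends its validity is `exp`, which is the reason the example keeps `JWT_ACCESS_TOKEN_EXPIRE_SECONDS` an order of magnitude below the opaque-token lifetime. The `grant_type` claim is an assumed mechanism for the password-grant-only exchange; how the real view determines the grant type is not shown on this page.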
* Generate common/djangoapps import shims for LMS
* Generate common/djangoapps import shims for Studio
* Stop appending project root to sys.path
* Stop appending common/djangoapps to sys.path
* Import from common.djangoapps.course_action_state instead of course_action_state
* Import from common.djangoapps.course_modes instead of course_modes
* Import from common.djangoapps.database_fixups instead of database_fixups
* Import from common.djangoapps.edxmako instead of edxmako
* Import from common.djangoapps.entitlements instead of entitlements
* Import from common.djangoapps.pipeline_mako instead of pipeline_mako
* Import from common.djangoapps.static_replace instead of static_replace
* Import from common.djangoapps.student instead of student
* Import from common.djangoapps.terrain instead of terrain
* Import from common.djangoapps.third_party_auth instead of third_party_auth
* Import from common.djangoapps.track instead of track
* Import from common.djangoapps.util instead of util
* Import from common.djangoapps.xblock_django instead of xblock_django
* Add empty common/djangoapps/__init__.py to fix pytest collection
* Fix pylint formatting violations
* Exclude import_shims/ directory tree from linting
This uses the new names introduced in edx-django-utils
3.8.0 (edx/edx-django-utils#59), which we're already using, as
well as updating a few other locations where we incorrectly refer
to New Relic custom metrics instead of custom attributes.
Includes a couple of unrelated lint fixes in a file I modified.
The following oauth_dispatch ADRs are being
marked as accepted, because they were implemented
and are in use in Open edX.
- 0006-enforce-scopes-in-LMS-APIs.rst
- 0007-include-organizations-in-tokens.rst
Given that, scopes have still not been widely
adopted in Open edX, which would require additional
decisions and investment.
Prepare to upgrade to django-oauth-toolkit (module name oauth2_provider) 1.3.2 concurrently with the Django 2.2 upgrade (versions after 1.1.3 dropped support for Django 1.11). Key points:
* We can stop using a commit hash since versions 1.3.0 through 1.3.2 have been released since that commit.
* The validator in oauth_dispatch migration 0002 has been removed from DOT, but the whole table was removed in migration 0004 anyway. Newer DOT versions moved where redirect URI validation happens so it's no longer needed here.
* DOT 1.3.0 squashed its original 6 migrations and immediately deleted them. This required some changes in oauth_dispatch migrations 0006 and 0007 to deal with either numbering system.
When deploying to stage and production, we'll need to delete the history for oauth2_provider migrations 0002-0006 first (the new squashed 0001 migration has the same name as the original 0001). The deployment with DOT 1.3.2 will add a new 0002 migration which should then apply cleanly on the existing database state.
Should resolve https://openedx.atlassian.net/browse/BOM-1456 .
The oauth2.enforce_jwt_scopes waffle switch was added temporarily for
the rollout of jwt scopes. This removes the toggle and replaces the code
with the equivalent of `oauth2.enforce_jwt_scopes` as True.
Move to using the filters list provided in the ApplicationAccess model
to generically store scopes instead of the org specific ApplicationOrg
model mapping.