Description
RFC Start Date
2023-08-14
Target Plan Accepted Date
2023-08-18
Target Transition Unblocked Date
Ready now:
- As of Ulmo (or earlier), the backends no longer require the USE-JWT-COOKIE header, except in CORS_ALLOW_HEADERS.
- The frontends can stop sending the header now.
Not yet ready:
- The backends are not yet ready for clean-up of the header from CORS_ALLOW_HEADERS.
Earliest Breaking Changes Unblocked Date
Removal of this header from CORS_ALLOW_HEADERS is blocked until at least one named release after the frontend clean-up has been completed. Observability in that named release may also be required before the CORS_ALLOW_HEADERS removal.
Rationale
The USE-JWT-COOKIE header was used by MFEs to inform backends when JWT cookies should be used. It has some complexities, as detailed in the following ADR proposing its removal. See docs/decisions/0002-remove-use-jwt-cookie-header.rst in #197 (which hasn't merged as of this initial ticket write-up).
The complexity causes confusion, and we'd like to simplify that.
Removal
This PR introduces the replacement and the ability to disable the old behavior:
This ticket details some of the follow-up cleanup work for full removal:
Replacement
PR #197 also introduces the replacement, called "forgiving JWT cookies": JWT cookies are accepted on all requests (not just those carrying the special header), but if JWT cookie authentication fails, the endpoint is allowed to try its other forms of authentication before giving up.
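To make the contrast concrete, the following is an added example (not code from edx-drf-extensions or PR #197) that simulates a DRF-style authenticator chain. It assumes DRF's contract that `authenticate()` returning `None` means "not applicable, try the next authenticator" and raising `AuthenticationFailed` stops the chain with a 401. The cookie name, the HMAC-signed toy cookie format, and the signing key are constructed for the example only; a real JWT cookie and its validation are different.

```python
"""Header-gated (old) vs. forgiving (new) JWT cookie authentication, simulated.

Constructed example: no Django/DRF, no real JWT. The cookie is a base64 JSON
body plus an HMAC tag so that a tampered cookie fails verification.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"example-signing-key"      # constructed; not a real deployment key
JWT_COOKIE_NAME = "edx-jwt-cookie"   # constructed cookie name


class AuthenticationFailed(Exception):
    """Stands in for rest_framework.exceptions.AuthenticationFailed."""


def sign_cookie(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(value: str) -> dict:
    try:
        body, tag = value.split(".", 1)
    except ValueError:
        raise AuthenticationFailed("malformed cookie")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise AuthenticationFailed("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


class JwtCookieAuthentication:
    """forgiving=False: only consult the cookie when USE-JWT-COOKIE was sent,
    and a bad cookie ends the request with 401.
    forgiving=True: always consult the cookie, but a bad cookie just yields
    None so the next authenticator gets its turn."""

    def __init__(self, forgiving: bool):
        self.forgiving = forgiving

    def authenticate(self, request):
        cookie = request["cookies"].get(JWT_COOKIE_NAME)
        if cookie is None:
            return None
        if not self.forgiving:
            if request["headers"].get("USE-JWT-COOKIE") != "true":
                return None                      # header absent: ignore the cookie
            return ("jwt", verify_cookie(cookie)["user"])   # raises on a bad cookie
        try:
            return ("jwt", verify_cookie(cookie)["user"])
        except AuthenticationFailed:
            return None                          # forgive, fall through


class SessionAuthentication:
    def authenticate(self, request):
        user = request.get("session_user")
        return ("session", user) if user else None


def authenticate(request, forgiving: bool):
    """Run the authenticator chain the way DRF does: first non-None result wins."""
    for auth in (JwtCookieAuthentication(forgiving), SessionAuthentication()):
        result = auth.authenticate(request)
        if result is not None:
            return result
    return None
```

With the old behaviour a valid cookie without the header is ignored, and a bad cookie with the header is a hard 401 even when a session would have worked; with forgiving cookies the valid cookie is honoured regardless of the header and the bad cookie falls through to session authentication. One general caveat, not specific to this project: once a cookie is honoured on every request, the same CSRF protection that applies to session-cookie authentication has to apply to the JWT cookie path, which this example omits.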
Deprecation
No response
Migration
No response
Additional Info
No response
Task list
Note: To make life simpler for me (@robrap), I left searches for org openedx and edx together on this ticket.
- Remove USE-JWT-COOKIE from edx-drf-extensions: Support DEPR of USE-JWT-COOKIE with forgiving JWTs edx/edx-arch-experiments#429
- Clean-up uses of ENABLE_FORGIVING_JWT_COOKIES.
- Front-end clean-up: stop sending the header from all front-ends.
  - Remove JavaScript usage of USE-JWT from frontend-platform and frontend-base.
    - This is a breaking change that requires the backends to be using edx-drf-extensions>=10.2.0, which should be the case.
- Add observability to all backends showing requests with the USE-JWT-COOKIE header. Maybe protected by a toggle, and reporting on all CORS_ALLOW_HEADERS? We'll want to see positive results to tell the difference between missing headers and missing observability code.
- Update backends that are no longer detecting the header (requires observability). Important: Even though the header is unused, all usage must stop before a backend can remove it, in order not to break the caller.
  - See Python updates for USE-JWT:
    - Remove all matches (any file type) from any backend repo where edx-drf-extensions== is 10.2.0+. Otherwise, for rare exceptions, add appropriate comments.
    - Potentially review edx.org tracking spreadsheet.
    - These PRs were merged and reverted, because this change was made before stopping the header in callers.
    - RST updates for USE-JWT, as needed.
    - Remaining edx.org work moved to [DEPR-2U] Use-Jwt-Cookie header edx/edx-arch-experiments#726
  - Clean-up for USE_JWT
    - Fix edx-platform: feat: DEPR USE-JWT-COOKIE header - Part 1 openedx-platform#35401
    - Fix enterprise-catalog: feat: DEPR USE-JWT-COOKIE header - Part 1 enterprise-catalog#925
- Possibly remove observability for the USE-JWT-COOKIE header, unless it was implemented more generally with a setting.
- Final review of remaining USE-JWT for all languages.
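The observability item above asks for "positive results": a zero count for USE-JWT-COOKIE only proves callers have stopped if the same instrumentation demonstrably counted other headers. The following is an added example (not code from any Open edX backend) of a Django-middleware-shaped hook that counts every allow-listed header it sees, behind a toggle, plus the check a backend would run before removing the header from CORS_ALLOW_HEADERS. The `CORS_ALLOW_HEADERS` list, the dict-shaped requests, and the function names are constructed for the example.

```python
"""Count which CORS_ALLOW_HEADERS actually arrive on requests.

Constructed example: requests are plain dicts of header name -> value
(Django's request.headers is case-insensitive; we lower-case explicitly).
"""
from collections import Counter

# Constructed list modelled on a typical CORS_ALLOW_HEADERS; not copied from any repo.
CORS_ALLOW_HEADERS = ("use-jwt-cookie", "x-csrftoken", "content-type", "authorization")


def observed_cors_headers(headers, allow_headers=CORS_ALLOW_HEADERS):
    """Return the allow-listed headers present on one request, case-insensitively."""
    present = {name.lower() for name in headers}
    return [h for h in allow_headers if h in present]


class CorsHeaderObservability:
    """Shaped like a Django middleware (callable built around get_response).

    `enabled` is the toggle the ticket suggests; when off, nothing is counted,
    which is exactly the "missing observability" case the check below must
    distinguish from "missing header".
    """

    def __init__(self, get_response, enabled=True, allow_headers=CORS_ALLOW_HEADERS):
        self.get_response = get_response
        self.enabled = enabled
        self.allow_headers = allow_headers
        self.counts = Counter({h: 0 for h in allow_headers})
        self.requests_seen = 0

    def __call__(self, headers):
        if self.enabled:
            self.requests_seen += 1
            for h in observed_cors_headers(headers, self.allow_headers):
                self.counts[h] += 1
        return self.get_response(headers)


def count_cors_headers(requests, enabled=True):
    """Drive the hook over a batch of requests; returns (counts, requests_seen)."""
    hook = CorsHeaderObservability(lambda headers: "200 OK", enabled=enabled)
    for headers in requests:
        hook(headers)
    return hook.counts, hook.requests_seen


def safe_to_remove(header, counts, requests_seen):
    """A zero count for `header` is trustworthy only if the hook demonstrably ran:
    at least one request was seen AND at least one other allow-listed header
    was counted (the positive result)."""
    if requests_seen == 0 or counts[header] > 0:
        return False
    return any(n > 0 for h, n in counts.items() if h != header)


if __name__ == "__main__":
    # Constructed sample traffic: two clean requests and one legacy caller.
    sample = [
        {"X-CSRFToken": "abc", "Content-Type": "application/json"},
        {"Authorization": "JWT eyJ..."},
        {"USE-JWT-COOKIE": "true"},
    ]
    counts, seen = count_cors_headers(sample)
    print(dict(counts), "requests:", seen)
    print("safe to drop use-jwt-cookie:", safe_to_remove("use-jwt-cookie", counts, seen))
```

The same counts can be emitted as metrics or log lines from a real middleware; the point of `safe_to_remove` is that "never seen" is only evidence once the other headers in the list show non-zero counts from the same hook.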