UAA-Release v78+ Breaking Changes Planning #739
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/186790434 The labels on this github issue will be updated when the story is started.
- we cannot find any current usage of new relic integration, hence it is planned to be removed in the next UAA major release (see: #739)
- removing it reduces false positives in CVE scanning and reduces the bosh release size

[#186179693]

Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
@peterhaochen47 is there a plan for when you will release v77?

@strehle, on our side, the only outstanding item is the MFA feature removal, which is underway (ETA = a few days). Your colleagues said in our last OSS sync that your team had no outstanding item for v77 but was also not in urgent need to release; is that accurate?

No urgency, correct, but after 3 weeks now I would simply think about a release, simply so that we have CI into cf-deployment.
- Context about its deprecation:
  - This feature is under-utilized, and requires further maintenance for which our team lacks the resources. (For example, this feature is potentially vulnerable because a secure Content-Security-Policy cannot be applied to its pages without breaking them.) The feature has also been marked as "not ready for production" for a few years now. So we opt to remove the feature and instead recommend using the external IDPs' own MFA features. See more context in #2196.
- This commit removes all MFA-specific code, except for the following, on which we will make follow-up commits:
  - README's deprecation notice
  - database operations
  - Content-Security-Policy's exemption toward the MFA endpoint (https://github.com/cloudfoundry/uaa/blob/72565fb56cd1f90af499119d32c891937f3c5a76/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/ContentSecurityPolicyFilter.java#L29)
- breaking changes planning: cloudfoundry/uaa-release#739
- Further notes about specific changes in tests:
  - For PasscodeMockMvcTests.testLoginUsingPasscodeWithUnknownToken(), the assertion on the response code is changed from 401 to 403. This is because 403 was the original asserted value before MFA was added (see: 92abee6). The 403 response also makes sense in the context of the test (authentication present but has insufficient access).

[#186854489]
- the MFA feature has long been deprecated and will soon be removed in the next release, see: cloudfoundry/uaa#2717
- see breaking change planning: #739

[#186854489]
In consideration for v78

Done for v77

Other candidates

- /check_token endpoint
- jwt to opaque: Combination of the default values of uaa.jwt.refresh.format (jwt) and uaa.jwt.revocable (false) results in spec-non-compliance #813
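As an added example, not code from the issue or from the uaa-release project, the following BOSH ops file overrides the two properties named in the "jwt to opaque" candidate with the non-default values that candidate implies (opaque, revocable refresh tokens) so an operator does not have to wait for the defaults to change in a major release. The ops-file paths assume cf-deployment's `uaa` instance group and `uaa` job, and `opaque` is assumed to be the accepted alternative to `jwt` for `uaa.jwt.refresh.format`; confirm both against the job spec of the uaa-release version you deploy.

```yaml
# Added example: pin UAA refresh tokens to the opaque, revocable form.
# Assumptions (verify against your uaa-release job spec):
#   - instance group "uaa" and job "uaa" (cf-deployment layout)
#   - "opaque" is the accepted non-default value of uaa.jwt.refresh.format
#   - uaa.jwt.revocable is a boolean

# Default on the page: jwt. A JWT refresh token is validated by signature,
# so it stays usable until expiry; an opaque one is looked up server-side.
- type: replace
  path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/jwt/refresh/format
  value: opaque

# Default on the page: false. true makes issued tokens individually revocable.
- type: replace
  path: /instance_groups/name=uaa/jobs/name=uaa/properties/uaa/jwt/revocable
  value: true
```

Apply it with `bosh -d cf deploy cf-deployment.yml -o <this-file>` alongside your other ops files. A quick post-deploy check: request a new refresh token via the password or authorization code grant; with the override in effect it should be an opaque string rather than a three-part, dot-separated JWT.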