UAA-Release v78+ Breaking Changes Planning #739

Open
peterhaochen47 opened this issue Jan 5, 2024 · 4 comments
Comments

@peterhaochen47
Member

peterhaochen47 commented Jan 5, 2024

In consideration for v78

  • removal of already-deprecated SAML IDP configs:
    • config.socketFactoryClassName
    • config.samlConfig.certificate
    • config.samlConfig.privateKey
    • config.samlConfig.privateKeyPassword
    • config.links.logout.disableRedirectParameter

Done for v77

Other candidates
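A pre-upgrade check for the deprecated keys listed above, as an added example that is not part of the issue or of the uaa-release project's own code. It assumes the configuration is available as a parsed JSON-style dict and that the dotted paths in the issue are read from its top level (where exactly these keys sit in a real deployment is not stated on this page); the sample config is constructed. Values of the private key and its password are redacted in the report so the check can be run in CI without leaking secrets into logs.

```python
"""Pre-upgrade check for deprecated config keys (added example, not UAA's code).

Assumptions (not from the issue): the configuration is a parsed JSON-style
dict, and the dotted paths listed in the issue are resolved from its top level.
"""
import json

# Deprecated paths listed in the issue for removal in UAA-Release v78+.
DEPRECATED_PATHS = (
    "config.socketFactoryClassName",
    "config.samlConfig.certificate",
    "config.samlConfig.privateKey",
    "config.samlConfig.privateKeyPassword",
    "config.links.logout.disableRedirectParameter",
)

# Keys whose values must never be echoed into a report.
SECRET_SUFFIXES = ("privateKey", "privateKeyPassword")


def lookup(doc, dotted):
    """Walk a nested dict by dotted path; return (found, value)."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def find_deprecated(doc, paths=DEPRECATED_PATHS):
    """Return {path: display_value} for every deprecated path present in doc.

    Secret-bearing values are replaced by a redaction marker so the result
    can be logged safely.
    """
    hits = {}
    for path in paths:
        found, value = lookup(doc, path)
        if not found:
            continue
        hits[path] = "<redacted>" if path.endswith(SECRET_SUFFIXES) else value
    return hits


def report(doc):
    """Human-readable summary of the check; returns a list of lines."""
    hits = find_deprecated(doc)
    if not hits:
        return ["OK: no deprecated keys found"]
    lines = ["WARNING: deprecated keys present (removed in UAA-Release v78+):"]
    for path, value in sorted(hits.items()):
        lines.append(f"  {path} = {value!r}")
    return lines


# Constructed sample (not a real deployment): three of the deprecated keys set.
SAMPLE_CONFIG = json.loads("""
{
  "config": {
    "socketFactoryClassName": "org.example.LegacySocketFactory",
    "samlConfig": {
      "privateKey": "-----BEGIN PRIVATE KEY-----\\nconstructed\\n-----END PRIVATE KEY-----",
      "privateKeyPassword": "constructed-password",
      "wantAssertionSigned": true
    },
    "links": {"logout": {"redirectUrl": "/login"}}
  }
}
""")

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run it against an exported zone or deployment config before moving to v78; a non-empty WARNING block means the upgrade will drop settings that are still in use.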

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/186790434

The labels on this github issue will be updated when the story is started.

@peterhaochen47 peterhaochen47 changed the title UAA-Release v77 Breaking Changes Planning UAA-Release v77+ Breaking Changes Planning Jan 5, 2024
peterhaochen47 added a commit that referenced this issue Jan 22, 2024
- we cannot find any current usage of the New Relic integration,
hence it is planned to be removed in the next UAA major
release (see: #739)
- removing it reduces false positives in CVE scanning and reduces
the bosh release size

[#186179693]

Co-authored-by: Alicia Yingling <alicia.yingling@broadcom.com>
peterhaochen47 added a commit that referenced this issue Jan 24, 2024
peterhaochen47 added a commit that referenced this issue Jan 25, 2024
@strehle
Member

strehle commented Feb 6, 2024

@peterhaochen47 is there a plan for when you will release v77?

@peterhaochen47
Member Author

@strehle, on our side, the only outstanding item is the MFA feature removal, which is underway (ETA = a few days). Your colleagues said in our last OSS sync that your team had no outstanding item for v77 but was also not in urgent need to release, is that accurate?

@strehle
Member

strehle commented Feb 6, 2024

Your colleagues said in our last OSS sync that your team had no outstanding item for v77 but was also not in urgent need to release, is that accurate?

No urgency, correct, but after 3 weeks now I would simply think about a release, simply so that we have CI into cf-deployment.
So after the next sync on Thursday I suggest we release. MFA removal is ok; I assume it should be less effort than SAML IDP.

peterhaochen47 added a commit to cloudfoundry/uaa that referenced this issue Feb 6, 2024
- Context about its deprecation:
  - This feature is under-utilized, and requires further
    maintenance for which our team lacks the resources. (For
    example, this feature is potentially vulnerable because
    a secure Content-Security-Policy cannot be applied to its
    pages without breaking them.) The feature has also been
    marked as "not ready for production" for a few years now.
    So we opt to remove the feature and instead recommend
    using the external IDPs' own MFA features. See more context
    in #2196.
- This commit removes all MFA-specific code, except for
  the following, on which we will make follow-up commits:
  - README's deprecation notice
  - database operations
  - Content-Security-Policy's exemption for the MFA endpoint (https://github.com/cloudfoundry/uaa/blob/72565fb56cd1f90af499119d32c891937f3c5a76/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/ContentSecurityPolicyFilter.java#L29)
- breaking changes planning: cloudfoundry/uaa-release#739
- Further notes about specific changes in tests:
  - For PasscodeMockMvcTests.testLoginUsingPasscodeWithUnknownToken(), the assertion
    on the response code is changed from 401 to 403. This is because 403 was the original
    asserted value before MFA was added (see: 92abee6).
    The 403 response also makes sense in the context of the test (authentication
    present but with insufficient access).

[#186854489]
peterhaochen47 added a commit that referenced this issue Feb 7, 2024
- the MFA feature has long been deprecated
and will soon be removed in the next release,
see: cloudfoundry/uaa#2717
- see breaking change planning: #739

[#186854489]
peterhaochen47 added a commit that referenced this issue Feb 7, 2024
peterhaochen47 added a commit to cloudfoundry/uaa that referenced this issue Feb 7, 2024
peterhaochen47 added a commit to cloudfoundry/uaa that referenced this issue Feb 8, 2024
peterhaochen47 added a commit to cloudfoundry/uaa that referenced this issue Feb 8, 2024
@peterhaochen47 peterhaochen47 changed the title UAA-Release v77+ Breaking Changes Planning UAA-Release v78+ Breaking Changes Planning Mar 18, 2024
3 participants