
Merging to release-5.3: [TT-11426/TT-13322]add deprecation notice for oidc middleware (#6686) #6687

Merged

Conversation


@buger buger commented Oct 31, 2024

User description

[TT-11426/TT-13322]add deprecation notice for oidc middleware (#6686)

TT-13322
Summary: Add warning message in GW logs, schema and go docs
Type: Sub-task
Status: In Dev
Points: N/A
Labels: QA_Fail

Description

Related Issue

Parent: https://tyktech.atlassian.net/browse/TT-11426
Subtask: https://tyktech.atlassian.net/browse/TT-13322

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing
    functionality to change)
  • Refactoring or add test (improvements in base code or adds test
    coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates go.mod in detail with reasoning
    why it's required
  • I would like a code coverage CI quality gate exception and have
    explained why

PR Type

documentation, enhancement


Description

  • Added deprecation notices for OpenID Connect middleware and OIDC
    authentication mode in code comments and documentation.
  • Introduced log warnings in the OpenID middleware to inform users of
    the deprecation.
  • Recommended using JSON Web Token (JWT) as an alternative to avoid
    disruptions.

Changes walkthrough 📝

Relevant files

Documentation

  api_definitions.go (apidef/api_definitions.go, +3/-0): Add deprecation notice for OpenID Connect middleware
  • Added deprecation notice for OpenID Connect middleware.
  • Recommended using JSON Web Token (JWT) instead.

  authentication.go (apidef/oas/authentication.go, +3/-0): Add deprecation notice for OIDC authentication mode
  • Added deprecation notice for OIDC authentication mode.
  • Recommended using JSON Web Token (JWT) instead.

  x-tyk-api-gateway.json (apidef/oas/schema/x-tyk-api-gateway.json, +1/-0): Add deprecation notice for external OAuth Middleware
  • Added deprecation notice for external OAuth Middleware.
  • Recommended using JSON Web Token (JWT) instead.

Enhancement

  mw_openid.go (gateway/mw_openid.go, +4/-0): Add log warning for deprecated OpenID Connect Middleware
  • Added log warning for deprecated OpenID Connect Middleware.
  • Recommended using JSON Web Token (JWT) instead.

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information


    @buger buger enabled auto-merge (squash) October 31, 2024 14:09

    github-actions bot commented Oct 31, 2024

    API Changes

    --- prev.txt	2024-10-31 14:27:41.398260857 +0000
    +++ current.txt	2024-10-31 14:27:38.490272916 +0000
    @@ -1593,6 +1593,10 @@
     	Providers         []OIDProviderConfig `bson:"providers" json:"providers"`
     	SegregateByClient bool                `bson:"segregate_by_client" json:"segregate_by_client"`
     }
    +    OpenID Connect middleware support will be deprecated
    +    starting from 5.7.0. To avoid any disruptions, we recommend
    +    that you use JSON Web Token (JWT) instead, as explained in
    +    https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/.
     
     type PersistGraphQLMeta struct {
     	Path      string                 `bson:"path" json:"path"`
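Review bot: the paragraph added after the struct's closing `}` becomes the type's only doc comment, and it follows neither Go doc convention: it does not open with the type name, and the notice is not in a paragraph that begins with `Deprecated:`. Without that marker, gopls, staticcheck (SA1019) and pkg.go.dev will not flag uses of the type, so the notice reaches only someone reading the source. Suggest a first sentence naming the type, then a separate `Deprecated:` paragraph carrying the 5.7.0 text and the link.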
    @@ -3485,7 +3489,10 @@
     	// Scopes contains the defined scope claims.
     	Scopes *Scopes `bson:"scopes,omitempty" json:"scopes,omitempty"`
     }
    -    OIDC contains configuration for the OIDC authentication mode.
    +    OIDC contains configuration for the OIDC authentication mode. OIDC
    +    support will be deprecated starting from 5.7.0. To avoid any disruptions,
    +    we recommend that you use JSON Web Token (JWT) instead, as explained in
    +    https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/.
     
     func (o *OIDC) ExtractTo(api *apidef.APIDefinition)
         ExtractTo extracts *OIDC to *apidef.APIDefinition.
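Review bot: "OIDC support will be deprecated starting from 5.7.0" leaves open what actually happens in 5.7.0 (is the mode merely flagged, or removed so that existing APIs stop authenticating on upgrade?), and the linked page is the only migration guidance given. Suggest stating explicitly whether 5.7.0 removes OIDC or only marks it deprecated, and placing the notice in its own `Deprecated:` paragraph after the "OIDC contains configuration ..." sentence so Go tooling surfaces it.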


    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    🎫 Ticket compliance analysis ✅

    6686 - Fully compliant

    Fully compliant requirements:

    • Add warning message in GW logs, schema, and go docs for deprecating OIDC middleware.
    • Recommend using JSON Web Token (JWT) as an alternative.
    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Deprecation Notice
    Ensure the deprecation notice for OpenID Connect middleware is clear and provides all necessary information for migration to JWT.

    Deprecation Notice
    Verify the deprecation notice for OIDC authentication mode is accurate and guides users effectively towards using JWT.

    Log Warning
    Check the log warning for deprecated OpenID Connect Middleware to ensure it's triggered under the correct conditions and is informative.

    Schema Update
    Confirm the schema update includes a clear deprecation notice for external OAuth Middleware and directs users appropriately to JWT.


    PR Code Suggestions ✨

    Explore these optional code suggestions:

Category: Possible issue
    Add a return statement to halt further execution after a deprecation warning if OpenID Connect Middleware is enabled

    Consider adding a return statement after logging the deprecation warning to prevent
    further execution when OpenID Connect Middleware is enabled.

    gateway/mw_openid.go [34-36]

     if k.Spec.UseOpenID {
         log.Warn("Support for OpenID Connect Middleware will be deprecated starting from 5.7.0. To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead, as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/")
    +    return false
     }
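Review bot: the proposed `return false` changes behaviour, not just logging. Whenever `k.Spec.UseOpenID` is set the function now exits false straight after the warning, so if this is the middleware's enabled check (the function signature is not in the excerpt) every API configured for OpenID Connect would have the middleware switched off in this release, turning a deprecation notice into a silent removal of an authentication step well before 5.7.0. Suggest keeping only the `log.Warn` and leaving the return value as it was; a deprecation warning must not alter which middleware runs.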
    Suggestion importance[1-10]: 8

    Why: The suggestion to add a return statement after logging the deprecation warning is valid and impactful. It prevents further execution when OpenID Connect Middleware is enabled, aligning with the deprecation notice and encouraging users to switch to JWT, thus avoiding potential issues with deprecated functionality.


    (cherry picked from commit 3633678)
    @jeffy-mathew jeffy-mathew force-pushed the merge/release-5.3/36336784dbbea4f2370bac0f12b1db816daea731 branch from 0b7db2f to 4066ce7 Compare October 31, 2024 14:27

Quality Gate failed

    Failed conditions
    50.0% Coverage on New Code (required ≥ 80%)
    C Reliability Rating on New Code (required ≥ A)

    See analysis details on SonarCloud


    @buger buger merged commit aa60c80 into release-5.3 Oct 31, 2024
    32 of 39 checks passed
    @buger buger deleted the merge/release-5.3/36336784dbbea4f2370bac0f12b1db816daea731 branch October 31, 2024 15:00