Make the studio login over the lms optional using a feature flag #19845
Conversation
|
Thanks for the pull request, @felipemontoya! I've created OSPR-3103 to keep track of it in JIRA. JIRA is a place for product owners to prioritize feature reviews by the engineering development teams. Feel free to add as much of the following information to the ticket:
All technical communication about the code itself will still be done via the GitHub pull request interface. As a reminder, our process documentation is here. |
openedx-webhooks
added
needs triage
open-source-contribution
cms/envs/production.py
Outdated
| CAS_ATTRIBUTE_CALLBACK['function'] | ||
| ) | ||
|
|
||
| # Login using the LMS as the identity provider |
There was a problem hiding this comment.
Need to update this comment to say "Do NOT login using the LMS as an Identity Provider if disabled".
cms/templates/widgets/header.html
Outdated
| login_url = '{lms_root_url}/login?next={next_url}'.format( | ||
| lms_root_url=settings.LMS_ROOT_URL, | ||
| next_url=current_url, | ||
| ) |
There was a problem hiding this comment.
Can we consolidate the use of DISABLE_STUDIO_SSO_OVER_LMS to only the settings file? So it's logic isn't spread throughout these other .html files? As a concrete suggestion:
-
Add new settings in production.py for
FRONTEND_LOGIN_URLandFRONTEND_LOGOUT_URL. -
When
DISABLE_STUDIO_SSO_OVER_LMSisTrue- Set
FRONTEND_LOGIN_URLtoLOGIN_URL - Set
FRONTEND_LOGOUT_URLtoEDX_ROOT_URL + '/signout'
- Set
-
When
DISABLE_STUDIO_SSO_OVER_LMSisFalse- Set
FRONTEND_LOGIN_URLtoLMS_ROOT_URL+ '/login'` - Set
FRONTEND_LOGOUT_URLto LMS_ROOT_URL+ '/logout'
- Set
-
Update these
.htmlfiles to always append?next={next_url}regardless of theDISABLE_STUDIO_SSO_OVER_LMSvalue. I believe the old Studio endpoints will just ignore thenextparameter.
|
@felipemontoya Thank you for your contribution. Can you let me know once you have addressed requests from @nasthagiri ? |
openedx-webhooks
added
waiting on author
felipemontoya
force-pushed
the
fmo/studio_sso_over_lms_flag
branch
from
4155e6e to
031cb45
Compare
|
Hey @nasthagiri sorry It took me long to address the feedback. I created a devstack for this on my home computer and only today I stayed to work from home again. I did all the logic on the settings modules this time. Not only on production.py since the base existence of the keys is something that should live in common.py in case some other module is not inheriting from production. I did have to change something else on the LogoutView. See the inline comment |
There was a problem hiding this comment.
This logic of looking at oauth_client_ids, I brought it back from Hawthorn. Without it, what happens is that studio will try to render a page that inherits from "main_django.html" and that template only exists in the LMS.
Now, I could also change the logic to make the if exclusively targeting studio and not all the cases where there are no oauth_clients. If that was the case, should I check for SERVICE_VARIANT == 'cms' or is there a preferred way of doing this?
There was a problem hiding this comment.
The rendered page is a harmless, but ugly looking bug in the master version. You can see what I mean if you go to https://studio.edx.org/logout (even without a valid session)
There was a problem hiding this comment.
Also this part here is what is breaking the tests because they are expecting a 200 http status, but they get a redirect 302. I'll fix the tests once I have a clear indication about what I should do in this case
There was a problem hiding this comment.
I believe @pwnage101 and @doctoryes had reasons to remove this code as part of supporting SSO via DOT (rather than DOP).
@felipemontoya Can you put this logic behind the DISABLE_STUDIO_SSO_OVER_LMS feature toggle? When Studio redirects to the LMS for both login/logout, then Studio's own logout page should never be rendered and the ugly page you point out should not appear. Eventually, we will want to remove the old studio login/logout code entirely, including this now-ugly logout page.
There was a problem hiding this comment.
This makes sense to me. I just made the necessary changes.
I also rebased on top of master to have a more up-to-date PR
felipemontoya
force-pushed
the
fmo/studio_sso_over_lms_flag
branch
from
031cb45 to
d585438
Compare
nasthagiri
left a comment
nasthagiri
left a comment
There was a problem hiding this comment.
Looks good to me! Just one request to keep the oauth_client changes behind the feature toggle. Thanks Felipe.
There was a problem hiding this comment.
I believe @pwnage101 and @doctoryes had reasons to remove this code as part of supporting SSO via DOT (rather than DOP).
@felipemontoya Can you put this logic behind the DISABLE_STUDIO_SSO_OVER_LMS feature toggle? When Studio redirects to the LMS for both login/logout, then Studio's own logout page should never be rendered and the ugly page you point out should not appear. Eventually, we will want to remove the old studio login/logout code entirely, including this now-ugly logout page.
felipemontoya
force-pushed
the
fmo/studio_sso_over_lms_flag
branch
from
d585438 to
947fe19
Compare
felipemontoya
force-pushed
the
fmo/studio_sso_over_lms_flag
branch
from
947fe19 to
9195ec9
Compare
|
My bad, I left a typo in. It is running tests again |
| if settings.FEATURES.get('DISABLE_STUDIO_SSO_OVER_LMS', False) and not self.oauth_client_ids: | ||
| response = redirect(self.target) | ||
| else: | ||
| response = super(LogoutView, self).dispatch(request, *args, **kwargs) |
There was a problem hiding this comment.
Unfortunately, emtiness of the self.oauth_client_ids list does not imply that the user is logged out of all IDAs. IDAs that were converted to use DOT (ecommerce and credentials, on master currently) currently do not get added to that list.
For logging out the user from those DOT-enabled IDAs, we always unconditionally log out the user from them. This is a stop-gap solution until we decide on a better/smarter DOT-specific solution.
nasthagiri
left a comment
nasthagiri
left a comment
There was a problem hiding this comment.
looks good to merge once tests pass
|
jenkins run python |
|
@nasthagiri I'm not quite sure on how to proceed. Lettuce tests are complaining about the absence of FRONTEND_LOGOUT_URL, but they are complaining when importing I suppose that setting a value for it in the lms.envs.common would fix it, but It does not seem to be correct to add it there if it is not ever needed at the lms. Should I add it to the LMS? or can anyone else look at this and let me know if I should use the |
|
@felipemontoya I do believe you are using
I am pinging @doctoryes who wrote the Thanks. |
|
@nasthagiri 's suggestions are 👍 . |
|
|
||
| # TODO (felipemontoya): This key is only needed during lettuce tests. | ||
| # To be removed during https://openedx.atlassian.net/browse/DEPR-19 | ||
| FRONTEND_LOGOUT_URL = LMS_ROOT_URL + '/logout' |
There was a problem hiding this comment.
Question: do the lettuce tests not pass with this living in cms/envs/test.py?
There was a problem hiding this comment.
Really good question. I did not know either, so I tried, and the answer is no (https://build.testeng.edx.org/job/edx-platform-lettuce-pipeline-pr/2264/console).
I'm returning to the working version
felipemontoya
force-pushed
the
fmo/studio_sso_over_lms_flag
branch
from
987bff1 to
923a917
Compare
|
Your PR has finished running tests. There were no failures. |
|
@felipemontoya 🎉 Your pull request was merged! Please take a moment to answer a two question survey so we can improve your experience in the future. |
|
EdX Release Notice: This PR has been deployed to the staging environment in preparation for a release to production on Monday, March 18, 2019. |
|
EdX Release Notice: This PR has been deployed to the production environment. |
|
@felipemontoya: We are looking to remove the old Studio login page and this feature flag. Do you now have a solution for the cookie sharing problem? Thank you. Also, can you tell me why |
|
Hello @robrap. I don't see this issue as we having a problem for the cookie sharing problem. I know exactly how to share the cookies between lms and cms. The thing there is that this forces a requirement on the possible domains where studio might be hosted in relation to the lms. Hosting studio and the lms as subdomains of the same domain and more specifically sharing the cookie using the SESSION_COOKIE_DOMAIN = '.yourdomain.com' has been the use case for the edx.org installation since the beginning but it is not a hard requirement for using studio until this comes into effect. If you want to move ahead with the deprecation, go for it, but make it super clear on the release notes that this is the requirement now so that people upgrading and installing for the first time are not tripping over this. Optionally I see 2 other paths going forward:
About the |
|
If I can add something to what @felipemontoya is saying is that for example here we use cours.edulib.org for the LMS and studio.edulib.org for the CMS. The authentication change that was made was not allowing us to connect directly to studio.edulib.org because we are behind two ELB and the FQDN were set at the ELB level (even if SSO was previously working when set to SESSION_COOKIE_DOMAIN = ".edulib.org"). Basically, it was not recognizing studio.edulib.org to be in the same domain as cours.edulib.org. Since many "existing" installations will have different requirement than edx.org, maybe these should also be taken into consideration moving forward and not force an architectural / infrastructure change on the part of the community. As I said previously in the thread in Slack, documentation is key here. |
|
@robrap This would be a good topic for https://discuss.openedx.org so that we can get more viewpoints and ideas. |
|
@felipemontoya @sambapete: Sharing the LMS login page better aligns with the other IDAs, it allows Studio to get all the SSO integrations supported by LMS, and it simplifies the security story for Open edX. I added notes to the upcoming Juniper release page that we can enhance as we learn more, including any future alternatives that are implemented. See https://openedx.atlassian.net/wiki/spaces/COMM/pages/940048716/Juniper |
|
If you want to continue discussion, maybe move to Discourse as @nedbat asked. Thanks. |
This completes the work started in https://github.com/edx/edx-platform/pull/19453 to use the LMS login and registration for Studio, rather than Studio providing its own implementation. LMS login/registration are being used for the following reasons: 1. LMS logistration properly handles all SSO integrations. 2. A single logistration is simpler to maintain and understand. 3. Allows Studio to work more like all other IDAs that use LMS logistration. The original switch to use LMS logistration for Studio also added the toggle `DISABLE_STUDIO_SSO_OVER_LMS` to provide the community some additional time for switching. This commit removes this toggle, which at this point means all deployments will use the LMS logistration. This change requires sharing cookies across LMS and Studio. Should that prove to be a problem for certain Open edX instances, there are discussions of possible alternative solutions. See https://github.com/edx/edx-platform/pull/19845#issuecomment-559154256 Detailed changes: * Fix some Studio links that still went to old Studio signin and signup. * Remove DISABLE_STUDIO_SSO_OVER_LMS feature toggle. * Remove old studio signin and signup pages and templates. * Fix url name "login", which had different meanings for Studio and LMS. * Use the following settings: LOGIN_URL, FRONTEND_LOGIN_URL, FRONTEND_LOGOUT_URL, and FRONTEND_REGISTER_URL. * Redirect /signin and /signup to the LMS logistration. * Add custom metric `uses_pattern_library`. * Add custom metric `student_activate_account`. * Add Django Settings to allow /signin, /signup, and /login_post to be disabled once ready. This work also relates to ARCH-218 and DEPR-6. ARCH-1253
openedx-webhooks
added
merged
and removed
waiting on author
11 participants
Description
This PR creates a new FEATURE flag
DISABLE_STUDIO_SSO_OVER_LMSthat defaults to False.When turned on, the flag will make studio behave with the old login flow. This means that it the button on the header will take users to
/signinwhere they can use the same user/pass they had before.Previous discussion
This PR comes as a follow up to the discussion on the Community Arch meeting where the point was raised that not every openedx installation can immediately change to the new operation under compatible domains with the LMS for cookie sharing.
Some related links:
https://openedx.atlassian.net/browse/ARCH-218
https://openedx.atlassian.net/browse/DEPR-6
Stakeholders
Sandbox (not installed yet)
LMS:
https://pr19845.sandbox.opencraft.hosting/Studio:
https://studio-pr19845.sandbox.opencraft.hosting/Settings