From aa60c80c85aadcc252668f9a575eee6c8d8b60e3 Mon Sep 17 00:00:00 2001 From: Leonid Bugaev Date: Thu, 31 Oct 2024 18:00:06 +0300 Subject: [PATCH] Merging to release-5.3: [TT-11426/TT-13322]add deprecation notice for oidc middleware (#6686) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [TT-11426/TT-13322]add deprecation notice for oidc middleware (#6686) ### **User description**
TT-13322
Summary Add warning message in GW logs, schema and go docs
Type Sub-task Sub-task
Status In Dev
Points N/A
Labels QA_Fail
--- ## Description ## Related Issue Parent: https://tyktech.atlassian.net/browse/TT-11426 Subtask: https://tyktech.atlassian.net/browse/TT-13322 ## Motivation and Context ## How This Has Been Tested ## Screenshots (if appropriate) ## Types of changes - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) - [ ] Refactoring or add test (improvements in base code or adds test coverage to functionality) ## Checklist - [ ] I ensured that the documentation is up to date - [ ] I explained why this PR updates go.mod in detail with reasoning why it's required - [ ] I would like a code coverage CI quality gate exception and have explained why ___ ### **PR Type** documentation, enhancement ___ ### **Description** - Added deprecation notices for OpenID Connect middleware and OIDC authentication mode in code comments and documentation. - Introduced log warnings in the OpenID middleware to inform users of the deprecation. - Recommended using JSON Web Token (JWT) as an alternative to avoid disruptions. ___ ### **Changes walkthrough** 📝
Relevant files
Documentation
api_definitions.go
Add deprecation notice for OpenID Connect middleware         

apidef/api_definitions.go
  • Added deprecation notice for OpenID Connect middleware.
  • Recommended using JSON Web Token (JWT) instead.
  • +3/-0     
    authentication.go
    Add deprecation notice for OIDC authentication mode           

    apidef/oas/authentication.go
  • Added deprecation notice for OIDC authentication mode.
  • Recommended using JSON Web Token (JWT) instead.
  • +3/-0     
    x-tyk-api-gateway.json
    Add deprecation notice for external OAuth Middleware         

    apidef/oas/schema/x-tyk-api-gateway.json
  • Added deprecation notice for external OAuth Middleware.
  • Recommended using JSON Web Token (JWT) instead.
  • +1/-0     
    Enhancement
    mw_openid.go
    Add log warning for deprecated OpenID Connect Middleware 

    gateway/mw_openid.go
  • Added log warning for deprecated OpenID Connect Middleware.
  • Recommended using JSON Web Token (JWT) instead.
  • +4/-0     
    ___ > 💡 **PR-Agent usage**: Comment `/help "your question"` on any pull request to receive relevant information
---
 apidef/api_definitions.go | 3 +++
 apidef/oas/authentication.go | 3 +++
 apidef/oas/schema/x-tyk-api-gateway.json | 1 +
 gateway/mw_openid.go | 4 ++++
 4 files changed, 11 insertions(+)
diff --git a/apidef/api_definitions.go b/apidef/api_definitions.go
index f7c4248268c..b3dbc1601df 100644
--- a/apidef/api_definitions.go
+++ b/apidef/api_definitions.go
@@ -562,6 +562,9 @@ type OIDProviderConfig struct {
 ClientIDs map[string]string `bson:"client_ids" json:"client_ids"`
 }

+// OpenID Connect middleware support will be deprecated starting from 5.7.0.
+// To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead,
+// as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/.
 type OpenIDOptions struct {
 Providers []OIDProviderConfig `bson:"providers" json:"providers"`
 SegregateByClient bool `bson:"segregate_by_client" json:"segregate_by_client"`
diff --git a/apidef/oas/authentication.go b/apidef/oas/authentication.go
index 98e0558cf3e..af70158b90f 100644
--- a/apidef/oas/authentication.go
+++ b/apidef/oas/authentication.go
@@ -495,6 +495,9 @@ func (h *HMAC) ExtractTo(api *apidef.APIDefinition) {
 }

 // OIDC contains configuration for the OIDC authentication mode.
+// OIDC support will be deprecated starting from 5.7.0.
+// To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead,
+// as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/.
 type OIDC struct {
 // Enabled activates the OIDC authentication mode.
 //
diff --git a/apidef/oas/schema/x-tyk-api-gateway.json b/apidef/oas/schema/x-tyk-api-gateway.json
index f51dbfb7fb1..2c7f5ae314c 100644
--- a/apidef/oas/schema/x-tyk-api-gateway.json
+++ b/apidef/oas/schema/x-tyk-api-gateway.json
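Review bot: The notice added above `type OpenIDOptions struct` is free-form comment text and does not start with the type name, so Go tooling will not surface it as a deprecation to anyone still configuring this authentication mode; the same applies to the lines appended to the `OIDC` comment in apidef/oas/authentication.go. Because the text only announces deprecation from 5.7.0, a `Deprecated:` marker may be premature today if it would trip lint on in-tree users (not visible here). In that case open the comment with the type name, for example `// OpenIDOptions holds the OpenID Connect middleware options.`, and keep the notice as its own paragraph after a bare `//` line. Once the deprecation takes effect, that paragraph can become `// Deprecated: use JSON Web Token (JWT) authentication instead.` so editors and linters flag remaining uses. Both struct bodies continue outside their hunks.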
@@ -1084,6 +1084,7 @@
 },
 "X-Tyk-OIDC": {
 "type": "object",
+ "description": "Support for external OAuth Middleware will be deprecated starting from 5.7.0. To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead, as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/",
 "properties": {
 "enabled": {
 "type": "boolean"
diff --git a/gateway/mw_openid.go b/gateway/mw_openid.go
index 40c08949297..de936f92d67 100644
--- a/gateway/mw_openid.go
+++ b/gateway/mw_openid.go
@@ -31,6 +31,10 @@ func (k *OpenIDMW) Name() string {
 }

 func (k *OpenIDMW) EnabledForSpec() bool {
+ if k.Spec.UseOpenID {
+ log.Warn("Support for OpenID Connect Middleware will be deprecated starting from 5.7.0. To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead, as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/")
+ }
+
 return k.Spec.UseOpenID
 }
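Review bot: The description added to `X-Tyk-OIDC` announces the deprecation of "external OAuth Middleware", but the object it is attached to, the linked documentation page and the other three notices in this commit all refer to OpenID Connect, so this looks like a copy-paste slip. Someone reading the schema to decide which authentication mode to migrate away from could be pointed at the wrong one. Replacing `external OAuth Middleware` with `OpenID Connect Middleware` in that string would match the log message in gateway/mw_openid.go. The `X-Tyk-OIDC` object continues outside the hunk.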
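Review bot: The warning added to `EnabledForSpec` does not say which API definition still has `UseOpenID` set, and it is emitted from a predicate, so it is logged on every call to the enabled check (presumably on each API load or reload; the caller is not visible here). For an authentication mode that is being retired, operators need to tie the log line to a specific API in order to plan the move to JWT. Consider adding the API's identity from `k.Spec` as a structured field, for example `log.WithField("api_id", k.Spec.APIID).Warn(...)`, assuming `log` is the logrus logger and the spec exposes its ID the way the rest of the gateway does. Emitting the notice from the middleware's one-time setup path instead would also keep `EnabledForSpec` free of side effects.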