Remove Persona (browserid) auth plugin by Nov 2016, because Mozilla is ending Persona support
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Medium | Aaron Wells |
15.04 | Fix Released | Medium | Unassigned |
15.10 | Fix Released | Medium | Unassigned |
16.04 | Fix Released | Medium | Unassigned |
Bug Description
Mozilla has recently announced that they're ending support for the Persona authentication service, in November 2016: https:/
Mahara has long shipped with a Persona (formerly "Browserid") auth plugin. We'll need to remove this plugin from the 16.10 release, and come up with a way to help existing sites migrate their users away from Persona.
We should also consider how to help out the stable release sites in migrating users away from Persona. The Nov 2016 shutdown will be very close to the 16.10 release date, so asking sites to upgrade to 16.10 to use any migration tool will be fairly demanding, particularly since 15.04 will still be covered by its extended support lifetime. So for 15.04, 15.10, and 16.04 sites, an optional Persona migration plugin is probably the best option. That way the functionality will be available to sites that need it, without shipping new features in minor upgrades.
summary: |
- Remove Persona (browserid) auth plugin, because Mozilla is ending - Persona support + Remove Persona (browserid) auth plugin by Nov 2016, because Mozilla is + ending Persona support |
Changed in mahara: | |
status: | Confirmed → In Progress |
assignee: | nobody → Aaron Wells (u-aaronw) |
Changed in mahara: | |
status: | Fix Committed → Fix Released |
Obviously we can just tell admins to switch Persona users to another auth method, but that means the users will need a new password. And we don't currently have a graceful way to prompt them for one in a situation like this. The existing "force password change on next login" functionality won't work, because it requires you to successfully log in first, and once a user is switched away from the Persona auth method, they will no longer be able to log in (particularly so once the Persona service is shut down).
An ideal way to handle it might be:
1. Allow the Persona auth method to have a "parent" auth method.
2. Before the Nov 2016 shutdown, flag the Persona users so that after their next successful Persona login, we tell them about the switch, force them to enter a password for the new parent auth method (if it has one), and then switch them over to the new auth method.
3. After the Nov 2016 shutdown, clicking on the "Persona" link in the login box instead takes you to a screen that tells you about the switch, and sends you to the "forgot password" page to reset the password for your new auth method.
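The three-step flow proposed above, modelled as an added example that is not Mahara's code and not part of the original comment. All names (`AuthMethod`, `User`, `migrate_flag`, the returned screen labels) and the exact `SHUTDOWN` instant are assumptions made for illustration; the point it shows is that the auth-method switch must happen only after the user holds a usable credential.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Placeholder cut-over instant: the bug report only says "Nov 2016".
SHUTDOWN = datetime(2016, 11, 30, tzinfo=timezone.utc)

@dataclass
class AuthMethod:
    name: str
    needs_password: bool                  # False for e.g. an SSO parent
    parent: Optional["AuthMethod"] = None  # step 1: Persona gets a parent

@dataclass
class User:
    auth: AuthMethod
    migrate_flag: bool = False            # step 2: set before the shutdown
    password: Optional[str] = None        # a real system stores a salted hash

def persona_link(now: datetime) -> str:
    """Step 3: after shutdown the Persona link never starts a Persona login."""
    return "persona_login" if now < SHUTDOWN else "notice_then_forgot_password"

def after_persona_success(user: User) -> str:
    """Step 2: runs only after a verified Persona login."""
    parent = user.auth.parent
    if user.auth.name != "persona" or not user.migrate_flag or parent is None:
        return "logged_in"
    return "notice_then_set_password" if parent.needs_password else "notice_then_switch"

def complete_migration(user: User, new_password: Optional[str] = None) -> bool:
    """Switch to the parent only once the user holds a usable credential."""
    parent = user.auth.parent
    if user.auth.name != "persona" or parent is None:
        return False
    if parent.needs_password:
        if not new_password:
            return False                  # switching now would lock the user out
        user.password = new_password
    user.auth, user.migrate_flag = parent, False
    return True

def can_password_login(user: User, attempt: str) -> bool:
    """Why 'force password change on next login' fails after a bare switch."""
    if not user.auth.needs_password or user.password is None:
        return False
    return hmac.compare_digest(attempt.encode(), user.password.encode())
```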