Remove Persona (browserid) auth plugin by Nov 2016, because Mozilla is ending Persona support

Bug #1533377 reported by Aaron Wells on 2016-01-12
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Medium
Aaron Wells
15.04
Medium
Unassigned
15.10
Medium
Unassigned
16.04
Medium
Unassigned

Bug Description

Mozilla has recently announced that they're ending support for the Persona authentication service, in November 2016.: https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers

Mahara has long shipped with a Persona (formerly "Browserid") auth plugin. We'll need to remove this plugin from the 16.10 release, and come up with a way to help existing sites migrate their users away from Persona.

We should also consider how to help out the stable release sites in migrating users away from Persona. The Nov 2016 shutdown will be very close to the 16.10 release date, so asking sites to upgrade to 16.10 to use any migration tool will be fairly demanding, particularly since 15.04 will still be covered by its extended support lifetime. So for 15.04, 15.10, and 16.04 sites, an optional Persona migration plugin is probably the best option. That way the functionality will be available to sites that need it, without shipping new features in minor upgrades.

Aaron Wells (u-aaronw) on 2016-01-12
summary: - Remove Persona (browserid) auth plugin, because Mozilla is ending
- Persona support
+ Remove Persona (browserid) auth plugin by Nov 2016, because Mozilla is
+ ending Persona support
Aaron Wells (u-aaronw) wrote :

Obviously we can just tell admins to switch Persona users to another auth method, but that means the users will need a new password. And we don't currently have a graceful way to prompt them for one in a situation like this. The existing "force password change on next login" functionality won't work, because it requires you to successfully log in first, and once a user is switched away from the Persona auth method, they will no longer be able to log in (particularly so once the Persona service is shut down).

An ideal way to handle it might be:

1. Allow the Persona auth method to have a "parent" auth method.

2. Before the Nov 2016 shutdown, flag the Persona users so that after their next successful Persona login, we tell them about the switch, force them to enter a password for the new parent auth method (if it has one), and then switch them over to the new auth method.

3. After the Nov 2016 shutdown, clicking on the "Persona" link in the login box instead takes you to a screen that tells you about the switch, and sends you to the "forgot password" page to reset the password for your new auth method.

Aaron Wells (u-aaronw) wrote :

Setting this to "Medium" priority for now, because it doesn't need to be tackled until the 16.10 release.

Changed in mahara:
milestone: none → 16.10.0
status: New → Confirmed

We already have the mechanism that when you remove a user with external auth to "No institution", they do get an email with their internal Mahara username and a link to reset their password. If we extended that to work for any auth change away from the external auth no matter whether you are being removed from the institution or not might work better and be more generic.

We decided in the 50th developer meeting (http://meetbot.mahara.org/mahara-dev/2016/mahara-dev.2016-02-02-07.34.log.html#l-350 ) to wait a couple of months to see if there are any others progressing with solutions. In the meantime, we are going to disable Persona auth per default in 16.04. See bug #1541173.

Aaron Wells (u-aaronw) wrote :

It looks like PassportJS is actually a general-purpose authentication middleware library, implemented in NodeJS. Much like Mahara's Auth plugin system, PassportJS lets you install plugins (called "strategies") to authentication with different sources that might be a specific site like Facebook, or a generic protocol like SAML; and then the NodeJS application developer can authenticate using a simple and consistent PassportJS API instead of having to write a specific handler for that auth method.

Unfortunately, it's not directly applicable to us in Mahara, because it's written in NodeJS not PHP. We do use NodeJS for compiling our CSS now (via gulp), but that's command-line Node scripts only during the build stage, whereas this is using Node as part of your web application.

Also unfortunately, because PassportJS is so flexible, it doesn't tell us much about what specific authentication providers they're going to replace Persona with, or how they're going to go about migrating users to them. But maybe we'll see some specifics on that if we keep watching.

Aaron Wells (u-aaronw) wrote :

Okay, it's coming up on the 16.10 release, and it looks like no particular service is taking over for Mozilla Persona, so we'll need to go ahead with our plans to decommission the plugin. I think probably the best use of our current resources is to do a minimal implementation that moves all the users over to Internal auth. It would look something like this:

1. On the Browserid extension config page, we add a button that initiates the migration

2. It deletes any browserid auth instances that have no users.

3. For the other browserid auth instances, it sets the "no current password" flag on their user record (which is '*' in the usr.password and usr.salt fields), and reassigns them to their institution's internal auth instance. If their institution doesn't have an internal auth instance, it creates one.

These users can then use the "Forgot password" page to request a new internal auth password. The site admin can instruct them to do this by manually sending out an email or updating the logged-out homepage.

Or I guess an even more minimal implementation would be to just tell affected site admins to migrate the users to a different auth instance manually.

Reviewed: https://reviews.mahara.org/7045
Committed: https://git.mahara.org/mahara/mahara/commit/cfef0ff90ec3d8ef2fb714e4c0b649bd72255589
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit cfef0ff90ec3d8ef2fb714e4c0b649bd72255589
Author: Aaron Wells <email address hidden>
Date: Tue Sep 27 01:47:03 2016 +1300

Bug 1533377: Browserid end-of-life migration script

This patch removes all authentication functionality
from the browserid auth plugin. It adds a script,
accessible through the plugin's configuration page,
to migrate user accounts from browserid to
internal auth.

Also includes changes to allow users to be searched
by authtype, and to prevent non-useable plugins
from being enabled on the plugin config page.

Change-Id: I4e8bd9fc4d2fb2ccaa1845fda533c9373ec251bd
behatnotneeded: Can't test with behat

Aaron Wells (u-aaronw) on 2016-09-27
Changed in mahara:
status: Confirmed → In Progress
assignee: nobody → Aaron Wells (u-aaronw)

Reviewed: https://reviews.mahara.org/7048
Committed: https://git.mahara.org/mahara/mahara/commit/8ffe7776e9c6f0572203ca1d68294be4cabf276e
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 8ffe7776e9c6f0572203ca1d68294be4cabf276e
Author: Aaron Wells <email address hidden>
Date: Tue Sep 27 01:47:03 2016 +1300

Bug 1533377: Browserid end-of-life migration script

This patch removes all authentication functionality
from the browserid auth plugin. It adds a script,
accessible through the plugin's configuration page,
to migrate user accounts from browserid to
internal auth.

Also includes changes to allow users to be searched
by authtype, and to prevent non-useable plugins
from being enabled on the plugin config page.

Change-Id: I4e8bd9fc4d2fb2ccaa1845fda533c9373ec251bd
behatnotneeded: Can't test with behat
(cherry picked from commit cfef0ff90ec3d8ef2fb714e4c0b649bd72255589)

This functionality will need to be backported to the older versions of Mahara. If this is too big a change to include in a minor point release, we should provide the patches as people on supported versions would need to move away from Persona as well.

Changed in mahara:
status: In Progress → Fix Committed
Mahara Bot (dev-mahara) wrote :

Patch for "15.10_STABLE" branch: https://reviews.mahara.org/7178

Mahara Bot (dev-mahara) wrote :

Patch for "16.04_STABLE" branch: https://reviews.mahara.org/7179

Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
status: Fix Committed → Fix Released

Reviewed: https://reviews.mahara.org/7178
Committed: https://git.mahara.org/mahara/mahara/commit/65261b076046d8ebb32f8b7923ece473a0686f9a
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit 65261b076046d8ebb32f8b7923ece473a0686f9a
Author: Aaron Wells <email address hidden>
Date: Tue Sep 27 01:47:03 2016 +1300

Bug 1533377: Browserid end-of-life migration script

This patch removes all authentication functionality
from the browserid auth plugin. It adds a script,
accessible through the plugin's configuration page,
to migrate user accounts from browserid to
internal auth.

Also includes changes to allow users to be searched
by authtype, and to prevent non-useable plugins
from being enabled on the plugin config page.

Change-Id: I4e8bd9fc4d2fb2ccaa1845fda533c9373ec251bd
behatnotneeded: Can't test with behat
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/7177
Committed: https://git.mahara.org/mahara/mahara/commit/921bfa492962483264ebc5e4b993026f8750d7a8
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 921bfa492962483264ebc5e4b993026f8750d7a8
Author: Aaron Wells <email address hidden>
Date: Tue Sep 27 01:47:03 2016 +1300

Bug 1533377: Browserid end-of-life migration script

This patch removes all authentication functionality
from the browserid auth plugin. It adds a script,
accessible through the plugin's configuration page,
to migrate user accounts from browserid to
internal auth.

Also includes changes to allow users to be searched
by authtype, and to prevent non-useable plugins
from being enabled on the plugin config page.

Change-Id: I4e8bd9fc4d2fb2ccaa1845fda533c9373ec251bd
behatnotneeded: Can't test with behat
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/7179
Committed: https://git.mahara.org/mahara/mahara/commit/33275769e252a3113ce603427286d01ff0de9858
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 33275769e252a3113ce603427286d01ff0de9858
Author: Aaron Wells <email address hidden>
Date: Tue Sep 27 01:47:03 2016 +1300

Bug 1533377: Browserid end-of-life migration script

This patch removes all authentication functionality
from the browserid auth plugin. It adds a script,
accessible through the plugin's configuration page,
to migrate user accounts from browserid to
internal auth.

Also includes changes to allow users to be searched
by authtype, and to prevent non-useable plugins
from being enabled on the plugin config page.

Change-Id: I4e8bd9fc4d2fb2ccaa1845fda533c9373ec251bd
behatnotneeded: Can't test with behat

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers