mahara-contributors team mailing list archive

Thread
Date

[Bug 1533377] Re: Remove Persona (browserid) auth plugin by Nov 2016, because Mozilla is ending Persona support

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Aaron Wells <1533377@xxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Jan 2016 21:54:06 -0000
Reply-to: Bug 1533377 <1533377@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Obviously we can just tell admins to switch Persona users to another
auth method, but that means the users will need a new password. And we
don't currently have a graceful way to prompt them for one in a
situation like this. The existing "force password change on next login"
functionality won't work, because it requires you to successfully log in
first, and once a user is switched away from the Persona auth method,
they will no longer be able to log in (particularly so once the Persona
service is shut down).

An ideal way to handle it might be:

1. Allow the Persona auth method to have a "parent" auth method.

2. Before the Nov 2016 shutdown, flag the Persona users so that after
their next successful Persona login, we tell them about the switch,
force them to enter a password for the new parent auth method (if it has
one), and then switch them over to the new auth method.

3. After the Nov 2016 shutdown, clicking on the "Persona" link in the
login box instead takes you to a screen that tells you about the switch,
and sends you to the "forgot password" page to reset the password for
your new auth method.

--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1533377

Title:
Remove Persona (browserid) auth plugin by Nov 2016, because Mozilla is
ending Persona support

Status in Mahara:
Confirmed

Bug description:
Mozilla has recently announced that they're ending support for the
Persona authentication service, in November 2016.:
https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers

Mahara has long shipped with a Persona (formerly "Browserid") auth
plugin. We'll need to remove this plugin from the 16.10 release, and
come up with a way to help existing sites migrate their users away
from Persona.

We should also consider how to help out the stable release sites in
migrating users away from Persona. The Nov 2016 shutdown will be very
close to the 16.10 release date, so asking sites to upgrade to 16.10
to use any migration tool will be fairly demanding, particularly since
15.04 will still be covered by its extended support lifetime. So for
15.04, 15.10, and 16.04 sites, an optional Persona migration plugin is
probably the best option. That way the functionality will be available
to sites that need it, without shipping new features in minor
upgrades.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1533377/+subscriptions

References

[Bug 1533377] [NEW] Remove Persona (browserid) auth plugin by Nov 2016, because Mozilla is ending Persona support
From: Aaron Wells, 2016-01-12