mahara-contributors team mailing list archive

Thread
Date

[Bug 1533377] Re: Remove Persona (browserid) auth plugin by Nov 2016, because Mozilla is ending Persona support

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Aaron Wells <1533377@xxxxxxxxxxxxxxxxxx>
Date: Mon, 08 Aug 2016 01:21:03 -0000
Reply-to: Bug 1533377 <1533377@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Okay, it's coming up on the 16.10 release, and it looks like no
particular service is taking over for Mozilla Persona, so we'll need to
go ahead with our plans to decommission the plugin. I think probably the
best use of our current resources is to do a minimal implementation that
moves all the users over to Internal auth. It would look something like
this:

1. On the Browserid extension config page, we add a button that
initiates the migration

2. It deletes any browserid auth instances that have no users.

3. For the other browserid auth instances, it sets the "no current
password" flag on their user record (which is '*' in the usr.password
and usr.salt fields), and reassigns them to their institution's internal
auth instance. If their institution doesn't have an internal auth
instance, it creates one.

These users can then use the "Forgot password" page to request a new
internal auth password. The site admin can instruct them to do this by
manually sending out an email or updating the logged-out homepage.

Or I guess an even more minimal implementation would be to just tell
affected site admins to migrate the users to a different auth instance
manually.

--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1533377

Title:
Remove Persona (browserid) auth plugin by Nov 2016, because Mozilla is
ending Persona support

Status in Mahara:
Confirmed

Bug description:
Mozilla has recently announced that they're ending support for the
Persona authentication service, in November 2016.:
https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers

Mahara has long shipped with a Persona (formerly "Browserid") auth
plugin. We'll need to remove this plugin from the 16.10 release, and
come up with a way to help existing sites migrate their users away
from Persona.

We should also consider how to help out the stable release sites in
migrating users away from Persona. The Nov 2016 shutdown will be very
close to the 16.10 release date, so asking sites to upgrade to 16.10
to use any migration tool will be fairly demanding, particularly since
15.04 will still be covered by its extended support lifetime. So for
15.04, 15.10, and 16.04 sites, an optional Persona migration plugin is
probably the best option. That way the functionality will be available
to sites that need it, without shipping new features in minor
upgrades.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1533377/+subscriptions

References

[Bug 1533377] [NEW] Remove Persona (browserid) auth plugin by Nov 2016, because Mozilla is ending Persona support
From: Aaron Wells, 2016-01-12