UAA-Release v79+ Breaking Changes Planning

[peterhaochen47]

In consideration for v79

• remove support for HS256 JWT signing algorithm
• removal of already-deprecated SAML IDP configs:
  • config.socketFactoryClassName
  • config.samlConfig.certificate
  • config.samlConfig.privateKey
  • config.samlConfig.privateKeyPassword
  • config.links.logout.disableRedirectParameter

Done for v77

• Feature removal: UAA functions as a SAML IDP
  • Deprecation notice: Published in README.
  • Progress: Remove SAML IDP feature uaa#2638
• Feature removal: New Relic integration
  • Deprecation notice: None but asked around.
  • Progress: remove: new relic #760
• Feature removal: UAA native MFA
  • Deprecation notice: Published in README.
  • Progress: Remove: deprecated native MFA feature uaa#2717 and remove: configs for deprecated MFA feature #784

Other candidates

• removal: user_token grant
  • discussion here: Fix/user token uaa#2193
• removal: password, implicit_grant
  • Deprecation notice: Published on UAA API docs.
• removal of the already-deprecated Introspect Token endpoint's "Authorization header = Basic authentication" option
  • Deprecation notice: Published on UAA API docs.
• removal of The /check_token endpoint
  • Deprecation notice: Published on UAA API docs.
• remove k8s related support
• remove option to use empty string as client secret
• formal removal of MySQL 5 support (flyway upgrade)
• fix introspect (maybe create a v2 endpoint but deprecate the old one)
  • introspect endpoint don't follow rfc7662 uaa#1229
• change uaa.jwt.refresh.format's default from jwt to opaque: Combination of the default values of uaa.jwt.refresh.format (jwt) and uaa.jwt.revocable (false) results in spec-non-compliance #813
• defaulting uaa.client.redirect_uri.matching_mode to “exact”, which would become mandatory in OAuth 2.1

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/186790434

The labels on this github issue will be updated when the story is started.

[strehle]

@peterhaochen47 is there a plan, when you will release v77 ?

[peterhaochen47]

@strehle, on our side, the only outstanding item is the MFA feature removal, which is underway (ETA = a few days). Your colleagues said in our last OSS sync that your team had no outstanding item for v77 but was also not in urgent need to release, is that accurate?

[strehle]

Your colleagues said in our last OSS sync that your team had no outstanding item for v77 but was also not in urgent need to release, is that accurate?

No urgency, correct but after 3 weeks now I simply would think about a release simply that we have CI into cf-deployment
So after next sync on Thursday I suggest we release. MFA removal is ok, I assume it should be less effort than SAML IDP.