feat: Add JwtAuthentication as a default DRF auth class.

[feanil]

By default DRF sets 'DEFAULT_AUTHENTICATION_CLASSES' to:

[
    'rest_framework.authentication.SessionAuthentication',
    'rest_framework.authentication.BasicAuthentication'
]

We also want to allow for JWT Authentication as a valid default auth
choice. This will allow users to send JWT tokens in the authorization
header to any existing API endpoints and access them. If any APIs have
set custom authentication classes, this will not override that.

I believe this is a fairly safe change to make since it only adds one
authentication class and does not impact authorization of any of the
endpoints that might be affected.

[robrap]

Thanks. Some thoughts...

[robrap]

Also, there is cms.

[feanil]

@robrap yea, this is indeed blocked on the forgiving JWT auth, because without it we will have auth failures where the JWT is not provided. It took going through this exercise to see that unfortunately, sorry for the ping. Without the JWTAuthentication class behaving like DRF expects, it's hard to move forward on this so I'm gonna focus back on that.

[robrap]

@robrap yea, this is indeed blocked on the forgiving JWT auth, because without it we will have auth failures where the JWT is not provided.

UPDATED: when the JWT is not provided, it should just move on to the next authentication class. If an invalid JWT is provided, it would fail and not try any other means.

Did you actually see this cause a problem, and if so, can you explain where? Note that the JWT Cookie doesn’t become a single cookie (it starts as two) unless the special header is supplied which only the MFEs supply.

[feanil]

Still digging further but pytest openedx/core/djangoapps/embargo/tests/test_views.py::CheckCourseAccessViewTest::test_course_access_endpoint_with_logged_out_user is the failing test here and it looks to be failing because it's getting a 401 instead of a 403, which it looks like is happening because of an exception somewhere in the auth chain. I haven't figured out exactly what yet though.

[robrap]

Still digging further but pytest openedx/core/djangoapps/embargo/tests/test_views.py::CheckCourseAccessViewTest::test_course_access_endpoint_with_logged_out_user is the failing test here and it looks to be failing because it's getting a 401 instead of a 403

What’s interesting is that for a logged out user (from the name of the test), a 401 seems more correct, right? We should still probably understand why this is changing the response.

[robrap]

@feanil: What I discovered is that with or without this change, we are getting rest_framework.exceptions.NotAuthenticated. The problem is in the exception handler here:
https://github.com/encode/django-rest-framework/blob/56946fac8f29aa44ce84391f138d63c4c8a2a285/rest_framework/views.py#L456C3-L456C3

When including JwtAuthentication, the auth_header becomes 'JWT realm="api"'. Without it, it is None. We'll need to discuss. This is not ideal, because I feel like we might have code that acts differently for 401s and 403s.

Even the forgiving JWT cookie code won't fix this. We'll need to discuss.

[robrap]

@feanil: More thoughts on my previous comment.

• I found https://github.com/encode/django-rest-framework/blob/master/docs/api-guide/authentication.md#unauthorized-and-forbidden-responses, which explains the 401 vs 403 code I found.
• We'll just need to live with the change (i.e. update the unit test), and I'll just need to ensure nothing breaks on edx.org.
• Because this is mostly just a setting change, are you ok if I work on deploying/testing on edx.org in advance of merging this?
  • The only delay on this is if I move these errors from ignored to expected in New Relic for better visibility. I haven't decided if I want to block on that. Does that seem pointless? Should I just track 4XX to ensure nothing gets out of hand?

[robrap]

@feanil: Here is my updated plan:

1. Trying to deploy this change on edx.org in Stage today.
2. Hoping to deploy to Prod on Tuesday.

[feanil]

@robrap this seems fine to me but what setting are you changing?

[robrap]

@robrap this seems fine to me but what setting are you changing?

@feanil: I am adding the following as temp commits to edx-internal:

  DEFAULT_AUTHENTICATION_CLASSES: [
    'edx_rest_framework_extensions.auth.jwt.authentication.JwtAuthentication',
    'rest_framework.authentication.SessionAuthentication',
    'rest_framework.authentication.BasicAuthentication',
  ]

I will back them out once they are tested and we land the defaults in edx-platform in this PR. Does that make sense?

[feanil]

Gotcha, sounds good to me.

[robrap]

[request] @feanil:

1. Please fix the failed test. Let's make sure that there aren't other failures.
2. Can you edit the title to include "LMS" and create another PR for "CMS" to ensure no tests break there?

[feanil]

1. Please fix the failed test. Let's make sure that there aren't other failures.

Done, added as a new commit.

2. Can you edit the title to include "LMS" and create another PR for "CMS" to ensure no tests break there?

This is not needed because cms/envs/common.py imports the DRF defaults from the LMS so this change actually updates the defaults for both.

Reference: https://github.com/openedx/edx-platform/blob/master/cms/envs/common.py#L73

[robrap]

@feanil: Looks like there are more failures, but hopefully they are all for 403 => 401.

[feanil]

@robrap looks like they are, I'll keep stomping at them, until this is green.

[robrap]

@feanil: Mostly copied from Slack so it doesn't get lost. Are you planning on following up on this?

1. Regarding AuthN MFE:

• I see an error related to 401 and CSRF after loading the page (see below). The same error appears, in addition to other CSRF failures, when I try logging in as [email protected].
• I do not see these errors on edx.org.
• I don't know if these errors are a red herring, or related to why I can't log in to the sandbox.
• Additionally, the 403 specific code in the MFE may still be important to fix for proper error handling, but I agree that at first glance, it doesn't seem like it would cause a failed login: https://github.com/search?q=repo%3Aopenedx%2Ffrontend-app-authn+403&type=code
• Error: Uncaught (in promise)
  {
  "customAttributes": {
  "httpErrorType": "api-response-error",
  "httpErrorStatus": 401,
  "httpErrorResponseData": "{"detail":"Invalid username/password."}",
  "httpErrorRequestUrl": "https://robrap.sandbox.edx.org/csrf/api/v1/token",
  "httpErrorRequestMethod": "get"
  },
  "message": "Axios Error (Response): 401 - See custom attributes for details."
  }

2. Potential known issues for Mobile:

• Mobile team wrote: "We are using 403 returned from the API /oauth2/exchange_access_token/{backend}/ and the status (403) means user is disabled. {backend}: Apple/Google/Microsoft/Facebook.
• I did not look into whether this endpoint would be affected or not. If it would, we could override.

[robrap]

@feanil: I've also documented the observability enhancement idea in #32899, because it might result in a separate PR that could merge sooner.

[robrap]

I'm keeping this as a Draft until I land my testing. I'm hoping it won't be long.

[robrap]

@feanil: I am copying this info from elsewhere. I also added some notes from edx.org monitoring which help me feel more confident that this is unlikely to cause problems.

Consider adding a backward incompatible note to the commit comment and using feat!:.

See potential comments:

BREAKING CHANGE: For any affected endpoint that also required the user to be authenticated, the endpoint will now return a 401 in place of a 403 when the user is not authenticated.

• See these DRF docs for a deeper explanation about why this changes.
• Here is an example endpoint that does not override defaults and checks for IsAuthenticated.

Generally speaking, this is should not be a problem.

• An issue would appear only if the caller of the endpoint is specifically handling 403s in a way that would be missed for 401s.

Note: On edx.org, the only endpoints using the default authentication classes that also had 403 responses were the following:

• /api/embargo/v1/course_access/
• /api/notifications/count/
• /api/notifications/enrollments/
• /courses/yt_video_metadata

[robrap]

@feanil: I just discovered we will possibly be breaking docstrings as well. Here is one example of a docstring for NotificationCountView that would need to be updated.

Based on monitoring, I've found 37 views that will be affected by this change:

WebTransaction/Function/openedx.core.djangoapps.notifications.views:NotificationCountView.get
WebTransaction/Function/csrf.api.v1.views:CsrfTokenView.get
WebTransaction/Function/openedx.core.djangoapps.user_authn.api.views:MFEContextView.get
WebTransaction/Function/lms.djangoapps.courseware.views.views:yt_video_metadata.get
WebTransaction/Function/openedx.core.djangoapps.user_api.views:CountryTimeZoneListView.get
WebTransaction/Function/openedx.core.djangoapps.embargo.views:CheckCourseAccessView.get
WebTransaction/Function/openedx.core.djangoapps.user_authn.views.password_reset:LogistrationPasswordResetView.post
WebTransaction/Function/openedx.core.djangoapps.user_authn.views.password_reset:PasswordResetTokenValidation.post
WebTransaction/Function/openedx.core.djangoapps.notifications.views:CourseEnrollmentListView.get
WebTransaction/Function/lms.djangoapps.mfe_config_api.views:MFEConfigView.get
WebTransaction/Function/lms.djangoapps.support.views.manage_user:ManageUserDetailView.get
WebTransaction/Function/lms.djangoapps.support.views.enrollments:EnrollmentSupportListView.get
WebTransaction/Function/lms.djangoapps.support.views.sso_records:SsoView.get
WebTransaction/Function/lms.djangoapps.support.views.onboarding_status:OnboardingView.get
WebTransaction/Function/enterprise.heartbeat.views:heartbeat.get
WebTransaction/Function/lms.djangoapps.course_home_api.outline.views:unsubscribe_from_course_goal_by_token.post
WebTransaction/Function/lms.djangoapps.support.views.program_enrollments:SAMLProvidersWithOrg.get
WebTransaction/Function/drf_yasg.views:get_schema_view.<locals>.SchemaView.get
WebTransaction/Function/lms.djangoapps.verify_student.views:VerificationStatusAPIView.get
WebTransaction/Function/ai_aside.config_api.views:CourseSummaryConfigEnabledAPIView.get
WebTransaction/Function/ai_aside.config_api.views:CourseEnabledAPIView.get
WebTransaction/Function/enterprise.api.v1.views.plotly_auth:PlotlyAuthView.get
WebTransaction/Function/ai_aside.config_api.views:CourseEnabledAPIView.post
WebTransaction/Function/lms.djangoapps.support.views.enrollments:EnrollmentSupportListView.patch
WebTransaction/Function/edx_proctoring.views:AnonymousReviewCallback.post
WebTransaction/Function/lms.djangoapps.support.views.enrollments:EnrollmentSupportListView.post
WebTransaction/Function/openedx.core.djangoapps.notifications.views:NotificationListAPIView.get
WebTransaction/Function/openedx.core.djangoapps.notifications.views:UserNotificationPreferenceView.patch
WebTransaction/Function/lms.djangoapps.learner_recommendations.views:CrossProductRecommendationsView.get
WebTransaction/Function/integrated_channels.api.v1.moodle.views:MoodleConfigurationViewSet.update
WebTransaction/Function/ai_aside.config_api.views:CourseEnabledAPIView.delete
WebTransaction/Function/edx_recommendations.api.cross_product_recommendations:CrossProductRecommendationsView.get
WebTransaction/Function/rest_framework.routers:APIRootView.get
WebTransaction/Function/openedx.core.djangoapps.notifications.views:UserNotificationPreferenceView.get
WebTransaction/Function/enterprise.admin.views:CatalogQueryPreviewView.get
WebTransaction/Function/coaching.rest_api.v1.views:ConsentFormViewset.partial_update
WebTransaction/Function/openedx.core.djangoapps.notifications.views:MarkNotificationsSeenAPIView.put

[feanil]

Good point, thanks for realizing and running the query, I'm on PTO for the rest of this week but I'll update all those docstrings when I'm back next week. We should consider this PR blocked until that update is made.

[robrap]

We should consider this PR blocked until that update is made.

@feanil: The likely situation is that this PR will be blocked until I've rolled out forgiving JWTs and this change as overrides in edx.org. By that time, I imagine this PR will be ready to remove from Draft and merge.

[feanil]

@robrap I took a closer look at this and I don't think the docstrings need to change. Though there is a behavioral change. Because we set JWT Auth to be first in the list. If the user uses JWT auth to hit the endpoints, they'll get the correct behavior of 403 for permission denied and 401 for when they have failed to auth. But if they hit the endpoint with a session id cookie, to hit the same endpoint, they'll get a 401 now while they used to get a 403.

This is a change in behavior so we should make sure there are no adverse effects when you roll this out but in terms of docstrings, they are always going to be right/wrong depending on which auth type we're using. In my opinion, this seems like a shortcoming of DRF(I feel like it should be able to understand if you succeeded in authenticating independently from running into permission issues but it dosen't do that at the moment.)

I think the best course of action is to leave the docs as is because they convey the correct behavior for APIs using JWT auth which is what we're moving towards.

[robrap]

@feanil: It is indeed complicated.

1. If you provide no credentials, it will return a response based on the first authentication class. In this case, it will be JwtAuthentication and a 401.
2. If you provide invalid credentials, like a bad session token (which I think is the case you are referring to?), then that authentication class itself would fail, and in the case of SessionAuthentication, you would get a 403.
3. For other permission errors that are not authentication related, I think you just get a 403.

I am asking some teams to make error handling updates to respond to 401 or 403, which will be more resilient to this. Based on all of our findings, it seems the docs should really state "401 or 403", and not just 403, so people know how to appropriately handle errors. Thoughts?

[feanil]

So in all of my testing I was using valid tokens to actually check the permission issue, it sounds like there was a historic confusing issue where we used to say 403 for bad credentials which we no longer do and that could cause issues?

[robrap]

@feanil: I think we agreed offline that:

1. The switch from 403 to 401 only seems to affect the situation where no credentials are provided.
2. We don't think it is worth documenting this (docstrings, etc.) outside of the failing tests that were switched to 401.

Thus, there is nothing left to do except wait on my deployments and testing and I'll let you know when we are ready for this. Does that sound right?

[feanil]

@robrap that sounds right to me. Do you want to leave this PR in draft till then in-case we find there are more changes to make?

[robrap]

@feanil: Yes. Let's leave it in draft. I hope there will be no more issues, but this will ensure I complete testing this change in Prod on edx.org before we merge this.

[edx-pipeline-bot]

2U Release Notice: This PR has been deployed to the edX staging environment in preparation for a release to production.

[edx-pipeline-bot]

2U Release Notice: This PR has been deployed to the edX production environment.