PulseGuardian auth changing (slightly)

[mc...@mozilla.com]

I've nearly wrapped up work moving PulseGuardian's Auth0 implementation to infosec's suggested hosted-lock solution, similar to many other apps. This should be almost transparent to users, but please let me know if you experience any problems. This will likely be deployed late next week; I'll post a follow-up here after it's live.

[mc...@mozilla.com]

On Wednesday, 26 July 2017 19:24:54 UTC-4, mc...@mozilla.com wrote:
> I've nearly wrapped up work moving PulseGuardian's Auth0 implementation to infosec's suggested hosted-lock solution, similar to many other apps. This should be almost transparent to users, but please let me know if you experience any problems. This will likely be deployed late next week; I'll post a follow-up here after it's live.

I've hit some snags deploying the changes this morning. I am currently working through them with infosec but will roll back if we can't resolve them within the next hour or so. Please ping me in #pulse if you really need to use the web interface during that time.

Note that the worker actions (sending warnings and deleting queues) are proceeding as normal, as the changes only affected the web app.

[mc...@mozilla.com]

I've been unable to get this working, but we have a couple ideas. I've rolled back for now and will test more at a future time.

[mc...@mozilla.com]

Turns out that we had a bad client secret that didn't work with OIDC. This has been fixed, and the new auth code appears to be working fine. Please let me know if anyone has issues logging in.

Also with this and one slight CSP change, PulseGuardian now has an A+ rating on the HTTP Observatory. \o/

Mark