Deprecation of legacy OIDC and Authz-server


Thijs Kinkhorst

Sep 18, 2020, 11:00:06 AM
to OpenConext Community
Hi all,

Last year we decided to build a new OIDC gateway for the OpenConext
platform. For background on the choice, see this posting:
https://groups.google.com/g/openconext/c/cP207uIxHKI
This is the component known as "OIDC-NG".

We've now migrated all our clients successfully and without issues to the
OIDC-NG gateway.

Given that the main reason for developing the new gateway was
maintainability problems with the old codebase, and of course to reduce
complexity and spend our time efficiently, we (SURF) will no longer
support the old gateway. Our intention is to clean up references and
facilities for the old codebase and to archive the GitHub repository. If
there are any concerns from the community, we'd be glad to hear them so we
can see how to deal with these most effectively.

If you still have the old gateway in use and you'd like some
documentation on migration strategies, we'd be happy to put some pointers
online.


At the same time, we're also considering deprecating the authz-server
OAuth authorization server (and the corresponding components authz-admin and
authz-playground). This server can be used to authorize access to the VOOT
groups API. However, OIDC-NG issues tokens that can be used for the same
purpose (also, we've seen quite a few SPs move to attribute aggregation as
their source of VOOT group information). Again, in an effort to reduce the
number of code bases, we'd like to discontinue these components.

Migration of clients to use OIDC-NG instead of authz-server usually means
just creating a new client in Manage (instead of the separate authz-admin
interface, also a win in our opinion), changing some URLs, and updating the client
secret in said client. This is also something that is needed for internal
clients that use VOOT (Teams, PDP and Attribute Aggregation). We will make
these URLs configurable via OpenConext-deploy so they can be changed
easily if you make use of them.

We can of course help if there's demand for a migration guide for clients,
or if there are aspects that you're using that are problematic in the new
setup. Please let us know.
Kind regards,
Thijs