Date
Attendees
- Craig McNally
- Jeremy Huff
- Maccabee Levine
- Jenn Colt
- Florian Gleixner
- Olamide Kolawole
- Zak Burke
- Taras Spashchenko
- Marc Johnson
- Jakub Skoczen
- Skott Klebe
Discussion items
Time | Item | Who | Notes |
---|---|---|---|
1 min | Scribe | All | Jakub Skoczen is next, followed by Taras Spashchenko |
5 min | TCR Board Review | All | |
5 min | Liaison Updates | | |
5 min | Technical Council Sub Groups Updates | All | |
5-10 min | Decision Log | All | |
1 min | RFCs | All | |
1 min | Things Folio can do better | All | See slack post from Tom Cramer. Questions/Notes: |
10-15 min | Refresh Token Rotation Rollout Plan | All | We still need to discuss the target release in which we'll remove the legacy endpoints that return non-expiring tokens. It was agreed that they would be deprecated in Poppy. The proposal from Steve Ellis and others was to remove them in Quesnelia.<br>Skott Klebe: having a live legacy auth endpoint that is unused is dangerous, as it provides an additional avenue for attack.<br>Jeremy: expects an option to "turn off" the legacy authentication endpoint in Poppy.<br>Craig and Jakub: the ability to turn the legacy endpoint off is part of the proposal for Poppy; the TC has accepted it along with the rest of the proposal. The new option is opt-in, so the system remains backward compatible by default.<br>Jeremy: proposes a phased roll-out where disabling the endpoint is opt-in in Poppy (as already agreed) and opt-out (endpoint is disabled by default) in Quesnelia.<br>Jakub: we can also disable public access to the legacy endpoint and only allow known hosts.<br>Craig: would prefer that we don't change the setting that disables the endpoint in Q but instead remove the endpoint completely.<br>Florian: supports the idea of opt-in in Poppy and opt-out in Q, and then removing the endpoint afterward.<br>Marc: how much do we want to invest in this?<br>Jakub: let's avoid breaking backwards compatibility and make sure that when we ask external developers to switch their integrations to RTR, we're not asking them again when the project adopts a new authentication regime (e.g. OAuth2).<br>Marc: let's focus on the decision that has already been made but define the criteria: when are we turning it off and when are we removing it?<br>Jeremy: having two release cycles would be sufficient (so the legacy endpoint is removed in the R release).<br>DECISION: The TC has agreed to the plan that the endpoints will be removed in the R release. |
1 min | Upcoming Meetings | All | |
5 min | | All | To be discussed next Monday. Standing agenda item to review/discuss any requested or required changes to officially supported technology lists. Today: |
NA | Zoom Chat | | 00:11:52 Jenn Colt: The notes said it involved a python script and some GitHub merges.<br>Both endpoints are live, even under the enhanced security mode.<br>I mean for the user login in the UI.<br>I may be looking for the wrong things, but I was expecting to see the two cookies in my browser?<br>Maybe I need to pick this up on Slack.<br>It’s WIP in stripes-core. Details at https://folio-project.slack.com/archives/C05JK4YH3A5/p1695841278260819.<br>It’s really late in the Poppy release for this to still be WIP.<br>No argument there. I expect to have a PR up today or tomorrow. The work is done but needs to be cleaned up.<br>Also, if there really are endpoints cycling in and out all the time, then there should be clear messaging in every case about what endpoints are transitioning in or out. |
Topic Backlog | | | |
Discuss during a Monday session | Officially Supported Technologies - Upkeep | All | Previous Notes: Today Notes: |