docs: Move the JWT token update to breaking.

Fixes: openedx/wg-build-test-release#377
feoh · Jun 13, 2024 · 2acd0f4 · 2acd0f4
1 parent 363ca0a
commit 2acd0f4
Showing 1 changed file with 41 additions and 42 deletions.
diff --git a/source/community/release_notes/redwood.rst b/source/community/release_notes/redwood.rst
@@ -13,6 +13,47 @@ These are the release notes for the Redwood release, the 18th community release
 Breaking Changes
 ****************
 
+-  Deployers must ensure that their
+   ``JWT_AUTH['JWT_PRIVATE_SIGNING_JWK']`` Django setting in LMS
+   contains the full complement of private key numbers.*
+
+   -  **Background:**\ *In LMS, we are switching from the pyjwkest
+      library to PyJWT for signing JWTs. (pyjwkest is now unmaintained.)
+      However, PyJWT has stricter requirements for the private key in
+      ``JWT_PRIVATE_SIGNING_JWK``. Before you upgrade to Redwood, you
+      will need to update this key using a script. Otherwise, JWT
+      signing will fail, and users will be unable to log in.*
+
+   -  **Steps:**
+
+      1. Locate ``JWT_PRIVATE_SIGNING_JWK`` in your deployment
+         configuration.*
+
+      2. Check if the JSON contains all of the following params: ``p``,
+         ``q``, ``dp``, ``dq``, and ``qi``. If it does, you don’t need
+         to do anything further. Otherwise, continue.*
+
+      3. In your edx-platform virtualenv, run
+         ``python3 scripts/jwk-precompute-params.py`` and follow the
+         prompts. (It will ask you to paste in the current JSON.)*
+
+      4. Update your config’s ``JWT_AUTH['JWT_PRIVATE_SIGNING_JWK']``
+         with the output of the script.*
+
+      5. You may wish to compare the contents of the private key before
+         and after running the script, and verify that the only changes
+         it has made to the contents of the JSON are that the ``p``,
+         ``q``, ``dp``, ``dq``, and ``qi`` params have been added. (Some
+         or all may already have been present.)*
+
+   -  **Notes:**
+
+      1. This should be done while you are still running Quince—it is
+         safe to do ahead of the upgrade, and should not have any
+         visible effect at that time.*
+
+      2. This key must be handled very carefully. Anyone in possession
+         of the key may impersonate users.*
 
 Learner Experiences
 *******************
@@ -67,48 +108,6 @@ Other Operator Changes
       would like to force people to update their password, you'll
       probably want to take a look at .. _the password_policy plugin and its settings: https://github.com/openedx/edx-platform/blob/2033dcf6ace133719aaeb72dc5dd6ee521a7ac42/openedx/core/djangoapps/password_policy/settings/common.py#L13 .*
 
--  Deployers must ensure that their
-   ``JWT_AUTH['JWT_PRIVATE_SIGNING_JWK']`` Django setting in LMS
-   contains the full complement of private key numbers.*
-
-   -  **Background:**\ *In LMS, we are switching from the pyjwkest
-      library to PyJWT for signing JWTs. (pyjwkest is now unmaintained.)
-      However, PyJWT has stricter requirements for the private key in
-      ``JWT_PRIVATE_SIGNING_JWK``. Before you upgrade to Redwood, you
-      will need to update this key using a script. Otherwise, JWT
-      signing will fail, and users will be unable to log in.*
-
-   -  **Steps:**
-
-      1. Locate ``JWT_PRIVATE_SIGNING_JWK`` in your deployment
-         configuration.*
-
-      2. Check if the JSON contains all of the following params: ``p``,
-         ``q``, ``dp``, ``dq``, and ``qi``. If it does, you don’t need
-         to do anything further. Otherwise, continue.*
-
-      3. In your edx-platform virtualenv, run
-         ``python3 scripts/jwk-precompute-params.py`` and follow the
-         prompts. (It will ask you to paste in the current JSON.)*
-
-      4. Update your config’s ``JWT_AUTH['JWT_PRIVATE_SIGNING_JWK']``
-         with the output of the script.*
-
-      5. You may wish to compare the contents of the private key before
-         and after running the script, and verify that the only changes
-         it has made to the contents of the JSON are that the ``p``,
-         ``q``, ``dp``, ``dq``, and ``qi`` params have been added. (Some
-         or all may already have been present.)*
-
-   -  **Notes:**
-
-      1. This should be done while you are still running Quince—it is
-         safe to do ahead of the upgrade, and should not have any
-         visible effect at that time.*
-
-      2. This key must be handled very carefully. Anyone in possession
-         of the key may impersonate users.*
-
 -  The following `requirements update <https://github.com/openedx/credentials/commit/1cd7c25c04a955aa9aaa263fb40ebd3f73d0937e>`_ into credentials might have implications for anyone
    who has a massive ``usersocialauth`` table.  This is because that
    table grows endlessly, and the migrations on the table caused by