stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
1d962ee6fc98ad8c53715bbff6d513246f5b1361
git.stella-ops.org/docs/api/authority-legacy-auth-endpoints.md
master f98cea3bcf Add Authority Advisory AI and API Lifecycle Configuration 
- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.
2025-11-02 13:50:25 +02:00

2.1 KiB
Raw Blame History

Legacy Authority Authentication Endpoints — Deprecation Guidance

Announced: 1 November 2025
Sunset (removal no earlier than): 1 May 2026

Summary

StellaOps Authority previously exposed OAuth 2.1 endpoints at /oauth/token, /oauth/revoke, and /oauth/introspect to ease migration from early previews. Those aliases are now deprecated in favour of the canonical paths (/token, /revoke, /introspect). All responses from the legacy routes include:

  • Deprecation — RFC7231 HTTP-date set to 1 November 2025.
  • Sunset — HTTP-date advertising the planned removal on 1 May 2026.
  • Warning — RFC7234 299 warning describing the migration requirement.
  • Linkrel="sunset" URI pointing back to this guidance.

No new features (DPoP nonces, audit upgrades, policy scopes) will ship on the legacy routes. After 1 May 2026 the aliases will return 410 Gone and be removed in the next major release.

Required Actions

  • Service identities / CI pipelines Update token, revocation, and introspection calls to target the canonical /token, /revoke, and /introspect endpoints. Regenerate OpenAPI clients if they relied on the deprecated paths.
  • Gateway / proxy rules Remove explicit rewrites that target /oauth/* so traffic flows directly to the canonical paths.
  • Custom SDKs Regenerate against the refreshed Authority OpenAPI spec (/.well-known/openapi) which marks legacy operations as deprecated: true.
  • Monitoring Alert on the authority.api.legacy_endpoint audit event or the 299 Warning header to verify migrations are complete.

Timeline & Support

Date Milestone
1 Nov 2025 Deprecation headers emitted, documentation published
JanApr 2026 Observability dashboards highlight remaining usage; support assists with migrations
1 May 2026 Legacy routes return HTTP 410 and will be removed in the next major release

Questions? Contact the Authority Core guild or open a ticket with the API Governance Guild referencing AUTH-OAS-63-001.