Plan for deprecating and removing unmaintained OmniAuth gems
Background
From https://gitlab.com/gitlab-org/gitlab/-/issues/30073, we have a number of OmniAuth gems that have gone unmaintained. It's not clear to me if anyone is using these, and it's a security risk to support gems that haven't updated in a while:
- omniauth-azure-oauth2 - DEPRECATED, replaced by omniauth-azure-activedirectory-v2
- omniauth-cas3 - upstream not ready
- omniauth_crowd
- omniauth-shibboleth
I wonder if we should:
- Add a warning that these will go away, and point people to this issue to comment.
- Remove these entirely in GitLab 16.0.
We use omniauth-salesforce today, so I've asked the maintainer if we can just transfer maintainership to the main OmniAuth group: https://github.com/realdoug/omniauth-salesforce/pull/32#issuecomment-1164680551
Plan
2 epics have been created:
- Deprecations and Breaking Changes for 16.0 - deprecation/removal of cas3 and crowd in here. @hsutor will take care of deprecation announcement
- Future Deprecation and Removal Candidates - I put omniauth-shibboleth and omniauth-azure-oauth2 here for now. Should we decide we want to tackle these in %16.0, we can pull them in to the %16.0 specific epic.
The two in the "Future" epic both have some usage left and I want to look harder at implications before we deprecate/remove, so I am not nominating them for %16.0 at this time.