[Django4.2 upgrade]: Upgrade django-oauth-lib to latest 2.x.x version

[mumarkhan999]

Description

• A PR (link) was created in which we're unpinning django-oauth-toolket and oauthlib.
• The oauthlib has been updated successfully but for django-oauth-toolkit we faced some brokers. And we could only upgrade django-oauth-toolkit to the latest 1.x.x version.
• Our aim is to upgrade it to the latest 2.x.x version.

Blocker

• The main blocker, we faced that in version 2.0.0, django-oauth-toolkit is saving the client-secret as a hashed value instead of plain text.
  https://django-oauth-toolkit.readthedocs.io/en/latest/changelog.html#id12:~:text=%231093%20(Breaking,before%20hitting%20Save
• If we do any attempt to migrate DOT to 2.x.x, it will update all the existing client secrets as well.
• And then we can't downgrade its version. It's only one way.

raise IrreversibleError("Operation %s in %s is not reversible" % (operation, self))
django.db.migrations.exceptions.IrreversibleError: Operation <RunPython <function forwards_func at 0x7f6956652430>> in oauth2_provider.0006_alter_application_client_secret is not reversible

[robrap]

Note: We may need a communication plan around this in case any teams like Enterprise, etc., rely on having access in the database, and may need time to transfer credentials to a password manager like Keeper. Also, we should certainly mention this on https://openedx.atlassian.net/wiki/spaces/COMM/pages/3726802953/Next+Release+Quince.

[mumarkhan999]

Previous PRs to unpin DOT version

• fix: upgrade oauthlib and django-oauth-toolkit to new versions. #32631
• feat: upgrading django-oauth-toolkit==1.5.0 #33079
• chore: upgrade dot #33309
• chore: upgrade dot #33341

[mumarkhan999]

While unpinning DOT from version 1.3.2 we had to face some issues. I'm mentioning my findings here so that when we proceed with the further upgrade, we are already aware of those issues.

---

• The db tables against this package have millions of records in the Prod database. So in future upgrades, if we have any migrations to apply, there would certainly be a downtime for the site as these tables will be locked. DOT is related to user logins so the site will be unfunctional when the migrations are applied.
• While working on this DOT upgrade (PR LINK), the expected downtime for the site was 3 minutes which was calculated on Prod replica. But when the changes were actually deployed, the downtime reached upto 20-23 minutes.

select count(*) from oauth2_provider_application;

count(*)
740

mysql> select count(*) from oauth2_provider_accesstoken;

count(*)
20552959

select count(*) from oauth2_provider_grant;

count(*)
25264

[katebygrace]

Is this in active development?

[mumarkhan999]

@katebygrace:

No, this issue will be picked after Django42 and MySQL8 upgrade.

[katebygrace]

Got it, thank you! Where is the Django42 work tracked? (I know where the mysql8 upgrade is)

[mumarkhan999]

@katebygrace:

Here are the links

Board	Platform issue	Roadmap issue

[katebygrace]

Thank you!!