Blog from December, 2021

December 2021 Update

Since the last update, we have released the SP V3.3 update, migrated to the new SP packaging process, reached a significant milestone in our supply chain security work, and have advanced or started work on a number of OIDC/OAuth enhancement projects.

The SP update so far has resulted in one minor bug report (an accidental deprecation warning). The new packaging process worked great and saved several hours of hassle getting the RPMs out, as well as adding key new platforms, with the ability to add others very easily in the future. Once Amazon Linux 3 is available outside of AWS, we can add that. There is an OpenSSL security fix dropping on December 14th, which may or may not necessitate a Windows patch.

As expected, some discussion of the SP's future has been provoked, but there's nothing new happening, just a slightly more forceful reminder of future expectations.

We have declared “victory” on the first iteration of our Maven enforcer and have enabled it across all our snapshot builds at this point in anticipation of moving away from hosting third-party components and moving Nexus off the public network. The enforcer already detected one component’s signer moving to a different key, enabling us to follow up and verify to some basic level of confidence that the key is legitimate before adding it to our local keyring for that component. We should have all the initial kinks worked out in time for the next set of releases.
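To make the signer-pinning idea concrete, here is an added example (not the project's own enforcer, whose configuration format is not described on this page) of the policy check such an enforcer performs. It assumes a hypothetical keys-map text file that maps `groupId:artifactId` patterns to the PGP fingerprints trusted to sign that component, and that the fingerprint of the key behind each artifact's `.asc` signature has already been extracted (for example from `gpg --status-fd`). All coordinates and fingerprints below are constructed placeholders.

```python
"""Pinned-signer check for Maven dependencies (added example, not the
Shibboleth project's enforcer). Assumes a hypothetical keys-map file mapping
'groupId:artifactId' patterns to trusted PGP key fingerprints, and an already
extracted signer fingerprint per artifact."""
from enum import Enum
from fnmatch import fnmatchcase


class Verdict(Enum):
    OK = "ok"                    # signed by a key pinned for this component
    KEY_CHANGED = "key-changed"  # component is pinned, but the signer is a different key
    UNPINNED = "unpinned"        # no keys-map entry covers this component
    UNSIGNED = "unsigned"        # no detached .asc signature was found


def normalize_fpr(fpr):
    """Canonical form: upper case, no spaces, no 0x prefix."""
    s = fpr.replace(" ", "").upper()
    return s[2:] if s.startswith("0X") else s


def parse_keys_map(text):
    """Parse lines of the form 'group:artifact = 0xFPR[, 0xFPR...]'.
    '#' starts a comment. The first matching rule wins, so put specific
    entries above wildcard ones."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, _, keys = line.partition("=")
        fprs = frozenset(normalize_fpr(k) for k in keys.split(",") if k.strip())
        rules.append((pattern.strip(), fprs))
    return rules


def check_artifact(coordinate, observed_fpr, rules):
    """coordinate is 'groupId:artifactId[:version]'; observed_fpr is the
    fingerprint of the key that produced the .asc, or None if there was none."""
    if observed_fpr is None:
        return Verdict.UNSIGNED
    group_artifact = ":".join(coordinate.split(":")[:2])
    for pattern, fprs in rules:
        if fnmatchcase(group_artifact, pattern):
            return Verdict.OK if normalize_fpr(observed_fpr) in fprs else Verdict.KEY_CHANGED
    return Verdict.UNPINNED


def enforce(dependencies, rules):
    """Return (coordinate, verdict) pairs that should fail the build.
    A KEY_CHANGED result is the case worth a human look before the new
    key is added to the keys map."""
    failures = []
    for coord, fpr in dependencies:
        verdict = check_artifact(coord, fpr, rules)
        if verdict is not Verdict.OK:
            failures.append((coord, verdict))
    return failures


# Constructed sample data; fingerprints are placeholders, not real keys.
KEYS_MAP = """
# groupId:artifactId = trusted signing key fingerprint(s)
org.example:widget-core = 0xAAAABBBBCCCCDDDDEEEEFFFF0000111122223333, 0x4444555566667777888899990000AAAABBBBCCCC
org.example.commons:* = 0x1111222233334444555566667777888899990000
"""

DEPENDENCIES = [
    ("org.example.commons:commons-io:2.11.0", "1111222233334444555566667777888899990000"),
    ("org.example:widget-core:1.4.0", "4444 5555 6666 7777 8888 9999 0000 AAAA BBBB CCCC"),
    ("org.example:widget-core:1.5.0", "FEDCFEDCFEDCFEDCFEDCFEDCFEDCFEDCFEDCFEDC"),  # signer moved
    ("com.unknown:thing:0.1", "0123012301230123012301230123012301230123"),          # never pinned
    ("org.example.commons:commons-net:3.8.0", None),                                 # no .asc
]

if __name__ == "__main__":
    for coord, verdict in enforce(DEPENDENCIES, parse_keys_map(KEYS_MAP)):
        print(f"{coord}: {verdict.value}")
```

The useful distinction is between UNPINNED (a component nobody has vetted yet) and KEY_CHANGED (a component that was vetted, now signed by something else): the latter is exactly the event the paragraph describes, and it should block the build until someone confirms the new key through the project's own channels rather than trusting whatever key the repository now serves.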

On that subject, most of the absolutely necessary work on IdP V4.2 is done, and the next round of enhancements is primarily OIDC/OAuth-related. The new set of those plugins will depend on IdP V4.2 for some minor internal reasons. Some of the major features we hope to ship in Q1 of 2022 include:

  • The initial OIDC proxy authentication implementation for the IdP.

  • Token-based OIDC/OAuth client registration (vs. the open endpoint implemented so far), including policies based on the tokens governing what can be registered. This work is intended to be syntax-compatible with the metadata “statements” defined in the not-yet-final OIDC Federation specs.

  • Support for JWT-formatted access tokens compliant with https://www.rfc-editor.org/rfc/rfc9068.

  • Extending the token endpoint with generic OAuth2 support, such as the client_credentials grant type and pluggable authentication.

The latter two features are essentially first-generation support for the IdP to act as an OAuth Authorization Server, something several members have been requesting. Snapshots of this functionality should hopefully be available shortly into the new year.
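As an added illustration of those two features together (example code, not the IdP's implementation or its configuration), the following mints an RFC 9068 JWT access token in response to a `client_credentials` token request and then performs the resource-server checks from section 4 of that RFC. It uses HS256 with a constructed shared secret so that it runs with the standard library alone; a real authorization server would sign with an asymmetric key published via JWKS. The issuer, resource identifier, client registry and secrets are all assumed values.

```python
"""RFC 9068 'at+jwt' access tokens for a client_credentials grant (added
example, not the Shibboleth IdP's code). HS256 with a constructed shared
secret keeps it standard-library only; assumed issuer/resource/client values."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-not-for-production"   # constructed
ISSUER = "https://idp.example.org"                        # assumed issuer identifier
RESOURCE = "https://api.example.org"                      # assumed resource indicator
LIFETIME = 300
CLIENTS = {  # constructed client registry
    "svc-reporting": {"secret": "constructed-client-secret", "scopes": {"reports:read"}},
}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(client_id, scope, sub=None, now=None, jti="constructed-jti-1"):
    """Issue an at+jwt. With client_credentials there is no resource owner, so
    per RFC 9068 the client_id is used as 'sub' as well."""
    now = int(time.time()) if now is None else now
    header = {"typ": "at+jwt", "alg": "HS256"}
    claims = {"iss": ISSUER, "aud": RESOURCE, "sub": sub or client_id,
              "client_id": client_id, "iat": now, "exp": now + LIFETIME,
              "jti": jti, "scope": scope}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def client_credentials_grant(params, now=None):
    """Minimal token endpoint logic for grant_type=client_credentials (RFC 6749 4.4)."""
    if params.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(params.get("client_id"))
    if client is None or not hmac.compare_digest(client["secret"], params.get("client_secret", "")):
        return {"error": "invalid_client"}
    requested = set(params.get("scope", "").split())
    if not requested or not requested <= client["scopes"]:
        return {"error": "invalid_scope"}
    scope = " ".join(sorted(requested))
    return {"access_token": mint_access_token(params["client_id"], scope, now=now),
            "token_type": "Bearer", "expires_in": LIFETIME, "scope": scope}


def validate_access_token(token, expected_aud=RESOURCE, now=None):
    """Resource-server validation per RFC 9068 section 4. Raises ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("typ") != "at+jwt":      # refuse ID tokens or other JWTs presented as access tokens
        raise ValueError("typ is not at+jwt")
    if header.get("alg") != "HS256":       # pin the algorithm; never honour 'none' or the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    for name in ("iss", "exp", "aud", "sub", "client_id", "iat", "jti"):
        if name not in claims:
            raise ValueError("missing required claim " + name)
    if claims["iss"] != ISSUER:
        raise ValueError("wrong issuer")
    auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if expected_aud not in auds:
        raise ValueError("token not intended for this resource")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    request = {"grant_type": "client_credentials", "client_id": "svc-reporting",
               "client_secret": "constructed-client-secret", "scope": "reports:read"}
    response = client_credentials_grant(request)
    print(json.dumps(validate_access_token(response["access_token"]), indent=2))
```

The two checks most often skipped in practice are the `typ` header, which is what keeps an OIDC ID token from being replayed as an access token, and the audience check against the resource's own identifier, which keeps a token minted for one API from being accepted by another.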