Shibboleth Developer's Meeting, 2020-12-04
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2020-12-18. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Add items for discussion here
Attendees:
Brent
Daniel
Henri
Ian
- xmlsectool v3: GA mid-month, 15th-ish
- UKf confirms drop-in replacement (modulo Java 8/11, CLI tweaks) on their production HSM
- IdP V3.last:
- dependencies
- build environment
- schedule?
- Java 16 enters Rampdown Phase One next week
- Confirmed: 396: Strongly Encapsulate JDK Internals by Default
- Proposed: 390: Warnings for Value-Based Classes
new Integer(73)
would move from Deprecated (since Java 9) to Deprecated for Removal- Warnings will get louder
- Full details in https://openjdk.java.net/jeps/390
- In theory could result in removal in Java 17, which we'd care about. I'd guess not, but who can say.
- We don't use these a lot outside of tests, and they are easy to fix up except in cases where you're looking for an object with an identity rather than a wrapped primitive. I suspect we don't have any of those, though.
...
- Add a nonce to the authorization request and verify it in the id_token.Jira Legacy server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key JDUO-22 - The Duo OP supports it - seems like best practice to help prevent id_token replay attacks.
- Only supported using the alternative Nimbus client.
- Duo Web SDK does not support setting it - even though they consider it in their validation step.
- the JWT claims verify can now be injected (hence a custom one can be used).Jira Legacy server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key JDUO-23 - A default version and base class have been created to satisfy Duo requirements and (for the limited things possible) OIDC requirements.
- bit weird that, the latest Duo Web SDK requests the auth code as a `duo_code` parameter rather than the OAuth2.0 standard `code`. Broke my stuff.Jira Legacy server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key JDUO-24
...