...
Santuario / Jakarta move → looks like 2.1 may be sunsetting pretty quickly, trying to get confirmation on a date
OIDC / OAuth coordination
Inc. OP package name transfer to oidc-common for profile config. Which versions and when.
Features in the OP which require the metadata resolver work in oidc-common
(RDW) M2 verification is now on for IdP nightly build. Still outstanding (before we discuss other attacks)
Process for accepting new certs - we have such a case outstanding for net.minidev:json-smart:2.4.7
A plan for what to do if we do discover a forgery.
...
https://shibboleth.atlassian.net/browse/JPAR-178 updated this. Seems OK - at least for now.
Working on RP:
Profile configuration hookup (OIDC.SSO for now)
Message Encoders. Proposed to borrow the ideas used in the SpringAwareMessageEncoderFactory but for OAuth ResponseModes and RP authn request. In https://shibboleth.atlassian.net/browse/JCOMOIDC-27
Work on commons:
Henri has ideas on how to improve the metadata resolver work, so I will revisit some of that.
https://shibboleth.atlassian.net/browse/JCOMOIDC-21 - move some of the OP profile configuration stuff into oidc-common. Some is needed by the RP. Added timescales to the agenda on what gets released when and how the changeover in the OP happens.
https://shibboleth.atlassian.net/browse/JCOMOIDC-26 - need to check JWT validation API is suitable for upcoming use cases.
Other:
Maybe look to switch the default CSRF validation predicate to use a constant-time algorithm. Although it is injectable, and I am not sure it adds much in our case.
...