...
https://shibboleth.atlassian.net/browse/JPAR-178 updated this. Seems OK - at least for now.
Working on RP:
Profile configuration hookup (OIDC.SSO for now)
Message Encoders. Propose to borrow the ideas used in the SpringAwareMessageEncoderFactory but for OAuth ResponseModes and RP authn request. In https://shibboleth.atlassian.net/browse/JCOMOIDC-27
Work on commons:
Henri has ideas on how to improve the metadata resolver work, so I will revisit some of that.
https://shibboleth.atlassian.net/browse/JCOMOIDC-21 - move some of the OP profile configuration stuff into oidc-common. Some is needed by the RP. Added timescales to the agenda on what gets released when and how the changeover in the OP happens.
https://shibboleth.atlassian.net/browse/JCOMOIDC-26 - need to check JWT validation API is suitable for upcoming use cases.
Other:
Maybe look to switch the default CSRF validation predicate to use a constant-time algorithm. Although the predicate is injectable and I am not sure it adds much in our case.
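
A constant-time token comparison of the kind the note above considers, as an added example that is not part of the original notes or of the Shibboleth code base. The class name and the (expected, presented) BiPredicate shape are assumptions, not the project's API, and the token values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.function.BiPredicate;

/** Hypothetical predicate: (token held server-side, token presented in the request). */
public final class ConstantTimeCsrfTokenPredicate implements BiPredicate<String, String> {

    @Override
    public boolean test(final String expected, final String presented) {
        // A missing value on either side is a failed check, never a match.
        if (expected == null || presented == null) {
            return false;
        }
        // Hash both sides first so the comparison always runs over two 32-byte
        // arrays, whatever length the presented token has.
        return MessageDigest.isEqual(sha256(expected), sha256(presented));
    }

    private static byte[] sha256(final String value) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (final NoSuchAlgorithmException e) {
            // SHA-256 is mandatory for every Java SE implementation.
            throw new IllegalStateException(e);
        }
    }

    public static void main(final String[] args) {
        final BiPredicate<String, String> constantTime = new ConstantTimeCsrfTokenPredicate();
        // Ordinary equality: same answers, but it can return at the first
        // differing character, so its run time depends on the matching prefix.
        final BiPredicate<String, String> earlyExit = String::equals;

        final String expected = "c2FtcGxlLWNzcmYtdG9rZW4";          // constructed sample
        final String[] presented = {
            expected,                                               // exact match
            "c2FtcGxlLWNzcmYtdG9rZW5",                              // last character differs
            "X2FtcGxlLWNzcmYtdG9rZW4",                              // first character differs
            "",                                                     // empty token
            null                                                    // parameter absent
        };
        for (final String p : presented) {
            final boolean plain = p != null && earlyExit.test(expected, p);
            System.out.printf("%-26s constantTime=%b equals=%b%n", p, constantTime.test(expected, p), plain);
        }
    }
}
```

Both predicates return the same result for every input; the difference is only that the constant-time version does not vary its run time with how much of the presented token matches.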
...