Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Shibboleth Developer's Meeting, 2022-03-18

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI

...

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

  1. Freeze schedule

Attendees:

Brent

Daniel

Henri

Done:

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJOIDC-78

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJOIDC-79

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJOIDC-81

...

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJOIDC-82

    • It feels that we should simply disable the wiring of the secret expiration configuration and note it in the documentation

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJOIDC-76

    • I didn’t find a better way for “configuring” the ServletContextInitializer than via system properties

      • Flag for disabling the class:

        • -Dnet.shibboleth.idp.plugin.oidc.op.servlet.RegisterFilterServletContextInitializer=disabled

      • Space-separated list for the url-mappings of the filter:

        • "-Dnet.shibboleth.idp.plugin.oidc.op.servlet.RegisterFilterServletContextInitializer.mappings=/profile/oauth2/* /profile/oidc/*"

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJOIDC-21

    • CLI can handle HTTP-Basic auth - needed if the authenticated-flag is enabled in the admin flow config

    • The flow now uses FetchThroughMetadataCache

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJOIDC-61

    • Configuration of additional server-side policies now simplified

      • Code Block
        ...
        <bean parent="OIDC.Registration" p:metadataPolicyLookupStrategy-ref="shibboleth.oidc.dynreg.AnotherMetadataPolicyLookupStrategy"/>
        ...
        <bean id="shibboleth.oidc.dynreg.AnotherMetadataPolicyLookupStrategy"
                parent="shibboleth.oidc.dynreg.MetadataPolicyLookupStrategy"
                c:resource="file:/opt/shibboleth-idp/conf/metadata-policy2.json"
                c:id="AnotherProfileMetadataPolicyCache" />

Ian

  • Working on a dependency pass for 4.2.

  • Had held this until the enforcer was up and running.

    • Ran into some holes in my dependency qualification workflow from that, now reorganised.

    • May move this into the build containers at some point.

  • Lost more than a week on a medical issue (I’m fine for now, but it’s time-consuming).

  • As Tom points out, Maven 5.8.5 is out:

    • https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922&version=12351105

    • Doesn’t seem to have anything we actually need. For what it’s worth, though, it seems to perform our builds unchanged and the new dependencies it brings in don’t need any new keys.

    • Adopting by bumping minimum version would require all dev machines, CI machines and build containers to be updated.

    • If we do want to make it the minimum for 4.2, we need to start on that stuff NOW. Inclined to make it optional (by ignoring it).

    • It has some plugin dependency requirements that I will pick up anyway.

  • Dependencies with new keys (deferred until resolved, working on these with Rod):

    • rhino, jcommander, janino, hibernate

  • Big bumps (suggest ignoring these):

    • Mockito (new APIs in major version)

    • Checkstyle (may do an 8.x update, but both 9.x and 10.x exist now… also, interaction with Eclipse)

  • Little bumps (still to be pulled in):

    • Some Maven plugins.

    • The ones Rod is key hunting for.

    • Maybe Checkstyle.

    • JAXB API and runtime versions have split.

  • Coming back to the 5.x conversion now that Spring Framework 6.0.0-M3 is out. Spring Webflow still the sticking point.

John

  • Continuing to explore ways to drive ECS/Fargate, build images with Kaniko. Feel like I may be getting the hang of this whole cloud/containers business

Marvin

Phil

  • Helping Henri to finalise some of the commons metadata cache stuff, including:

    • A new factory to help simplify the config

    • A super simple cache implementation for the admin flow.

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJOIDCRP-11

    • Resolve a client_id for the downstream OP (issuer) from a simple map

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJOIDCRP-12

    • Build client authentication from parameters resolved from a storage service - just a map in an XML config file for now.

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJCOMOIDC-40

    • Implemented the string version. Need to look at the others.

  • Will try Brent’s prototype Trust Engine work to plugin for JWT validation - sorry for the delay.

  • I have not added the test library classes I created to one of the other projects yet, mainly because it will cause JUnit pollution, and I am not sure anybody wants that. Needs a think.

Rod

  • m2 checking on by default

    • Is this the correct default?

    • -P central-disabled is no more

  • java-mvn-enforcer releases

    • -data (two releases)

    • At least one more data release (when the key thing is sorted).

    • Need to do an enforcer release before 4.2.

  • Did the releases from docker with an ssh tunnel.

    • Are we good to turn off external access?

  • The bug in maven which required us to turn off checksum checking on our repos has been fixed.

    • Requires resolver 1.8 (which may not be released yet).

    • Is it in Maven 5.8.5?

Scott

  • Finished initial round of OP doc updates

  • Re-did view changes after last meeting to eliminate some bloat and get more insight into accessibility. Boy, the new HTML tags are interesting (and completely under-spec’d).

    • Mac’s screen reader is at least usable to get some insight.

    • No idea why SauceLabs doesn’t like our HTML, I don’t think there’s anything wrong with it and the checkers I tried agree.

  • Made a lot of additions and alterations to the new OIDC registration access token process

  • Hit a bunch of consent-related issues this week, some long dormant bugs. Hopefully didn’t break CAS but added a number of fixes there to handle consent better (e.g. it embeds consented IDs like OIDC does so per-session and client-side consent can work).

    • Don’t see a lot of point trying to do this for SAML and it would only be possible in a subset of configs anyway.

Tom

  • FYI Maven 3.8.5 is available

  • Integration tests are now using the installer

Other