Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Shibboleth Developer's Meeting, 2020-12-04

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2020-12-18. Any reason to deviate from this?

60 to 90 minute call window.


Call Details

This week's call will use the Zoom system at GU, see ZoomGU for see ZoomGU for access info.


AGENDA

Add items for discussion here

Attendees:


Brent

  • Jira Legacy
    serverShibboleth JIRA
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId180d847f-bce4-36b2-9964-771bff586829
    keyOSJ-82

    • Did some low-hanging fruit, like XMLObject providers.  Working on modeling KDF-related components.


Daniel


Henri

  • Jira Legacy
    serverShibboleth JIRA
    serverId180d847f-bce4-36b2-9964-771bff586829
    keyJOIDC-20
    • Going through the OP-plugin code related to the attribute/claim resolution/filtering
    • No blockers so far to move token-specific configs from transcoders
  • Jira Legacy
    serverShibboleth JIRA
    serverId180d847f-bce4-36b2-9964-771bff586829
    keyJOIDC-19


Ian

  • xmlsectool v3: GA mid-month, 15th-ish
    • UKf confirms drop-in replacement (modulo Java 8/11, CLI tweaks) on their production HSM
  • IdP V3.last:
    • Jira Legacy
      serverShibboleth JIRA
      serverId180d847f-bce4-36b2-9964-771bff586829
      keyIDP-1720
       (Spring Framework .30 early next week)
    • build environment
    • schedule?
  • Java 16 enters Rampdown Phase One next week
    • Confirmed: 396: Strongly Encapsulate JDK Internals by Default
    • Proposed: 390: Warnings for Value-Based Classes
      • new Integer(73) would move from Deprecated (since Java 9) to Deprecated for Removal
      • Warnings will get louder
      • Full details in https://openjdk.java.net/jeps/390
      • In theory could result in removal in Java 17, which we'd care about. I'd guess not, but who can say.
      • We don't use these a lot outside of tests, and they are easy to fix up except in cases where you're looking for an object with an identity rather than a wrapped primitive. I suspect we don't have any of those, though.


John

  • Still working on driving docker-based SP builds with GNU Make
    • Have individual build steps, incl. Docker images and (S)RPMS, working
    • Expressing dependencies in progress

Marvin


Phil

  • Jira Legacy
    serverShibboleth JIRA
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId180d847f-bce4-36b2-9964-771bff586829
    keyJDUO-22
     - 
    Add a nonce to the authorization request and verify it in the id_token.
    • The Duo OP supports it - seems like best practice to help prevent id_token replay attacks.  
    • Only supported using the alternative Nimbus client.
    • Duo Web SDK does not support setting it - even though they consider it in their validation step.
  • Jira Legacy
    serverShibboleth JIRA
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId180d847f-bce4-36b2-9964-771bff586829
    keyJDUO-23
     - the JWT claims verify can now be injected (hence a custom one can be used). 
    • A default version and base class have been created to satisfy Duo requirements and (for the limited things possible) OIDC requirements.
  • Jira Legacy
    serverShibboleth JIRA
    columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
    serverId180d847f-bce4-36b2-9964-771bff586829
    keyJDUO-24
     - bit weird that, the latest Duo Web SDK requests the auth code as a `duo_code` parameter rather than the OAuth2.0 standard `code`. Broke my stuff.
    • No they only updated the documentation recently, it is a change from the preview version they gave us.


Rod

  • IdP catch up
  • SP windows build maintenance


Scott

  • Jira Legacy
    serverShibboleth JIRA
    serverId180d847f-bce4-36b2-9964-771bff586829
    keyJOIDC-15
    • Continued this work last week fixing problems and adding metadata configuration wiring
  • Jira Legacy
    serverShibboleth JIRA
    serverId180d847f-bce4-36b2-9964-771bff586829
    keyJOIDC-20
  • OpenSSL patch coming next week rated "high" so rushing to finish SP 3.2 work in time for next week
  • New web site was supposed to go live, cert issue delayed it


Tom

  • Thanks Rod for taking on IDP-1660 (consent sorting), will work on tests
  • Keeping tests green
    • Java 8 'hostname' test continues to fail on CentOS7 and RHEL8 but at least is consistent
  • Plan on patching server next week
  • Would like to use the installer for V4 integ tests
  • Long shot, but any chance we could get access to a Microsoft 365 instance ?

Other