...
Santuario / Jakarta move → looks like 2.1 may be sunsetting pretty quickly, trying to get confirmation on a date
OIDC / OAuth coordination
Including the OP package name transfer to oidc-common for profile config: which versions, and when.
Features in the OP which require the metadata resolver work in oidc-common
(RDW) M2 verification is now on for the IdP nightly build. Still outstanding (before we discuss other attacks):
Process for accepting new certs - we have such a case outstanding for net.minidev:json-smart:2.4.7
A plan for what to do if we do discover a forgery.
Attendees:
Brent
https://shibboleth.atlassian.net/browse/IDP-1870
Coding done, just final live testing to do.
Will be out next meeting on Dec 17, so will need to use Scott’s Zoom, etc
Daniel
Henri
https://shibboleth.atlassian.net/browse/JCOMOIDC-25
Related to the agenda item “Process for accepting new certs”
https://shibboleth.atlassian.net/browse/JCOMOIDC-28
JSON parsing via Jackson
Should now be compliant with the OIDCfed draft, including unit tests
https://shibboleth.atlassian.net/browse/JOIDC-61
Some fine-tuning needed on the resolvers / caches, in cooperation with Phil
Ian
...
https://shibboleth.atlassian.net/browse/JPAR-178 updated this. Seems OK - at least for now.
Working on RP:
Profile configuration hookup (OIDC.SSO for now)
Message encoders: propose to borrow the ideas used in the SpringAwareMessageEncoderFactory, but for OAuth response modes and the RP authn request. Tracked in https://shibboleth.atlassian.net/browse/JCOMOIDC-27
Work on commons:
Henri has ideas on how to improve the metadata resolver work, so I will revisit some of that.
https://shibboleth.atlassian.net/browse/JCOMOIDC-21 - move some of the OP profile configuration stuff into oidc-common. Some is needed by the RP. Added timescales to the agenda on what gets released when and how the changeover in the OP happens.
https://shibboleth.atlassian.net/browse/JCOMOIDC-26 - need to check JWT validation API is suitable for upcoming use cases.
Other:
Maybe look to switch the default CSRF validation predicate to use a constant-time algorithm. Although the predicate is injectable and I am not sure it adds much in our case.
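An added illustration of the comparison being discussed, placed here as an example and not taken from the IdP code base: the class, the predicate names and the sample tokens are assumptions, and the only real API used is the JDK's MessageDigest.isEqual.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.function.BiPredicate;

/**
 * Two CSRF-token validation predicates side by side. Illustrative code, not
 * Shibboleth's: the class name, predicate names and sample tokens are assumptions.
 */
public final class CsrfTokenPredicates {

    /**
     * Early-exit comparison. String.equals returns at the first differing char,
     * so the time it takes depends on how long a correct prefix the guess had.
     */
    public static final BiPredicate<String, String> EARLY_EXIT =
            (expected, supplied) -> expected != null && expected.equals(supplied);

    /**
     * Constant-time comparison via MessageDigest.isEqual. For equal-length inputs
     * the JDK implementation examines every byte regardless of where a mismatch
     * is; a length mismatch returns false immediately, which only leaks the length
     * (fixed for a generated token, so nothing secret).
     */
    public static final BiPredicate<String, String> CONSTANT_TIME = (expected, supplied) -> {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    };

    /** The same idea written out by hand, to show what "constant-time" means at the byte level. */
    public static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];   // accumulate differences, never branch on them
        }
        return diff == 0;
    }

    /** Where the predicate is injected: the caller does not care which implementation it gets. */
    public static boolean validate(BiPredicate<String, String> predicate,
                                   String tokenInSession, String tokenInRequest) {
        return predicate.test(tokenInSession, tokenInRequest);
    }

    public static void main(String[] args) {
        // Constructed sample tokens; a real token would come from a CSPRNG.
        String session = "c7c1a2f0b4e9d8a3";
        String good = "c7c1a2f0b4e9d8a3";
        String bad = "c7c1a2f0b4e9d8a4";   // differs from the session token only in the last char
        String missing = null;

        for (BiPredicate<String, String> p : List.of(EARLY_EXIT, CONSTANT_TIME)) {
            System.out.println(validate(p, session, good)
                    + " " + validate(p, session, bad)
                    + " " + validate(p, session, missing));
        }
        System.out.println(constantTimeEquals(
                good.getBytes(StandardCharsets.UTF_8), bad.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Both predicates accept and reject the same inputs; the difference is only in how long a rejection takes, which is what a timing attack measures. Because the predicate is injected, swapping one for the other is a configuration change rather than a code change, which is the point made above about whether the switch is worth the effort in this setting.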
...