Shibboleth Developer's Meeting, 2020-06-05
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2020-06-19. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
- PKIX root behavior (IDP-1583)
- Opening up master branches
- Ian Young's thread safety thing, see below
Attendees:
Brent
Daniel
Henri
- JOIDC-5
- MDDriven profile configurations working as expected
- Will check with
next week
- IDP-1608
- Added ClientSecretReferenceKey element to the schema
- Simple resolver interface extending Resolver<String, CriteriaSet>
- Initial implementation for Properties resource
- How to make it refresh whenever the metadata provider is refreshed?
- Other implementations? Perhaps HTTP (using the approach from HTTP data connector)?
...
- (Maybe an agenda item) Thread safety is hard:
- Arises through MDA-242; full discussion there.
- A lot of things we say are @ThreadSafe really aren't, although they are mostly @ThreadSafeAfterInit and other things probably conspire to mean we're probably OK in practice. This makes me uncomfortable.
- It's not possible even in principle to make most things truly @ThreadSafe because of JSPT-97.
- We could fix that (and I think we should, see this commit) but that wouldn't address all the issues, just make it possible to do so for cases we care most about.
- Beyond that, I don't think really nailing this down is going to be felt to be worthwhile, but we might want to document some assumptions and change some annotations anyway.
- Building from Docker containers: iay/shibboleth-build-docker seems to work
Marvin
Phil
- IdP release using two docker images worked well. The second image was used for building site under JDK14 to fix the search apidocs bug.
- Modified Javadoc plugin seemed to do its job - drawing a line under that for now, and I did not need to swear.
- It can be a bit slow when generating site (Javadoc), just make sure to build inside the container.
- Detailed instructions on Ian's GitHub page for all these things.
- Duo 2FA OIDC plugin
- I have not provided too much input to Rod's plugin work the past few weeks as just trying to get the flow together.
- Would hope to reengage later on when I actually need it to work as a plugin.
- Using a Spring Controller to handle the external call and callback - a bit like the SAML proxy controller.
- Was debating whether to actually encode the webflow execution key in the State parameter alongside a CSRF type nonce?
- Otherwise stored outside the webflow conversation and inside the HttpSession - assuming the redirect_uri does not become an option i.e. Duo not being strict on dynamic query params.
Rod
- Module installation stalled for want of hours in a day
- Built VM solely to do Windows installer builds
- What to do about Java7/8 on Windows and the multi tests?
- Am about to have to install Visual Studio 2019. Do we want to think about this for SP 3.2 (given that it may impact on our dependencies)?
...