Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJSSH-16

    • Plan on pushing all the updated projects early next week.

      • All IdP stack + metadata aggregator (just a runtime dep). Missing anything?

      • Likely some minor odd/ends left, but get the major bits of the refactor into main branches.

      • Anyone else planning any big commits in that timeframe? We should coordinate to avoid stepping on one another.

    • Hit a couple of unknown (to me) aspects of HttpClient, interesting to note for the future.

      • Unconditional retries of failed connections over all resolved DNS entries for hostname, where “failed” includes a TLS handshake failure.

      • We effectively disable connection pooling reuse in our HttpClientBuilder by default via use of RequestConnectionClose interceptor.

        • Our TrustEngine-based TLS fails on second and subsequent requests unless this is enabled. Need to see if there is a way to address this.

    • Were we ever expecting to need or want HTTP/2 support? The HC classic client does not support and “most likely never will” per the HC developer.

Daniel

  • Conflict today, cannot attend.

Henri

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJCOMOIDC-41

    • Global exclusion now works and tested for signature validation

    • Decryption configuration seems to work, but request object logic needs to be improved (see below)

    • Working on signature signing tests (id_token, JWT access token, userinfo) - spotted one bug with EC keys

    • Encryption tests with varying configurations still totally missing

  • Jira Legacy
    serverSystem JIRA
    serverIdf52c7d31-6eab-3f0e-93c3-231b5754d506
    keyJOIDC-142

    • So far OP has only supported the use of RP metadata for security configuration

    • OP should also exploit the new predicates used by RP (force use of request objects, signing and encryption)

    • We should also support forcing specific attributes to be included in the request object

...