Shibboleth Developer's Meeting, 2021-02-05

Brent

• Jira Legacy
  server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key OSJ-75

  
  
  • This turned out to be very easy

• Jira Legacy
  server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key OSJ-118

  • Done, although still chewing over whether should by default support 30 ~30 legacy curves that SunEC currently supports, but which are deprecated and require a system prop in Java 15+. Leaning towards yes.  Relevant Oracle SunEC docs here.

• Jira Legacy
  server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key OSJ-82

  • Not quite done on this yet, sidetracked on other things.  All that remains is EncryptionParametersResolver.

• Jira Legacy
  server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key OSJ-328

  • Pretty sure Scott is right about race condition.  Actually more worried about the related conditions in LazyList, etc.

...

• Jira Legacy
  server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key JOIDC-17

  • All done: Java, XML-namespaces and profile identifiers

• Jira Legacy
  server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key JOIDC-22

  • oauth2-oidc-sdk from 7.1.1 to 8.33 to 9.0
  • nimbus-jose-jwt from 8.8 to 9.4.1

• Jira Legacy
  server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key JOIDC-19

• Jira Legacy
  server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key JOIDC-11

  • Do we want to support OAuth2 flows not involving end-users?
  • Had a meeting with a member using Shibboleth as IdP and OP, together with an OAuth2 AS
• Testing plan
  • Make pre-releases of oidc-common and OP
  • Install them via plugin installer (via remote endpoint)
  • Start running OIDC certification tests against the instance

Ian

• Dependencies
• Java 16 RC1 is out

John

• Took another pass at producing a Docker image for SLES. Got further than the first try, but mainly succeeded in discovering subsequent problems to solve.
• Began adding support for Amazon Linux.

Marvin

Phil

• Various oidc-common and Duo plugin changes

  • Jira Legacy
    server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key JCOMOIDC-9

     - surfaced oidc-common as a plugin and single module. Created a BOM for import.

  • Jira Legacy
    server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key JCOMOIDC-10

     - bumped oidc-common to the very latest Nimbus libs. Henri completed that work on the OP.

  • Jira Legacy
    server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key JDUO-28

     Move JWT claims validation to a new framework in oidc-common 

  • Jira Legacy
    server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key JDUO-29

     - delegated signature validation functions to oidc-common
• Asked for help testing the Duo plugin on the Jisc-Shib list - no response yet.

...

• automation
  • trying to work through task backlog by scripting
    • takes longer now, hopefully pays off later
    • for example :
      • linux : shell script to install Java, OpenJDK, and Coretto of various versions
        
        • don't really want to commit scripts to parent because that triggers a stack rebuild
      • windows : PoC running commands on Windows via a Jenkins Pipeline

        • Example :

          Code Block
          language groovy title Jenkins declarative Pipeline collapse true
          agent { label 'Windows' } stages { stage('Hello') { steps { echo 'Hello World' } } stage('Display Java version') { steps { bat "c:\\opt\\java\\jdk-11\\bin\\java.exe -version" } } } }

          
          

        • would like to try the Windows Installer from the command line
          • need the command line with all the args

          • (RDW) This should do it (I don't want to document this since it then becomes API):

            Code Block
            language bash title Runinstallandtest.cmd collapse true
            start /wait msiexec /q /lv* log.log /i IDP-4.0.1.1-x64.msi INSTALL_JETTY=TRUE DNSNAME=idp.example.com IDP_SCOPE=example.scope cd "c:\program files (x86)\shibboleth\ :loop timeout /t 11 if not exist idp\logs\idp-process.log goto loop timeout /t 10 idp\bin\status.bat echo %ERRORLEVEL%

            
            

      • working with AWS CLI to start / stop instances and create images
        • should be possible to automate AMI updates via a Pipeline
      • seems easy enough to run Jenkins locally for testing / development of test themselves
        • only takes a few minutes to add and set up the Amazon EC2 Plugin
• backlog :
  • consent tests
  • update AMIs (CentOS, RHEL, and Windows)
  • kernel update
  • document how to change your password
  • troubleshoot Henri's Nexus access permissions
  • experiment with --Dsurefire.useFile=false in CI to log errors to console
• Not real happy about IDP-1660, the consent sort-before-hash issue, dropped the ball on that one

...