...
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-01-05. Any reason to deviate from this?
...
This week's call will use the Zoom system at OSU, see http://shibboleth.net/pipermail/dev/2023-December/011148.html for access info.
AGENDA
...
JavaScript encoding - any simpler alternatives to OWASP?
Plugin testing - per IDP-1712
Attendees:
Brent
I’m on vacation this meeting and also next meeting, assuming it’s still Fri Jan 5 (back at work on Mon Jan 8 )
OSJ-391: Done unless we find any issues
Scott will review usage of the relevant class to understand how we might provide a simple means of adjusting things for deployers (if there isn’t already one).
OSJ-392: Nominally done. Will do some final review and possibly some more unit tests in early Jan.
Daniel
Henri
JOIDC-186: Drafted an approach that seems to work:
Refresh token type in profile configuration
Token endpoint can be wired with a customisable Map of functions (keyed with refresh token type) that encode RefreshTokenClaimsSet into whatever String
Validating endpoints (token, introspection, revocation) can be wired with a list of functions that decode String back to RefreshTokenClaimsSet
Ian
John
Nothing of substance to report.
Marvin
Phil
Just working on the WebAuthn plugin
Working registration and authentication
The code is a mess. Still not looked in detail at storage API implementations
Thinking about the different use cases:
Passkeys (discoverable credentials). No username, select credential on the authenticator and send that back to the IdP. Requires ResidentKey, and authentication I think requires UserVerification (UV) and UserPresence (UP) checks. Working
Passwordless. Username initial input. Does not require ResidentKey, but still requires UP check and UV. Works, but I do not have an initial username input page yet.
2FA. Run after a previous factor. Does not require ResidentKey, requires UP check but not UV. It does not set these options correctly, currently (although it shouldn’t be hard to signal this).
The plugin bundle is working, although it contains a ‘selection’ view-page to choose between keys or password which probably is not needed in the final product, need to think about that.
Maybe make something alpha more public mid Jan.
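The three use cases in the WebAuthn notes above map onto the WebAuthn `residentKey` / `userVerification` options and onto the UP and UV flag bits the server reads from the authenticator data. The following is an added example, not part of the meeting notes or the plugin's code; the `discouraged` values chosen where the notes say "does not require", and all function names, are assumptions.

```javascript
// Added example, not plugin code. Policy follows the three use cases in the
// notes; the "discouraged" values and all names are assumptions.
const POLICY = {
  passkey:      { residentKey: "required",    userVerification: "required",    discoverable: true },
  passwordless: { residentKey: "discouraged", userVerification: "required",    discoverable: false },
  secondFactor: { residentKey: "discouraged", userVerification: "discouraged", discoverable: false },
};
function policyFor(useCase) {
  if (!Object.prototype.hasOwnProperty.call(POLICY, useCase)) throw new Error(`unknown use case: ${useCase}`);
  return POLICY[useCase];
}

// authenticatorSelection for navigator.credentials.create() at registration.
function authenticatorSelection(useCase) {
  const { residentKey, userVerification } = policyFor(useCase);
  return { residentKey, requireResidentKey: residentKey === "required", userVerification };
}

// publicKey options for navigator.credentials.get(). Passkeys send an empty
// allowCredentials so the authenticator offers its discoverable credentials;
// the username-first flows list the credential IDs registered for that user.
function requestOptions(useCase, challenge, userCredentialIds = []) {
  const p = policyFor(useCase);
  if (!p.discoverable && userCredentialIds.length === 0)
    throw new Error(`${useCase} needs the user's registered credential IDs`);
  const allowCredentials = p.discoverable ? [] : userCredentialIds.map((id) => ({ type: "public-key", id }));
  return { challenge, userVerification: p.userVerification, allowCredentials };
}

// Server side: authenticatorData = rpIdHash(32) | flags(1) | signCount(4) | ...
// Flag bit 0 is User Present (UP), bit 2 is User Verified (UV).
function checkFlags(useCase, authData) {
  const p = policyFor(useCase);
  if (!(authData instanceof Uint8Array) || authData.length < 37)
    return { ok: false, reason: "authenticatorData too short" };
  const up = (authData[32] & 0x01) !== 0, uv = (authData[32] & 0x04) !== 0;
  if (!up) return { ok: false, reason: "UP not set" };
  if (p.userVerification === "required" && !uv) return { ok: false, reason: "UV required but not set" };
  return { ok: true, reason: "", up, uv };
}

// Constructed sample: zeroed rpIdHash and signCount, only the flags byte set.
function sampleAuthData(flags) {
  const d = new Uint8Array(37);
  d[32] = flags;
  return d;
}
```

The request options only ask the client for user verification; the flag check on the returned authenticator data is what enforces it.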
Rod
Nothing.
Been thinking about plugin/IdP version testing
IDP-1712
Scott
5.1 backlog
IDP-2057: Works, but so ugly, this is why I never tried it until now.
Some review of Duo as passwordless solution, still have to mock that up
IDP-2212: This is a repeat of something Spring supposedly fixed, and I haven’t reasoned out a likely cause for a 5.0 system now to exhibit it, hoping reporter comes back with something.
Tom
thanks Scott (IDP-2175)
still needs tests
jenkinsfile “strategy” needs review (IDP-1712)