Page Comparison

...

Add items for discussion here

Attendees:

Jira Legacy
server System Jira
serverId f52c7d31-6eab-3f0e-93c3-231b5754d506
key JSATTR-6
- Making good progress. Have some questions for Scott (or others).

Jira Legacy
server System Jira
serverId f52c7d31-6eab-3f0e-93c3-231b5754d506
key JOIDC-227
- Very simple to fix but was time-consuming to find
Jira Legacy
server System Jira
serverId f52c7d31-6eab-3f0e-93c3-231b5754d506
key JOIDC-200
- Jira Legacy
  server System Jira
  serverId f52c7d31-6eab-3f0e-93c3-231b5754d506
  key JOIDC-225
  - New lookup functions serve PAR and JAR (request-object logic) in a thread-safe fashion
- Jira Legacy
  server System Jira
  serverId f52c7d31-6eab-3f0e-93c3-231b5754d506
  key JOIDC-229
  - Previously the invalid scopes have simply been filtered out
Jira Legacy
server System Jira
serverId f52c7d31-6eab-3f0e-93c3-231b5754d506
key JOIDC-231
- Switched the workaround for the Nimbus' resource parameter handling
Jira Legacy
server System Jira
serverId f52c7d31-6eab-3f0e-93c3-231b5754d506
key JOIDC-230

Docker image minor maintenance: AL2/2023, RHEL8/9
Jira Legacy
server System Jira
serverId f52c7d31-6eab-3f0e-93c3-231b5754d506
key SSPCPP-993
- Distilling design notes into Confluence

Jira Legacy
server System Jira
serverId f52c7d31-6eab-3f0e-93c3-231b5754d506
key JWEBAUTHN-29
- Any error when canonicalizing the username input into the registration flow is just ignored. It is only used as a way to indicate if the user has FIDO credentials for the MFA logic to use.
Jira Legacy
server System Jira
serverId f52c7d31-6eab-3f0e-93c3-231b5754d506
key JWEBAUTHN-27
(Dev branch)
- Added customisable policies to accept or reject authenticators that create credentials during registration e.g. authenticator provider allow list
  - Can not yet do this on the supported options (such as UserVerification) of an authenticator in metadata, the metadata spec is wrong and the Yubico libraries are out of synch with it.
- Added customisable ‘Inspectors’ that can inspect the authenticator during registration and record capabilities/properties in the credential that gets stored. For example, this authenticator (software say) should only be allowed as a second factor and not a sole factor.
- Adding a policy engine for rejecting authenticators/credentials being used during authentication e.g. this is a sole factor authentication, but this credential was created by an authenticator that can only be used as a second factor.

Its all about the Jetty plugin.

Bludgeoned (I used the verb advisedly) a bat file to configure jetty as a system service on windows
- Much testing and fine tuning needed
Started the documentation /wiki/spaces/~53427082/pages/3910107152.
- Now is not the time to publish it (I believe)
- I need someone else to write the unix bits
- And review always welcome

SP patch getting closer to ready, Xerces 3.3.0 should be voted out next week or the week after.
- Planning to move the build for Windows up to the latest everything, OpenSSL 3.3.2, etc., so needs more testing than usual.
- OpenSSL 3.3 Windows debug build emits a ton of warnings about corrupt debugging info, not sure what it means.
Unit testing of the new SP’s SAML ACS flow ongoing
- Most of the servlet request access challenges there seem to be solved, required some changes to OpenSAML to bypass some checks and assumptions
- The SP Servlet object injection model is basically a try/finally around a call to set and clear the SP’s thread local servlet objects, so usually the model is to subclass an OpenSAML class, and call doExecute, doDecode, etc. in the try clause.
- Not sure how much I can unit test the artifact binding, maybe something like what CAS tests do with Jetty, not sure.