...
Santuario / Jakarta move → looks like 2.1 may be sunsetting pretty quickly, trying to get confirmation on a date
OIDC / OAuth coordination
Inc. OP package name transfer to oidc-common for profile config. Which versions and when.
Features in the OP which requires the metadata resolver work in odic-common
(RDW) M2 verification is now on for IdP nightly build. Still outstanding (before we discuss other attacks)
Process for accepting new certs - we have such a case outstanding for
net.minidev:json-smart:2.4.7A plan for what to do if we do discover a forgery.
Attendees:
Brent
https://shibboleth.atlassian.net/browse/IDP-1870
Coding done, just final live testing to do.
Will be out next meeting on Dec 17, so will need to use Scott’s Zoom, etc
Daniel
Henri
https://shibboleth.atlassian.net/browse/JCOMOIDC-25
Related to the agenda item “Process for accepting new certs”
https://shibboleth.atlassian.net/browse/JCOMOIDC-28
JSON parsing via Jackson
Should now be compliant with the OIDCfed draft, including unit tests
https://shibboleth.atlassian.net/browse/JOIDC-61
Some fine-tunings needed to the resolvers / caches, co-operating with Phil
Ian
John
Marvin
Phil
https://shibboleth.atlassian.net/browse/JPAR-178 updated this. Seems OK - at least for now.Jira Legacy server System JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId f52c7d31-6eab-3f0e-93c3-231b5754d506 key JPAR-178 Working on RP:
Profile configuration hookup (OIDC.SSO for now)
Message Encoders. Proposed Propose to borrow the ideas used in the SpringAwareMessageEncoderFactory but for OAuth ResponseModes and RP authn request. In
Jira Legacy server System JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId f52c7d31-6eab-3f0e-93c3-231b5754d506 key JCOMOIDC-27
Work on commons:
Work on commons:
Henri has ideas on how to improve the metadata resolver work, so I will revisit some of that.
https://shibboleth.atlassian.net/browse/JCOMOIDC-21 - move some of the OP profile configuration stuff into oidc-common. Some is needed by the RP. Added timescales to the agenda on what gets released when and how the changeover in the OP happens.
https://shibboleth.atlassian.net/browse/JCOMOIDC-26 - need to check JWT validation API is suitable for upcoming use cases.
Other:
Maybe look to switch the default CSRF validation predicate to use a constant-time algorithm. Although the predicate is injectable and I am not sure adds much in our case.
Rod
...
SP 3.3
Would be nice to figure out if it’s “safe” to build these on an M1 Mac at some point.
Package signing was an issue, ended up tunnelling GPG up to the server after uploading
Maybe look at doing the signing from within the Docker images somehow? Probably pretty hard to pull off.
Already one minor bug in the deprecation logging, waiting for more bugs before I release a patch.
Started reviewing code for OAuth client_credentials grant and JWT token work
General comment: there’s a ton of very complex machinery and token bloat built around the “avoid resolving some attributes on the backchannel” issue. We never even bothered to deal with this in SAML and it was never that big a concern that I’m aware of…was this a big enough concern to warrant all that effort and technical debt? Maybe moot I guess.
Tom
Please configure your Maven user settings
~/.m2/settings.xmlaccording to Configuration on Setting Up, Configuring, and Using Maven
To prepare for :https://shibboleth.atlassian.net/browse/GEN-299
Scott : could use help with redirects
Ian : could you monitor the new Maven URL
https://build.shibboleth.net/mavenplease ?