Page Comparison

...

1. Santuario / Jakarta move → looks like 2.1 may be sunsetting pretty quickly, trying to get confirmation on a date

2. OIDC / OAuth coordination

   1. Inc. OP package name transfer to oidc-common for profile config. Which versions and when.

   2. Features in the OP which requires the metadata resolver work in odic-common

3. (RDW) M2 verification is now on for IdP nightly build. Still outstanding (before we discuss other attacks)

   1. Process for accepting new certs - we have such a case outstanding for net.minidev:json-smart:2.4.7

   2. A plan for what to do if we do discover a forgery.

Attendees:

Brent

• https://shibboleth.atlassian.net/browse/IDP-1870

  • Coding done, just final live testing to do.

• Will be out next meeting on Dec 17, so will need to use Scott’s Zoom, etc

Daniel

Henri

• https://shibboleth.atlassian.net/browse/JCOMOIDC-25

  • Related to the agenda item “Process for accepting new certs”

• https://shibboleth.atlassian.net/browse/JCOMOIDC-28

  • JSON parsing via Jackson

  • Should now be compliant with the OIDCfed draft, including unit tests

• https://shibboleth.atlassian.net/browse/JOIDC-61

  • Some fine-tunings needed to the resolvers / caches, co-operating with Phil

Ian

• https://shibboleth.atlassian.net/browse/MDA-266

...

• https://shibboleth.atlassian.net/browse/JPAR-178 updated this. Seems OK - at least for now.

• Working on RP:

  • Profile configuration hookup (OIDC.SSO for now)

  • Message Encoders. Proposed Propose to borrow the ideas used in the SpringAwareMessageEncoderFactory but for OAuth ResponseModes and RP authn request. In https://shibboleth.atlassian.net/browse/JCOMOIDC-27

• Work on commons:

  • Henri has ideas on how to improve the metadata resolver work, so I will revisit some of that.

  • https://shibboleth.atlassian.net/browse/JCOMOIDC-21 - move some of the OP profile configuration stuff into oidc-common. Some is needed by the RP. Added timescales to the agenda on what gets released when and how the changeover in the OP happens.

  • https://shibboleth.atlassian.net/browse/JCOMOIDC-26 - need to check JWT validation API is suitable for upcoming use cases.

• Other:

  • Maybe look to switch the default CSRF validation predicate to use a constant-time algorithm. Although the predicate is injectable and I am not sure adds much in our case.

Rod

• https://shibboleth.atlassian.net/browse/SSPCPP-947

• https://shibboleth.atlassian.net/browse/JPAR-190

...

• Please configure your Maven user settings ~/.m2/settings.xml according to Configuration on Setting Up, Configuring, and Using Maven
  To prepare for :

  • https://shibboleth.atlassian.net/browse/JPAR-197

  • https://shibboleth.atlassian.net/browse/GEN-299

    • Scott : could use help with redirects

    • Ian : could you monitor the new Maven URLs URL https://build.shibboleth.net/maven please ?
      

...