...
JSSH-16: Plan on pushing all the updated projects early next week.
All IdP stack + metadata aggregator (just a runtime dep). Missing anything?
Likely some minor odds and ends left, but get the major bits of the refactor into main branches.
Anyone else planning any big commits in that timeframe? We should coordinate to avoid stepping on one another.
Hit a couple of unknown (to me) aspects of HttpClient, interesting to note for the future.
Unconditional retries of failed connections over all resolved DNS entries for hostname, where “failed” includes a TLS handshake failure.
We effectively disable connection pooling reuse in our HttpClientBuilder by default via use of RequestConnectionClose interceptor.
Our TrustEngine-based TLS fails on second and subsequent requests unless this is enabled. Need to see if there is a way to address this.
Were we ever expecting to need or want HTTP/2 support? The HC classic client does not support it and “most likely never will” per the HC developer.
Daniel
Conflict today, cannot attend.
Henri
JCOMOIDC-41: Global exclusion now works and is tested for signature validation
Decryption configuration seems to work, but request object logic needs to be improved (see below)
Working on signature signing tests (id_token, JWT access token, userinfo) - spotted one bug with EC keys
Encryption tests with varying configurations still totally missing
JOIDC-142: So far the OP has only supported the use of RP metadata for security configuration
OP should also exploit the new predicates used by RP (force use of request objects, signing and encryption)
We should also support forcing specific attributes to be included in the request object
Ian
John
Marvin
Phil
Extra tests and cleanup for the RP
JCOMOIDC-65: The config module is now fully operational as a plugin. I needed to add sub-modules so the assembly of the tar.gz made sense
Basic wiki page up
Added include and exclude algorithm checks to the trust engine. The others had it and I forgot.
JCOMOIDC-48: This is working out of the config module.
I’ve installed all three plugins (commons, config, and RP) into my running IdP and it is working fine.
I will install the OP snapshot as well to check.
Will release RP 0.10.0 today or Monday, and will host snapshots of oidc-commons and oidc-config on the downloads site (as before, but now with the config).
Nimbus fixed their truncation bug, so I’ve updated commons to the latest version
JDUO-65
Rod
Unable to attend
Primarily IDP-2069: Use the recommended setting from https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1122271670/Configuring+Eclipse#Recommended-Configuration and, on a sub-project by sub-project basis, remove all the red (errors) and take a preliminary pass at the yellow (warnings)
Not spending much/any time on test code right now
Making notes in the case of any oddities I encounter or leitmotifs (Instant.now() is an example of ‘I know it’s non-null but Eclipse doesn’t’).
Currently up to cas-impl
...
Jenkins
Created jobs for:
GEN-319 and GEN-321, but no -multi jobs. Do we need those too?
Updated Linux and Windows AMIs
When should we start using Maven 3.9.0?
Spent most time scripting installers, which we have for:
all the necessary versions of Oracle Java and Amazon Coretto
Maven
webdrivers: geckodriver and chromedriver*
* no signature
why is TLS trust not sufficient, remind me?
on Linux and Windows
private repo tzeller/java-parent-project
Suggestion: PGP KEYS files should be prefixed with the project, e.g.
SHIBBOLETH-KEYS
MAVEN-KEYS
GECKODRIVER-KEYS
etc. or some other naming convention
I know Rod’s out but it might be nice if the IdP (or I guess SP) installer could download and validate updates:
e.g. bin/install.sh --download-latest-version-and-validate-signature