2021-08-20
Shibboleth Developer's Meeting, 2021-08-20
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2021-09-03. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
IDP-1853: Remove Javascript dependencies from the IdP distribution (Closed) (notes under “Rod”)
Flip the default “Nashorn” plugin to be JDK based and leave Graal as an option. (Notes under “Rod”)
JPAR-182: Check our Distributions for consistency (Closed) (Notes under “Rod”)
Deploy to Maven Central (Tom)
proposal: go ahead and deploy to Maven Central as-is, and schedule moving our <repo> to a profile
summary: proposal accepted, will update the OSSRH ticket and give it a week or so
Add items for discussion here
Attendees:
Brent
Java socket server: Some progress integrating Scott’s DDF code for a more realistic proof-of-concept of Spring Integration. Overall, more optimistic that Integration could be the solution.
Daniel
Henri
JOIDC-52: Uncaught exception with the tokens produced by V1/V2 of the extension (Closed)
The bug was related to token and userinfo endpoints
The flow tests now improved for all backend OAuth2/OIDC flows dealing with tokens
Some incompatibilities with legacy tokens remain due to consent refactoring before V3, see table (currently restricted, to be added under release notes for 3.0.2)
JOIDC-55: Custom metrics (counters/timers) are not updated with the OIDC-flows (Closed)
The custom counters/timers seem to work after adding evaluation of PopulateMetricContext after prc has been initialized
JOIDC-21: Use token authentication for OIDC dynamic client registration (Closed)
Once this is done, could also help OIDC RP for the same topic?
Ian
Java 17 RC is out, final RC imminent, GA on 2021-09-14
Proposed to target Java 18: JEP 400: UTF-8 by Default
Debian 11 (Bullseye) released
Includes an up-to-date Java 11.
Includes an earlier EA of Java 17, to be upgraded.
See GEN-281: Evaluate Debian 11 (Bullseye) (Closed) for details of evaluation.
I think we can add this to the “partially supported” list in Java Distributions | Java Distributions for the Java 11 Platform (but only for Java 11 for now, of course) and call it a day.
John
Discussed Jenkins approaches with Tom
Modest progress on standing up my own Jenkins instance to abuse, hindered by network troubleshooting
Marvin
Phil
Nothing really (holidays)
Started back on JCOMOIDC-23: Add OpenID Provider Configuration Document Resolver (Open) yesterday.
Realised I was not on the Users mailing list, and a few questions had gone by about the DuoOIDC plugin. Not sure I can respond retrospectively. I could add some input to two of them via a new mail to the list?
Rod
JavaScript
Supply Chain attack. Hibernate and JBOSS worry me
Dependency on an 8-year-old and 3 major versions out of date parser (ANTLR)
Recent, required jars are unsigned.
Do we shake their tree or suck it up? (If the latter, can someone sign these jars and pop the asc files into our repository?)
NOTE that this trick only works for as long as build.shibboleth.net remains definitive for our builds. If we move to a site we don’t own we are back being open to attack at any time. (Modulo hard wired overrides for insecure jars)
Wiki Conversion as a background activity.
Scott
GEN-268: Atlassian Cloud migrations (Closed)
https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/2765979673
Will shut off Jira and downsize the server after Sep 1.
Will archive all the Apache configs and remove the old rules, may turn off the SP, EDS, etc.
SP metadata is in InCommon, managed by OSU, will remove after that date.
Tom
Deploy artifacts to Maven Central? yes
Confirmed changes to artifacts currently in Central (removal of our <repo>s from POMs)
(wrote script to download artifacts from Central under org/opensaml and net/shibboleth and diff with Nexus)
Us or someone else?
Move <repo> to profile? maybe, depends
Scheduling? either parent 4.2 or 5.x
Versioning?
minor bump to parent POM? minor bump seems ok
Other