Shibboleth Developer's Meeting, 2021-12-03

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2021-12-17. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Santuario / Jakarta move → looks like 2.1 may be sunsetting pretty quickly, trying to get confirmation on a date

2. OIDC / OAuth coordination

3. (RDW) M2 verification is now on for IdP nightly build. Still outstanding (before we discuss other attacks)

   1. Process for accepting new certs - we have such a case outstanding for net.minidev:json-smart:2.4.7

   2. A plan for what to do if we do discover a forgery.

Attendees:

Brent

Daniel

Henri

• https://shibboleth.atlassian.net/browse/JCOMOIDC-25

  • Related to the agenda item “Process for accepting new certs”

• https://shibboleth.atlassian.net/browse/JCOMOIDC-28

  • JSON parsing via Jackson

  • Should now be compliant with the OIDCfed draft, including unit tests

• https://shibboleth.atlassian.net/browse/JOIDC-61

Ian

• https://shibboleth.atlassian.net/browse/MDA-266

John

Marvin

Phil

• JPAR-178 - Getting issue details... STATUS updated this. Seems OK - at least for now.

• Working on RP:

  • Profile configuration hookup (OIDC.SSO for now)

  • Message Encoders. Proposed to borrow the ideas used in the SpringAwareMessageEncoderFactory but for OAuth ResponseModes and RP authn request. In JCOMOIDC-27 - Getting issue details... STATUS

• Work on commons:

Rod

• https://shibboleth.atlassian.net/browse/SSPCPP-947

• https://shibboleth.atlassian.net/browse/JPAR-190

Scott

• SP 3.3

  • Would be nice to figure out if it’s “safe” to build these on an M1 Mac at some point.

  • Package signing was an issue, ended up tunnelling GPG up to the server after uploading

    • Maybe look at doing the signing from within the Docker images somehow? Probably pretty hard to pull off.

  • Already one minor bug in the deprecation logging, waiting for more bugs before I release a patch.

• Started reviewing code for OAuth client_credentials grant and JWT token work

  • General comment: there’s a ton of very complex machinery and token bloat built around the “avoid resolving some attributes on the backchannel” issue. We never even bothered to deal with this in SAML and it was never that big a concern that I’m aware of…was this a big enough concern to warrant all that effort and technical debt? Maybe moot I guess.

Tom

Other