Shibboleth Developer's Meeting, 2024-05-17

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-06-07. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

Add items for discussion here

Attendees:

Brent

• Nothing.

Daniel

Henri

• JOIDC-201 - Getting issue details... STATUS

  • JCOMOIDC-113 - Getting issue details... STATUS

  • Basic DPoP access token use case more or less covered now with token and userinfo

    • If public key thumbprint is stored inside our token claims sets, DPoP access tokens are issued

      • thumbprint may be fetched in PAR or authorize -flows, or via DPoP proof

    • Profile configuration option to control requirements & claims validators

  • TODO

    • nonce-management

    • refresh token binding (public clients)

    • introspection and revocation support

• JCOMOIDC-115 - Getting issue details... STATUS

  • Upgrade is needed for the DPoP metadata-flag support: https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/467/support-for-dpop_bound_access_tokens-in

  • Before upgrade, we need a solution for a problem described in: https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/438/non-uri-resource-indicators

Ian

• May need to miss meeting, I have some people coming to fix our drains…

• MDA 0.10.0 released. Huzzah!

  • Some downstream work to be done before I’m really finished.

  • main is now 1.0.0-SNAPSHOT and there’s a maint-0.10 branch.

  • I don’t see value at present in nightly and multi jobs on the maintenance branch, but will create them if needed.

• New Spring Framework releases (including a new 6.2 milestone) available, will integrate those.

• Next up after that: Git conversion of the Santuario repository

John

Marvin

Phil

• JWEBAUTHN-12 - Getting issue details... STATUS

  • Add a guard to check a user who has already registered a webauthn credential can not by to register a new webauthn credential is

Rod

• Nothing

Scott

• Example script to report on project status based on a CSV file

  • http://shibboleth.net/cgi-bin/projstatus.cgi

• SP design and prototyping

• Conceptual model is visable in https://git.shibboleth.net/view/?p=java-plugin-shibd.git;a=blob;f=sp-conf-impl/src/main/resources/net/shibboleth/idp/module/conf/sp/agents.xml;h=6f5f1171a2ca15130f8cd009a0eee2e7e678428d;hb=HEAD

  • Agents have a unique ID and contain Applications.

    • Agents will be associated with some form of identity/credential to secure requests.

    • Applications have an ID that is unique within a given agent and expose a RelyingPartyConfigurationResolver to resolve the correct RPC and PC for a request.

  • Every layer allows override of the agent’s entityID, client_id, etc. The protocol identity is thus maintained solely in shibd and is no longer a concern of the agent. The shibd deployer is the one that associates Applications with protocol settings and ensures metadata given to IdPs, if it’s needed, is correct.

  • Pluggable rules control the virtual hosts associated with an agent/application, similar to what supporting unregistered OIDC clients might look like.

Tom

Other