January 2023 Update

Created by Scott Cantor
Feb 09, 2023
2 min read

We are back from the holiday break and back at it.

I released a quick-turnaround SP V3.4.1 patch this evening, primarily as a vehicle to distribute a precautionary change to our libraries to block the primary attack vector that led to the advisory against the Java side of the project a couple of weeks ago. I spent a number of hours testing and analyzing code and while I concluded that for a few reasons, some accidental, the SP is not vulnerable to the exact issue reported, it was best to lock things down more aggressively and prevent something unexpected. A couple of other backlogged items were included in this patch. As I did last time, both x64 and ARM packages were published.

We have essentially finished work on IdP V4.3.0 and the release should be next week. We’re waiting on the next Spring 5 update so we can include it. This should wrap up work on the V4 branch and allow us to move full time to working on the main branch of the IdP and the libraries as we work on V5 and on the SP redesign in parallel. The SP may never ship on that codebase but we will be continuing to refactor and adjust things in support of that work so that they eventually ship on the same foundation.

Upgrades to 4.3 from anything recent will be very trivial, but one of the warnings we added is going to be a significant and necessary adjustment (though a very simple/mechanical one) for V5 compatibility. The ReleaseNotes already make a note of it. We will also be denoting the older Duo and OP plugin releases as “incompatible” with 4.3 so that we can encourage people to upgrade those to the recent versions. This is not a strictly technical requirement, but a pragmatic one, as the older versions will spit out a number of warnings that are easily avoided by just freshening the plugins along with the IdP upgrade.

Something I want to note is that I was mistaken in the past in both these updates and some public statements about Spring 5’s EOL date, which is NOT 2023 but rather 2024. So there is not a huge amount of urgency to get V5 out the door, and aiming for mid-year is both a realistic development goal and provides a full 18 months of time to upgrade (for something that isn’t likely to be a complex upgrade to begin with).

The OIDC RP plugin is basically done, more or less, but we will be completing the new JOSE security classes and moving the OP plugin over to them so that we can release the RP, OP, and updated Commons plugins at the same time. Right now, the OP and RP can’t really co-exist and that is being corrected. There will likely always be some lockstep involved in updating all those components and getting the first set out that co-exist will be a major milestone. Once that’s done we can take a step back and start planning out the future of the OP codebase and prioritizing future work there with our development partners.