2020-10-02
Shibboleth Developer's Meeting, 2020-10-02
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2020-10-16. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Add items for discussion here
Attendees:
Brent
- OSJ-324
Daniel
Henri
Drafted the java-oidc-common project with Phil last week
See wiki page for the current plan
Participated in an OIDCfed interoperability event this week
Some successful smoke-testing via PoC exploiting a fed-library from NIK-HEF
Musing on ways to enable (OIDC/OAuth2) feature extensions fluently
Some have new endpoints (e.g. Device-flow, PAR), some extend the existing endpoints (e.g. PKCE), ...
Keep these in mind while refactoring/repackaging into the new plugin/module
Ian
- XSTJ-82
In test with selected deployers
Wiki space for V3 reorganized, PKCS#11 section rewritten
Quick question about parent POM evolution
John
Marvin
Phil
- JDUO-15
Switched from using custom token verification actions to using the Nimbus claims and signature verification.
Perhaps should be made more extensible - although it does meet the 'Duo Spec' on what claims to verify.
- JDUO-17
Added a new Nimbus based Duo Client - so you could now run without the native Duo SDK.
Although it temporarily uses the Auth0 library to sign certain JWTs due to the size limitations of the Duo secret key - which Nimbus enforces.
Will try out plugin/module usage.
Rod
Plugins:
Further development on hold pending others playing with it.
Working with Scott on implementation details.
IDP-1683 and IDP-1652
Still an open question around logging vs System.out vs i18N - but this need not be fixed for 4.1
Talked to Ian about Nashorn and licensing
Made minor changes to the license documents we ship but we are happy that we can ship this under Apache
There is an open question about distributing the GraalVM bits
We can just bundle them
The GraalVM license appears to say this is OK
We decided to follow this modulo anyone telling us that our understanding is wrong.
We will prefer rhino in our documentation when Java >=15 becomes important.
We can prompt and download during install (which we once thought was a good idea)
We can make downloading them into edit-webapp a prerequisite and blame Oracle's Lawyers
This will be a fallback
I have given up caring. Let's pick one and close this sorry chapter.
Hitting low and slightly less low hanging JIRA cases
Notably I18N and the IdP