Shibboleth Developer's Meeting, 2021-02-05

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2021-02-19. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

AWS permissions
1. GEN-274 - Getting issue details... STATUS
New Duo plugin release for testing?
4.1 schedule ship in March, freeze end of February
1. when do we need all the JDKs and AMIs in CI ? (Tom)
2. when do we freeze Jetty ? (Tom)

Attendees:

Brent

OSJ-75 - Getting issue details... STATUS
- This turned out to be very easy
OSJ-118 - Getting issue details... STATUS
- Done, although still chewing over whether should by default support ~30 legacy curves that SunEC currently supports, but which are deprecated and require a system prop in Java 15+. Leaning towards yes. Relevant Oracle SunEC docs here.
OSJ-82 - Getting issue details... STATUS
- Not quite done on this yet, sidetracked on other things. All that remains is EncryptionParametersResolver.
OSJ-328 - Getting issue details... STATUS
- Pretty sure Scott is right about race condition. Actually more worried about the related conditions in LazyList, etc.

Daniel

Henri

JOIDC-17 - Getting issue details... STATUS
- All done: Java, XML-namespaces and profile identifiers
JOIDC-22 - Getting issue details... STATUS
- oauth2-oidc-sdk from 7.1.1 to 8.33 to 9.0
- nimbus-jose-jwt from 8.8 to 9.4.1
JOIDC-19 - Getting issue details... STATUS
JOIDC-11 - Getting issue details... STATUS
- Do we want to support OAuth2 flows not involving end-users?
- Had a meeting with a member using Shibboleth as IdP and OP, together with an OAuth2 AS
Testing plan
- Make pre-releases of oidc-common and OP
- Install them via plugin installer (via remote endpoint)
- Start running OIDC certification tests against the instance

Ian

Dependencies
Java 16 RC1 is out

John

Took another pass at producing a Docker image for SLES. Got further than the first try, but mainly succeeded in discovering subsequent problems to solve.
Began adding support for Amazon Linux.

Marvin

Phil

Various oidc-common and Duo plugin changes
- JCOMOIDC-9 - Getting issue details... STATUS - surfaced oidc-common as a plugin and single module. Created a BOM for import.
- JCOMOIDC-10 - Getting issue details... STATUS - bumped oidc-common to the very latest Nimbus libs. Henri completed that work on the OP.
- JDUO-28 - Getting issue details... STATUS Move JWT claims validation to a new framework in oidc-common
- JDUO-29 - Getting issue details... STATUS - delegated signature validation functions to oidc-common
Asked for help testing the Duo plugin on the Jisc-Shib list - no response yet.

Rod

Working through JIRA

Scott

Also working through JIRA

OSJ-328 - Getting issue details... STATUS

Plugin docs, cleanup

Testing

Tom

automation
- trying to work through task backlog by scripting
  - takes longer now, hopefully pays off later
  - for example :
    - linux : shell script to install Java, OpenJDK, and Coretto of various versions
      - don't really want to commit scripts to parent because that triggers a stack rebuild
    - windows : PoC running commands on Windows via a Jenkins Pipeline
      - Example :
        
        Jenkins declarative Pipeline Expand source
        
        agent { label 'Windows' } stages { stage('Hello') { steps { echo 'Hello World' } } stage('Display Java version') { steps { bat "c:\\opt\\java\\jdk-11\\bin\\java.exe -version" } } } }
      - would like to try the Windows Installer from the command line
        need the command line with all the args
        (RDW) This should do it (I don't want to document this since it then becomes API):
        
        Runinstallandtest.cmd Expand source
        
        start /wait msiexec /q /lv* log.log /i IDP-4.0.1.1-x64.msi INSTALL_JETTY=TRUE DNSNAME=idp.example.com IDP_SCOPE=example.scope cd "c:\program files (x86)\shibboleth\ :loop timeout /t 11 if not exist idp\logs\idp-process.log goto loop timeout /t 10 idp\bin\status.bat echo %ERRORLEVEL%
    - working with AWS CLI to start / stop instances and create images
      - should be possible to automate AMI updates via a Pipeline
    - seems easy enough to run Jenkins locally for testing / development of test themselves
      - only takes a few minutes to add and set up the Amazon EC2 Plugin
backlog :
- consent tests
- update AMIs (CentOS, RHEL, and Windows)
- kernel update
- document how to change your password
- troubleshoot Henri's Nexus access permissions
- experiment with --Dsurefire.useFile=false in CI to log errors to console
Not real happy about IDP-1660, the consent sort-before-hash issue, dropped the ball on that one

Other

Browser not supported