2021-02-05

Owned by Ian Young
Last updated: Jul 29, 2021
3 min read

Shibboleth Developer's Meeting, 2021-02-05

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2021-02-19. Any reason to deviate from this?

60 to 90 minute call window.


Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.


AGENDA

  1. AWS permissions
    1. GEN-274 - Getting issue details... STATUS
  2. New Duo plugin release for testing?
  3. 4.1 schedule   ship in March, freeze end of February
    1. when do we need all the JDKs and AMIs in CI ? (Tom)
    2. when do we freeze Jetty ? (Tom)

Attendees:


Brent

  • OSJ-75 - Getting issue details... STATUS
    • This turned out to be very easy
  • OSJ-118 - Getting issue details... STATUS
    • Done, although still chewing over whether should by default support ~30 legacy curves that SunEC currently supports, but which are deprecated and require a system prop in Java 15+. Leaning towards yes.  Relevant Oracle SunEC docs here.
  • OSJ-82 - Getting issue details... STATUS
    • Not quite done on this yet, sidetracked on other things.  All that remains is EncryptionParametersResolver.
  • OSJ-328 - Getting issue details... STATUS
    • Pretty sure Scott is right about race condition.  Actually more worried about the related conditions in LazyList, etc.


Daniel


Henri

  • JOIDC-17 - Getting issue details... STATUS
    • All done: Java, XML-namespaces and profile identifiers
  • JOIDC-22 - Getting issue details... STATUS
    • oauth2-oidc-sdk from 7.1.1 to 8.33 to 9.0
    • nimbus-jose-jwt from 8.8 to 9.4.1
  • JOIDC-19 - Getting issue details... STATUS
  • JOIDC-11 - Getting issue details... STATUS
    • Do we want to support OAuth2 flows not involving end-users?
    • Had a meeting with a member using Shibboleth as IdP and OP, together with an OAuth2 AS
  • Testing plan
    • Make pre-releases of oidc-common and OP
    • Install them via plugin installer (via remote endpoint)
    • Start running OIDC certification tests against the instance

Ian

  • Dependencies
  • Java 16 RC1 is out


John

  • Took another pass at producing a Docker image for SLES. Got further than the first try, but mainly succeeded in discovering subsequent problems to solve.
  • Began adding support for Amazon Linux.

Marvin


Phil

  • Various oidc-common and Duo plugin changes
    • JCOMOIDC-9 - Getting issue details... STATUS  - surfaced oidc-common as a plugin and single module. Created a BOM for import.
    • JCOMOIDC-10 - Getting issue details... STATUS  - bumped oidc-common to the very latest Nimbus libs. Henri completed that work on the OP.
    • JDUO-28 - Getting issue details... STATUS  Move JWT claims validation to a new framework in oidc-common 
    • JDUO-29 - Getting issue details... STATUS  - delegated signature validation functions to oidc-common
  • Asked for help testing the Duo plugin on the Jisc-Shib list - no response yet.


Rod

Working through JIRA


Scott

Also working through JIRA

OSJ-328 - Getting issue details... STATUS

Plugin docs, cleanup

Testing

Tom

  • automation
    • trying to work through task backlog by scripting
      • takes longer now, hopefully pays off later
      • for example :
        • linux : shell script to install Java, OpenJDK, and Coretto of various versions
          • don't really want to commit scripts to parent because that triggers a stack rebuild
        • windows : PoC running commands on Windows via a Jenkins Pipeline

          • Example :

            Jenkins declarative Pipeline 
               agent {
        label 'Windows'
    }

    stages {
        stage('Hello') {
            steps {
                echo 'Hello World'
            }
        }
        stage('Display Java version') {
            steps {
                bat "c:\\opt\\java\\jdk-11\\bin\\java.exe -version"
            }
        }
    }
}
          • would like to try the Windows Installer from the command line
            • need the command line with all the args

            • (RDW) This should do it (I don't want to document this since it then becomes API):

              Runinstallandtest.cmd 
              start /wait msiexec /q /lv* log.log /i IDP-4.0.1.1-x64.msi INSTALL_JETTY=TRUE DNSNAME=idp.example.com IDP_SCOPE=example.scope
cd "c:\program files (x86)\shibboleth\
:loop
timeout /t 11
if not exist idp\logs\idp-process.log goto loop
timeout /t 10
idp\bin\status.bat
echo %ERRORLEVEL%
        • working with AWS CLI to start / stop instances and create images
          • should be possible to automate AMI updates via a Pipeline
        • seems easy enough to run Jenkins locally for testing / development of test themselves
          • only takes a few minutes to add and set up the Amazon EC2 Plugin
  • backlog :
    • consent tests
    • update AMIs (CentOS, RHEL, and Windows)
    • kernel update
    • document how to change your password
    • troubleshoot Henri's Nexus access permissions
    • experiment with --Dsurefire.useFile=false in CI to log errors to console
  • Not real happy about IDP-1660, the consent sort-before-hash issue, dropped the ball on that one

Other