Shibboleth Developer's Meeting, 2021-07-02

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2021-07-16. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Atlassian provisioning options.

Attendees:

Brent

• Back from vacation. No progress to report. Next up is continuing to look at the Java socket server question.

Daniel

Henri

• JOIDC-21 - Getting issue details... STATUS

  • High-level planning at: OIDC registration endpoint planning

  • Functional PoC for the admin flow & CLI

  • Access token encoding/encryption: the current method used for Authz codes and access/refresh tokens rely unnecessarily to Nimbus

Ian

• Java 17: now being tested in -multi jobs; all seems well.

  • Nashorn 15.3: "The most notable change is that Nashorn now works with JDK 17.", see see https://twitter.com/OpenJDK/status/1410603091490054166

  • This is something to do with Unsafe.defineAnonymousClass I think, not clear why we aren't seeing issues in -multi jobs.

• SKS (PGP/GPG) keyservers are defunct (RTBF/GDPR, apparently). Acronyms much?

John

• Not much to report. Started to look at AWS container options for cloudifying cpp-linbuild.

Marvin

Phil

• JDUO-47 - Getting issue details... STATUS
   added test, fixed, and deployed 1.1.1 of the Duo plugin

• Maven cleanup

  • JPAR-178 - Getting issue details... STATUS
     - we can get rid of our patched one from Nexus.

  • JPAR-176 - Getting issue details... STATUS
     - thanks to the work Scott put in, I think this is done, other than testing (and some possible adjustment of server-side scripts) during a release.

• OIDC-RP

  • Slow progress, hopefully have more time now the Maven stuff is done.

  • Spent a small amount of time on Webfinger for OP discovery - can not see much support for this. 

    • The plugin probably should provide some support? to support OP discovery on the flow (like SAML proxying does with IdP disco).

    • Strategy-based lookup for now.

• Test

Rod

• 'test' to check against our poms is complete and in place.  @Scott Cantormade some changes to our parent pom.

• 'test' to check war contents signing is ongoing.

• We are going to have to have a conversation about jar signing & supply chain attacks.  

Scott

• Started wiki migration, member pages "in production"

• JPAR-175 - Getting issue details... STATUS

• JPAR-176 - Getting issue details... STATUS

• A few more 4.2 odds and ends

Tom

• Regrets - will miss call

• Green lights on browser tests

  • Run latest-browsers vs latest-Jetty vs IdP-latest and IdP-next nightly ?

    • don't need to re-run tests against static versions

    • Sauce Labs tests are slower than local headless Firefox

Open

Other