Shibboleth Developer's Meeting, 2021-08-06

Call Administrivia

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2021-08-20. Any reason to deviate from this?

60 to 90 minute call window.

This week's call will use the Zoom system at GU, see ZoomGU for access info.

Schedule for rest of Jira migrations
Handling support issues
@Ian Young : probably time to start thinking about
- Confirmed CentOS 8.5 will (briefly) be a thing, for perhaps a month, around the end of the year.
- Makes sense to migrate in advance of that mess.

Add items for discussion here

Java socket server: Have a very simple telnet echo server using Spring Integration. It’s very slick, everything is declarative using custom Spring XML. Now working on evaluating for overall appropriateness, e.g. performance. Not sure yet on things like the threading model and throughput.
My “fix” for the Bouncy Castle FIPS didn’t pan out b/c it’s actually missing even more classes.

https://issues.shibboleth.net/jira/browse/JOIDC-52
- The tokens produced by V1 and V2 of the extension are not compatible with 3.0.0 and 3.0.1
- Fix seems to be simple. The flow tests need to be improved to make sure this won’t happen again.
https://issues.shibboleth.net/jira/browse/JOIDC-53
- “Do not remember consent” option doesn’t work with the backend flows if encodeConsentInTokens is not enabled
- Could there be a way to exploit consent options outside the attribute-release flow?
Patch release next week with JOIDC-49 and JOIDC-52

Initial Java 17 release candidate expected any day now.
Debian 11 (Bullseye) expected 2021-08-14 or thereabouts.
- See
- I’m assuming we want to treat it the same as Debian 10 (smoke test, then add to https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1177321655 as “partially supported” for the Java 11 platform).
- I plan to pick it up when released to make sure there are no surprises (last time, interesting random source behaviour broke things).
Observation: Debian has a peculiar support lifecycle, in which there’s an initial end-of-support date on which responsibility for security patches passes to another team. For Debian 9 this was on 2020-07-18. That “long term support team” supports Debian 9 until 2022-06-30. Which date do we want to use to remove it from our list? NB: as Debian 9 only shipped with Java 8, this isn’t relevant for IdP V4 so it’s really mostly a question about policy for the future.

Managed to get Fargate wired up to EFS to run a test build, and not much else. Coordinating with Tom Z. to discuss options for a Jenkins DEV instance, and pipeline approaches.

Rebased our patched maven-javadoc-plugin on V3.3.0 of the official plugin.
- Probably not a good long-term solution. I might have to get into the weeds again to try and get them to incorporate a proper fix.
Added a unit and flow test for loading classpath* resources to the IdP.
They fixed an NPE, but it is not likely to occur in practice. So I do not think there is a rush to release a new version - although I guess there is no harm in doing so.
- Will wait for them to do their dependency updates before deciding what to do.
More in-depth work on:
- Discussed with Henri, made the transition, now needs looking at - have asked Henri for a sanity check.
- Pretty much a FunctionDrivenDynamicHTTPMetadataResolver but tied to an OIDCProviderMetadata result. Is pretty involved, I seem to be mostly copying the HTTPMetadataResolver stuff over to OIDC objects in JSON. If that makes sense I will keep going, but maybe that is not a good idea.
Also Out on Vacation and AFI 9-Aug to 13-Aug - but not with Rod.

Migration obviously
- Wiki “style guide” TBD to capture all the bugs and problems we have to step around
IdP regression