2022-02-18

 

Shibboleth Developer's Meeting, 2022-02-18

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-03-04. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

Add items for discussion here

Attendees:

Brent

Daniel

 

Henri

Ian

John

  • Minor maintenance on cpp-linbuild images

  • Trying to find my place again on the Jenkins/Fargate stuff

Marvin

 

Phil

  • https://shibboleth.atlassian.net/browse/JCOMOIDC-40

    • Have something for decoding unscoped strings. Will review and push next week. Other info in the ticket.

  • https://shibboleth.atlassian.net/browse/JOIDCRP-10

    • Switching the arbitrary client metadata method of registering RP->OP config, to RP profile config.

  • Other

    • UserInfo claims lookup, validation, and merge with id_token claims done.

      • Should support Plain JSON UserInfo response objects along with signed and or encrypted JWTs - when I plugin the TrustEngine.

    • Added attribute filtering after transcoding to the validation stage before claims are exposed as Attribute Principals to the wider IdP.

    • I will work with Tom soon to add RP to Jenkins.

    • Might need a new Git repo for the SWF test classes that are now shared between the Duo plugin and the RP plugin. Something like java-spring-webflow-tests

      • Although it might not be useful to other plugins

 

Rod

  • Supply chain defence:

    • All nightly builds now check all downloaded code jars against our keyrings

    • All distributions check the shipped jars against our keyrings

    • I believe that mvn versions:set is clean,

    • mvn site:site opens a whole new jar of worms https://shibboleth.atlassian.net/browse/GEN-310

    • Are there other commands we need to worry about.

    • “Are we there yet?”

Scott

  • https://shibboleth.atlassian.net/browse/JOIDC-11

    • I think functionally complete at this point, including encryption

    • Cleaned up some bad design choices, think this will extend naturally to the code grant

    • Settled on client as requester, token audience as proxied requester for consistency with OIDC

  • Added support for authenticated, unverified use of introspection/revocation

  • Long term think we should continue pushing toward authenticated, unverified clients for OIDC as well

Tom

  • Working on integration tests with Jetty 10

Other