2022-02-18
Shibboleth Developer's Meeting, 2022-02-18
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-03-04. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Add items for discussion here
Move to Amazon Corretto 17 to build Site? Have been using OpenJDK 15 to overcome the search.js bug in 11, but as that is EOL it makes sense to move to a supported version.
Tested it with Ian using his Docker image, works well.
Ian: The amazoncorretto-17 image is new and intended for IdP v5 et al; moving to it for this would allow us to zap the openjdk-site image.
Any reason not to move our minimum of maven to 3.8.4 (GEN-308: Move maven up to latest version, Closed)?
Thread-local storage risk on new containers? Jetty starts consuming CPU that remains high even without any traffic · Issue #6973 · jetty/jetty.project
Attendees:
Brent
JCOMOIDC-41: Move OIDC Signature Validation resolvers and parameter classes to commons (Closed)
pushed some draft code up to dev branch, comments in the ticket
OSJ-347: Eliminate use of self-hosted MDQ server for unit tests (Closed)
Unit tests in OpenSAML and IdP are updated to use the InCommon MDQ server, and the MDQ server on http://test.shibboleth.net is shut down.
OSJ-334: Mitigation for bad logger implementation (Closed)
Done.
Daniel
Henri
JOIDC-72: Expand the set of supported claims in dynamic client registration (Closed)
Initial version done: the claims that are included in the metadata policies (via profile config or access token) are stored
JOIDC-21: Use token authentication for OIDC dynamic client registration (Closed)
Initial version of the issue-registration-token admin-flow and CLI pushed
Opaque access token only for now; security configuration wiring for JWT access tokens was not trivial
TODO:
Try different AdminFlow authentication approaches in practice
Wire authentication metadata (acr, principal) to the registration access token
JOIDC-76: Facilitate custom response header settings (e.g. CORS) (Closed)
In principle it seems to be possible to add filter-mappings dynamically via ServletContextInitializer
Ian
Java 18 now RC1.
Spring Framework 5.3.16 addresses SpEL issue (IDP-1901: Bug with Java 17 due to WarningIntercept, Closed).
John
Minor maintenance on cpp-linbuild images
Trying to find my place again on the Jenkins/Fargate stuff
Marvin
Phil
JCOMOIDC-40: Complete OIDCAttributeTranscoder decode values function (Open)
Have something for decoding unscoped strings. Will review and push next week. Other info in the ticket.
JOIDCRP-10: Improve scope resolution for Authentication Requests (Closed)
Switching the arbitrary client metadata method of registering RP->OP config, to RP profile config.
Other
UserInfo claims lookup, validation, and merge with id_token claims done.
Should support plain JSON UserInfo response objects along with signed and/or encrypted JWTs, once I plug in the TrustEngine.
Added attribute filtering after transcoding to the validation stage before claims are exposed as Attribute Principals to the wider IdP.
I will work with Tom soon to add RP to Jenkins.
Might need a new Git repo for the SWF test classes that are now shared between the Duo plugin and the RP plugin. Something like java-spring-webflow-tests, although it might not be useful to other plugins.
Rod
Supply chain defence:
All nightly builds now check all downloaded code jars against our keyrings
All distributions check the shipped jars against our keyrings
I believe that mvn versions:set is clean; mvn site:site opens a whole new jar of worms (GEN-310: The maven "site:site" command brings down another hundred jars, Closed). Are there other commands we need to worry about?
“Are we there yet?”
Scott
JOIDC-11: Support for client_credentials grant (Closed)
I think functionally complete at this point, including encryption
Cleaned up some bad design choices, think this will extend naturally to the code grant
Settled on client as requester, token audience as proxied requester for consistency with OIDC
Added support for authenticated, unverified use of introspection/revocation
Long term think we should continue pushing toward authenticated, unverified clients for OIDC as well
Tom
Working on integration tests with Jetty 10
Other