2022-05-20
Shibboleth Developer's Meeting, 2022-05-20
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-06-03. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
OP 3.2 scope/schedule
Time to branch for v5?
Add items for discussion here
Attendees:
Brent
https://shibboleth.atlassian.net/browse/JCOMOIDC-41
Started looking at Phil’s recent changes, will do a writeup eventually. Not sure yet whether there’s anything that makes sense to be refactored in OpenSAML XML components for reuse here.
Daniel
Henri
https://shibboleth.atlassian.net/browse/JOIDC-99
Implementation done, documentation TODO
https://shibboleth.atlassian.net/browse/JOIDC-104
Implementation done, more unit testing and documentation TODO
https://shibboleth.atlassian.net/browse/JOIDC-97
Would be simpler if id_token wasn’t produced via refresh_tokens
Current plan is to add c_hash value into the access/refresh token claims sets sealed inside opaque tokens
https://shibboleth.atlassian.net/browse/JOIDC-106
Agreed that the fix should be done on commons - good timing as new commons minor is needed anyway
Perhaps: code, code+token, code+token+id_token, and a post-processor would transform pluses into spaces
Next up:
The new refresh_token features
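Added example (not Shibboleth OP code) of the c_hash mechanism behind the JOIDC-97 plan above: the OIDC Core 3.3.2.11 hash of the authorization code (left half of the hash chosen by the ID token's JWS alg, base64url without padding) is computed once at code exchange, sealed into the opaque token claims, and copied into an ID token issued later by the refresh_token grant. The alg table, function names and the sample code value are assumptions constructed here.

```python
import base64
import hashlib
import hmac

# JWS alg -> hash function (RFC 7518 alg names; OIDC Core 3.3.2.11 rule)
_HASH_FOR_ALG = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512,
}


def token_hash(value: str, id_token_alg: str) -> str:
    """c_hash / at_hash: left half of hash(ASCII value), base64url, no padding."""
    try:
        hash_fn = _HASH_FOR_ALG[id_token_alg]
    except KeyError:
        raise ValueError(f"unsupported ID token alg: {id_token_alg}") from None
    digest = hash_fn(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def seal_claims_with_c_hash(claims: dict, code: str, id_token_alg: str) -> dict:
    """Claims to seal into the opaque access/refresh token at code exchange.
    Storing c_hash rather than the raw code lets a later refresh_token grant
    emit an ID token with a matching c_hash without retaining the code itself."""
    sealed = dict(claims)
    sealed["c_hash"] = token_hash(code, id_token_alg)
    return sealed


def id_token_claims_from_refresh(sealed: dict, id_token_claims: dict) -> dict:
    """Build ID token claims for a refresh: copy c_hash out of the sealed claims."""
    out = dict(id_token_claims)
    out["c_hash"] = sealed["c_hash"]
    return out


def check_token_hash(value: str, id_token_alg: str, claimed: str) -> bool:
    """RP-side check; constant-time compare so a prefix match leaks nothing."""
    return hmac.compare_digest(token_hash(value, id_token_alg), claimed)


if __name__ == "__main__":
    code = "SplxlOBeZQQYbYS6WxSbIA"  # constructed sample, not a real code
    sealed = seal_claims_with_c_hash({"sub": "alice", "scope": "openid"}, code, "RS256")
    idt = id_token_claims_from_refresh(sealed, {"sub": "alice", "aud": "client-1"})
    print(idt["c_hash"], check_token_hash(code, "RS256", idt["c_hash"]))
```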
Ian
https://shibboleth.atlassian.net/browse/IDP-1892
I have a functional SWF snapshot for the Java 17 / Spring 6 / EE 9 environment.
Do we need a Jira project for this?
Response from Spring team that they will support SWF in this environment, and that they welcome our collaboration. Hopefully this means we don’t need to maintain a fork of our own long term.
https://shibboleth.atlassian.net/browse/JPAR-186
I have a functional 5.0.0-SNAPSHOT (without plugins).
Working on build infrastructure.
Not all RHEL rebuilds are the same.
Also, RHEL 9 is now a thing (Rocky 9 soon). Implications?
Also, RHEL 7 is not long for this world (GA: 10 June 2014, end of full support: 6 August 2019, end of maintenance 1: 6 August 2020, end of maintenance 2: 30 June 2024, “extended life” ends 30 June 2026, see here). Implications? (Part proposal: never support IdP v5 on RHEL 7)
John
AWS-based SP build goo
Got script working to build builder images under Jenkins. Doesn’t handle Fargate task re-definition, among other things.
Started working on script to use builder images to build RPMs. This one may be a bit gnarly.
Work-in-progress on aws branch in git.shibboleth.net:obrienjw/cpp-linbuild, occasionally rebased on main
Chasing Docker images du jour. Today: Rocky 8.6.
Marvin
Phil
https://shibboleth.atlassian.net/browse/JCOMOIDC-41
Changed how the client authentication and client secret are wired up. The client_secret is now a general JWK credential, i.e. a shared secret or a public/private key.
This is used to generate the correct client authentication, although the action that does that still only supports client_secret_basic and client_secret_post. It should now be possible to support client_secret_jwt and private_key_jwt.
The credential can then be fed into a new CriterionCredentialResolver via a new static credential criterion: to support MAC verification using the HS* algorithms (in addition to the existing public key signatures). Not sure if this is the best approach, but can be revisited.
https://shibboleth.atlassian.net/browse/JCOMOIDC-45 working through decryption. Starting with ‘Dir’ (Direct Encryption) to see if I can harvest some of the existing decrypted work in the OP.
https://issues.apache.org/jira/browse/MJAVADOC-652 - Progress is slow. As Ian and I briefly discussed, I cannot see a reason to place a third-party library on the patch-module path, and either we need a parameter to turn it off (I submitted a PR) or they need to change its behavior for projects where not all dependencies declare support for the module system.
Rod
https://shibboleth.atlassian.net/browse/OSJ-342
Issues with HSQLDB and Transactional (ho ho) ‘Isolation’
Setting isolation level down to READ_COMMITTED (or READ_UNCOMMITTED) makes things better (in terms of tests passing) but not perfect. Turning transactional retries up blows HSQLDB.
Note that hibernate doesn’t set isolation - it appears to install its own TM.
Do we want to add isolation level as a parameter to the Storage Service?
Testing with SQLServer looking hopeful
Looks like I'm finding real bugs
But we are still occasionally retrying transactions more than 6 times.
Bumping retries to 12 works.
Sometimes
Do we want to add optional explicit locking (poor man's TM)?
Scott
SP prototyping
Process shutdown management still uncertain
A few outstanding Spring Integration questions but it’s working pretty cleanly minus TLS support
Messages are dispatched via a reloadable service to auto-wired Endpoint objects (e.g. an Echo service) that will make up the “business logic”
Exceptions raised anywhere once messages are sent to the main service method are turned into output objects for the agents to consume as errors, more or less how shibd works today
Probably need to throttle down the detailed stack traces by default
We’ll need at least the attribute and metadata services pulled out of the IdP and configured similarly here, and they’ll be injectable into the “business” objects as needed
Tom
Jetty 10 integration test weirdness
Classpath issues and odd behavior of Surefire plugin
Other