Shibboleth Developer's Meeting, 2022-05-20

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-06-03. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

• OP 3.2 scope/schedule

• Time to branch for v5?

Add items for discussion here

Attendees:

Brent

• JCOMOIDC-41: Move OIDC Signature Validation resolvers and parameter classes to commonsClosed

  • Started looking at Phil’s recent changes, will do a writeup eventually. Not sure yet whether there’s anything that makes sense to be refactored in OpenSAML XML components for reuse here.

Daniel

Henri

• JOIDC-99: Support OAuth 2.0 Authorization Server Issuer Identification as per RFC9207 Resolved

  • Implementation done, documentation TODO

• JOIDC-104: Support to manipulate claims within the ID_TokenResolved

  • Implementation done, more unit testing and documentation TODO

• JOIDC-97: support C_HASH in ID_Token also for Authorization Code Flow with PKCEResolved

  • Would be simpler, if id_token wasn’t produced via refresh_tokens

  • Current plan is to add c_hash value into the access/refresh token claims sets sealed inside opaque tokens

• JOIDC-106: SAML Metadata for OIDC does not support space delimiter in response_typesResolved

  • Agreed that the fix should be done on commons - good timing as new commons minor is needed anyway

  • Perhaps code code+token code+token+id_token and post processor would transform pluses into spaces

• Next up:

  • The new refresh_token features

Ian

• IDP-1892: Investigate forking Spring Web Flow for IdP 5Closed

  • I have a functional SWF snapshot for the Java 17 / Spring 6 / EE 9 environment.

  • Do we need a Jira project for this?

  • Response from Spring team that they will support SWF in this environment, and that they welcome our collaboration. Hopefully this means we don’t need to maintain a fork of our own long term.

• JPAR-186: Create Java 17 + Spring Framework 6 + Jakarta EE 9 platformClosed

  • I have a functional 5.0.0-SNAPSHOT (without plugins).

  • Working on build infrastructure.

• Not all RHEL rebuilds are the same.

• Also, RHEL 9 is now a thing (Rocky 9 soon). Implications?

• Also, RHEL 7 is not long for this world (GA: 10 June 2014, end of full support: 6 August 2019, end of maintenance 1: 6 August 2020, end of maintenance 2: 30 June 2024, “extended life” ends 30 June 2026, see here). Implications? (Part proposal: never support IdP v5 on RHEL 7)

John

• AWS-based SP build goo

  • Got script working to build builder images under Jenkins. Doesn’t handle Fargate task re-definition, among other things.

  • Started working on script to use builder images to build RPMs. This one may be a bit gnarly.

  • Work-in-progress on aws branch in git.shibboleth.net:obrienjw/cpp-linbuild, occasionally rebased on main

• Chasing Docker images du jour. Today: Rocky 8.6.

Marvin

Phil

• JCOMOIDC-41: Move OIDC Signature Validation resolvers and parameter classes to commonsClosed

  • Changed how the client authentication and client secret are weird up. The client_secret is now a general JWK credential i.e. a shared secret or a public/private key

    • This is used to generate the correct client authentication, although the action that does that still only supports client_secret_basic and client_secret_post. It should now be possible to support client_secret_jwt and private_key_jwt.

    • The credential can then be fed into a new CriterionCredentialResolver via a new static credential criterion: to support MAC verification using the HS* algorithms (in addition to the existing public key signatures). Not sure if this is the best approach, but can be revisited.

  • JCOMOIDC-45: Add a Decrypter for JWE tokens similar to the opensaml DecrypterClosed working through decryption. Starting with ‘Dir’ (Direct Encryption) to see if I can harvest some of the existing decrypted work in the OP.

  • https://issues.apache.org/jira/browse/MJAVADOC-652 - Progress is slow. As Ian and I briefly discussed, I can not see a reason to place a third-party library on the patch-module path, and either we need a parameter to turn it off (I submitted a PR) or they need to change its behavior for projects where not all dependencies declare support for the module system.

Rod

• OSJ-342: Investigate Strategies to end of life our use of Hibernate in V5Closed

  • Issues with HSQLDB and Transactional (ho ho) ‘Isolation’

    • Setting osolation level down to READ_COMMITTED (or READ_UNCOMITTED) makes things better (in terms of tests passing) but not perfect

    • Turning transactional retries up blows HSQLDB

    • Note that hibernate doesn’t set isolation - it appears to install its own TM.

    • Do we want to add Isolation level as a parameter to the Storage Service

  • Testing with SQLServer looking hopeful

    • Looks like I'm finding real bugs

    • But we are still occasionally retrying transactions more than 6 times.

    • Bumping retries to 12 works.

    • Sometimes

  • Do we want to add optional explicit locking (poor man's TM)?

Scott

• SP prototyping

  • Process shutdown management still uncertain

  • A few outstanding Spring Integration questions but it’s working pretty cleanly minus TLS support

  • Messages are dispatched via a reloadable service to auto-wired Endpoint objects (e.g. an Echo service) that will make up the “business logic”

  • Exceptions raised anywhere once messages are sent to the main service method are turned into output objects for the agents to consume as errors, more or less how shibd works today

    • Probably need to throttle down the detailed stack traces by default

  • We’ll need at least the attribute and metadata services pulled out of the IdP and configured similarly here, and they’ll be injectable into the “business” objects as needed

Tom

• Jetty 10 integration test weirdness

  • Classpath issues and odd behavior of Surefire plugin

Other