2022-05-20
Shibboleth Developer's Meeting, 2022-05-20
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-06-03. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
OP 3.2 scope/schedule
Time to branch for v5?
Add items for discussion here
Attendees:
Brent
JCOMOIDC-41: Move OIDC Signature Validation resolvers and parameter classes to commons (Closed)
Started looking at Phil’s recent changes, will do a writeup eventually. Not sure yet whether there’s anything that makes sense to be refactored in OpenSAML XML components for reuse here.
Daniel
Henri
JOIDC-99: Support OAuth 2.0 Authorization Server Issuer Identification as per RFC9207 (Resolved)
Implementation done, documentation TODO
JOIDC-104: Support to manipulate claims within the ID_Token (Resolved)
Implementation done, more unit testing and documentation TODO
JOIDC-97: Support C_HASH in ID_Token also for Authorization Code Flow with PKCE (Resolved)
Would be simpler, if id_token wasn’t produced via refresh_tokens
Current plan is to add c_hash value into the access/refresh token claims sets sealed inside opaque tokens
JOIDC-106: SAML Metadata for OIDC does not support space delimiter in response_types (Resolved)
Agreed that the fix should be done on commons - good timing as new commons minor is needed anyway
Perhaps "code code+token code+token+id_token", and a post processor would transform pluses into spaces
Next up:
The new refresh_token features
Ian
IDP-1892: Investigate forking Spring Web Flow for IdP 5 (Closed)
I have a functional SWF snapshot for the Java 17 / Spring 6 / EE 9 environment.
Do we need a Jira project for this?
Response from Spring team that they will support SWF in this environment, and that they welcome our collaboration. Hopefully this means we don’t need to maintain a fork of our own long term.
JPAR-186: Create Java 17 + Spring Framework 6 + Jakarta EE 9 platform (Closed)
I have a functional 5.0.0-SNAPSHOT (without plugins).
Working on build infrastructure.
Not all RHEL rebuilds are the same.
Also, RHEL 9 is now a thing (Rocky 9 soon). Implications?
Also, RHEL 7 is not long for this world (GA: 10 June 2014, end of full support: 6 August 2019, end of maintenance 1: 6 August 2020, end of maintenance 2: 30 June 2024, “extended life” ends 30 June 2026, see here). Implications? (Part proposal: never support IdP v5 on RHEL 7)
John
AWS-based SP build goo
Got script working to build builder images under Jenkins. Doesn’t handle Fargate task re-definition, among other things.
Started working on script to use builder images to build RPMs. This one may be a bit gnarly.
Work-in-progress on aws branch in git.shibboleth.net:obrienjw/cpp-linbuild, occasionally rebased on main
Chasing Docker images du jour. Today: Rocky 8.6.
Marvin
Phil
JCOMOIDC-41: Move OIDC Signature Validation resolvers and parameter classes to commons (Closed)
Changed how the client authentication and client secret are wired up. The client_secret is now a general JWK credential, i.e. a shared secret or a public/private key.
This is used to generate the correct client authentication, although the action that does that still only supports client_secret_basic and client_secret_post. It should now be possible to support client_secret_jwt and private_key_jwt.
The credential can then be fed into a new CriterionCredentialResolver via a new static credential criterion: to support MAC verification using the HS* algorithms (in addition to the existing public key signatures). Not sure if this is the best approach, but can be revisited.
JCOMOIDC-45: Add a Decrypter for JWE tokens similar to the opensaml Decrypter (Closed)
Working through decryption. Starting with ‘dir’ (Direct Encryption) to see if I can harvest some of the existing decryption work in the OP.
https://issues.apache.org/jira/browse/MJAVADOC-652 - Progress is slow. As Ian and I briefly discussed, I can not see a reason to place a third-party library on the patch-module path, and either we need a parameter to turn it off (I submitted a PR) or they need to change its behavior for projects where not all dependencies declare support for the module system.
Rod
OSJ-342: Investigate Strategies to end of life our use of Hibernate in V5 (Closed)
Issues with HSQLDB and Transactional (ho ho) ‘Isolation’
Setting isolation level down to READ_COMMITTED (or READ_UNCOMMITTED) makes things better (in terms of tests passing) but not perfect.
Turning transactional retries up blows HSQLDB.
Note that Hibernate doesn’t set isolation - it appears to install its own TM.
Do we want to add isolation level as a parameter to the Storage Service?
Testing with SQLServer looking hopeful
Looks like I'm finding real bugs
But we are still occasionally retrying transactions more than 6 times.
Bumping retries to 12 works. Sometimes.
Do we want to add optional explicit locking (poor man's TM)?
Scott
SP prototyping
Process shutdown management still uncertain
A few outstanding Spring Integration questions but it’s working pretty cleanly minus TLS support
Messages are dispatched via a reloadable service to auto-wired Endpoint objects (e.g. an Echo service) that will make up the “business logic”
Exceptions raised anywhere once messages are sent to the main service method are turned into output objects for the agents to consume as errors, more or less how shibd works today
Probably need to throttle down the detailed stack traces by default
We’ll need at least the attribute and metadata services pulled out of the IdP and configured similarly here, and they’ll be injectable into the “business” objects as needed
Tom
Jetty 10 integration test weirdness
Classpath issues and odd behavior of Surefire plugin
Other