Shibboleth Developer's Meeting, 2022-06-17

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-07-01. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at OSU, see 'Re: Shibboleth developer call 2022-06-03: Updated Zoom Info' - MARC (same details apply as for 6/3).

AGENDA

• Merged repo: reactions and timescales (@Ian Young)

• Thoughts on opensaml-spring

Add items for discussion here

Attendees:

Brent

Daniel

• Merging ldaptive v2 into IDP v5

  • waiting until v5 main branch work settles down

Henri

The current non-resolved issues for OP 3.2:

• Regarding refresh tokens:

  • JOIDC-90: Revocation of individual tokensResolved

  • JOIDC-92: Support for refresh token rotationResolved

  • Almost there, some final polishings / documentation to do

• JOIDC-6: Release policy for OAuth2 scope values based on IdPAttributesResolved

  • Helper-function for scripts and example via attribute resolver service now exists

• JOIDC-112: PROTOCOL_MESSAGE.OAUTH2 log appender to trace all the exchanged protocol messagesResolved

  • Technically not complicated, will probably use PROTOCOL_MESSAGE.OAUTH2

• JOIDC-7: Support JWT access tokens for code or implicit grantsResolved

  • No known issues, I’ve run some tests for both OAUTH2.Token and OAUTH2.TokenAudience profiles

The plan is to release OP 3.2 and common 2.1 during the last week of June.

Ian

John

• Rocky Linux 9 forecast: “ready for general release in the June - July 2022 timeframe”

• Vanishingly little progress on cpp-linbuild for Fargate since last time due to competing demands on my time

Marvin

Phil

• JCOMOIDC-41: Move OIDC Signature Validation resolvers and parameter classes to commonsClosed RP updated to support Brent’s JOSE Header JWK resolver

• JCOMOIDC-45: Add a Decrypter for JWE tokens similar to the opensaml DecrypterClosedAdded JWT decryption and signature validation support to UserInfo JWT (which could just be a plain JSON object)

  • Test certain modes against the OIDC certification OP

• Improved the response_mode and response_type lookup from RP config

• Added scopes to RP config, default obviously openid.

• Added OIDC ACR proxy pass-through function from upstream SAML request (similar to SAML proxy)

• Flow XML cleanups

• More tests

Rod

• JSPT-98: Integrate lifecycle checking methods in base classesResolved

• OSJ-342: Investigate Strategies to end of life our use of Hibernate in V5Closed

• Windows Server recommendations.

Scott

• Working on IdP refactor

  • Cloned IdP into java-shib-metadata

    • shib-metadata-api/impl

      • Unfortunately depends on some shib-attribute modules due to EntityAttributes node processor, including an impl module

    • shib-metadata-spring (maybe it’s time to split these into -api/-impl?)

    • This is at least all building and passing tests

  • Cloned IdP into java-shib-attribute

    • shib-attribute-api/impl

      • Probably need to deprecate and move in various Attribute-related predicates and such out of other packages

    • shib-attribute-resolver-api/impl/spring

      • Some connectors and definitions will probably stay in the IdP somewhere (e.g. anything to do with Subject)

    • shib-attribute-filter-api/impl/spring

      • Filter impl relies on shib-metadata-api due to Scope extension

  • Considered Spring classes open to package rename/reorg, but not the rest for now

  • Fair bit of work left to get this building

Tom

• need to patch server

• worked on Windows Server 2022 image

Other