2022-09-02
Shibboleth Developer's Meeting, 2022-09-02
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-09-16. Any reason to deviate from this?
90 to 120 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
JPAR-212: Migrate javadoc links into individual projects (Closed)
Obviously “document this insanity” is the real task, but should we update the links?
Scott to document current state before we decide
Group IDs for new java-shib-* projects?
Change the shared ones to net.shibboleth, leave IdP alone for now
IDP-1935: SAML2 Auth flow fails to decrypt when using overridden responder id. (Closed)
May want to visit this as part of the work reviewing the OIDC encryption code
Attendees:
Brent
Xalan XSLT bug: Seems like we’re ok here
Daniel
Nothing to report
Henri
Absent today
(At least) one more patch release needed for OP 3.2
Ian
New repository trimming work:
Have this working for java-shib-attribute, probably
Empty commits and their tags are expunged as a side-effect
Size comes down from 80MB to 25MB, approx
Optional pre-renaming to help avoid the need for --follow
What to do about old tags and branches?
John
Marvin
Phil
JOIDCRP-19: Add audit context actions and audit extractors where necessary (Closed) - hadn’t added the audit extractors. Have now. But just thinking it through.
Copied some OP extractors to commons.
JOIDCRP-17: Add JWT Encryption Parameter Resolver Support (Closed) - Completed some refactoring of the encryption resolvers.
Have not committed in case Brent was in the middle of looking at its current state.
Mostly a refactor from subclasses to lookup strategies to determine algorithms to use and credential resolvers. The credential resolvers allow the reuse of the existing signature validation resolvers for looking up the client_secret from criterion, and the OP’s keys from its public keyset document.
Also removed the direct capability of resolving encryption keys from local config. The OIDC spec says the symmetric keys must be derived from client_secret, and the asymmetric keys must come from the OP’s keyset document - makes sense. That said, you could technically plug any cred resolver into it.
Rod
Apologies, but may not make today’s meeting.
Nothing to report.
Scott
GEN-315: Fix the mess of Eclipse files checked into git (Closed)
Mostly done at this point.
Be aware compiler error/warnings are now uncontrolled
Misc backlog
Started the java-shib-shared refactor with a goal of eliminating unusual dependency chains based on test jars
Criteria for new modules? E.g., OpenSAML uses a Velocity class but not Spring, so a velocity module without requiring optional dependencies has a single class in it.
Tom
working on Sauce Labs tests
seems to be a Selenium / Safari driver bug which prevents clicking on a radio button on iOS / iPadOS
new Jenkins agents: AmazonLinux2 and Rocky9
still working on WindowsServer2022
Other