Shibboleth Developer's Meeting, 2022-09-02

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-09-16. Any reason to deviate from this?

90 to 120 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

• https://shibboleth.atlassian.net/browse/JPAR-212

  • Obviously “document this insanity” is the real task, but should be update the links?

    • Scott to document current state before we decide

• Group IDs for new java-shib-* projects?

  • Change the shared ones to net.shibboleth, leave IdP alone for now

• https://shibboleth.atlassian.net/browse/IDP-1935

  • May want to visit this as part of the work reviewing the OIDC encryption code

Attendees:

Brent

• Xalan XSLT bug: Seems like we’re ok here

Daniel

• Nothing to report

Henri

• Absent today

• (At least) one more patch release needed for OP 3.2

Ian

• New repository trimming work:

  • Have this working for java-shib-attribute, probably

  • Empty commits and their tags are expunged as a side-effect

  • Size comes down from 80MB to 25MB, approx

  • Optional pre-renaming to help avoid the need for --follow

  • What to do about old tags and branches?

John

Marvin

Phil

• https://shibboleth.atlassian.net/browse/JOIDCRP-19 - hadn’t added the audit extractors. Have now. But just thinking it through.

  • Copied some OP extractors to commons.

• Completed some refactoring of the encryption resolvers.

  • Have not committed in-case Brent was in the middle of looking at its current state.

  • Mostly a refactor from subclasses to lookup strategies to determine algorithms to use and credential resolvers. The credential resolvers allow the reuse of the existing signature validation resolvers for looking up the client_secret from criterion, and the OP’s keys from its public keyset document.

  • Also removed the direct capability of resolver encryption keys from local config. The OIDC spec says the symmetric keys must be derived from client_secret, and the asymmetric keys must come from the OP’s keyset document - makes sense. That said, you could technically plug any cred resolver into it.

Rod

• Apologies, but may not make today’s meeting.

• Nothing to report.

Scott

• • Mostly done at this point.

  • Be aware compiler error/warnings are now uncontrolled

• Misc backlog

• Started the java-shib-shared refactor with a goal of eliminating unusual dependency chains based on test jars

  • Criteria for new modules? E.g., OpenSAML uses a Velocity class but not Spring, so a velocity module without requiring optional dependencies has a single class in it.

Tom

• working on Sauce Labs tests

  • seems to be a Selenium / Safari driver bug which prevents clicking on a radio button on iOS / iPadOS

• new Jenkins agents : AmazonLinux2 and Rocky9

  • still working on WindowsServer2022

Other