2022-09-16

Shibboleth Developer's Meeting, 2022-09-16

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-10-07. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

Attendees:

Brent

  • https://shibboleth.atlassian.net/browse/OSJ-360

    • Done, after figuring out some pesky policy OID stuff.

  • Users list question about Veracode, EC named curves implies: Should we consider a security policy layer that blocks “weak” keys from being used (as opposed to weak signing/encryption/other algorithms)?

Daniel

 

Henri

  • https://shibboleth.atlassian.net/browse/JOIDC-127

    • The sid claim is required for the logout feature

    • Fairly simple to implement, but API-module changes cannot be avoided

    • Currently the authorize flow hardcoded to decode OIDC authentication requests

    • Prototyping with a decision-state before decoding request:

      • if the scope-parameter contains openid, it’s OIDC authentication request

      • OAuth authorization request otherwise

      • Refactor SWF actions / functions into using OIDC only when really OIDC-specific

Ian

  • Repository pruning continues.

  • Spring Framework 6.0.0-M6 (and 5.3.23) are out.

    • 6.0.0-RC1 due 2022-10-12.

    • 6.0.0-RC2 due 2022-10-20.

John

  • cpp-linbuild

    • Minor updates to Docker images

Marvin

 

Phil

  • WikiDocs -

  • Lots of little cleanups to the RP and some code TODOs.

  • commons merging, on the agenda.

 

Rod

  • Nothing to report

  • Apologies, I won’t be able to make the call

Scott

  • Refactoring…

    • Bean created that will rewrite class and parent declarations based on a map, and the bean is now installed on main branch for global and all service contexts. Should be able to add it to the flows too.

    • All of spring-extensions has been migrated to net.shibboleth.shared.spring.* package names with rules added to the rewrite map in global-system.xml. One stub left behind for web.xml compatibility.

    • Moved on to work on test refactoring. OpenSAML now has a -testing module for test APIs, and many of its impl modules now depend on it, but -api cannot to prevent loops. This necessitated breaking apart -core (which we should have done anyway) and also migrating a few other tests down into -impl modules.

      • Any tests of a package defined in -api but implemented in -impl tend to have “.tests” on the end of the package name to avoid package sealing violations.

      • Will be moving on to remaining layers to eliminate test-jar dependencies.

Tom

Other