Shibboleth Developer's Meeting, 2023-02-17

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-03-02. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

Add items for discussion here

Attendees:

Brent

• https://shibboleth.atlassian.net/browse/JSSH-16

  • Plan on pushing all the updated projects early next week.

    • All IdP stack + metadata aggregator (just a runtime dep). Missing anything?

    • Likely some minor odd/ends left, but get the major bits of the refactor into main branches.

    • Anyone else planning any big commits in that timeframe? We should coordinate to avoid stepping on one another.

  • Hit a couple of unknown (to me) aspects of HttpClient, interesting to note for the future.

    • Unconditional retries of failed connections over all resolved DNS entries for hostname, where “failed” includes a TLS handshake failure.

    • We effectively disable connection reuse in our HttpClientBuilder by default via use of RequestConnectionClose interceptor.

      • Our TrustEngine-based TLS fails on second and subsequent requests unless this is enabled. Need to see if there is a way to address this.

  • Were we ever expecting to need or want HTTP/2 support? The HC classic client does not support and “most likely never will” per the HC developer.

Daniel

• Conflict today, cannot attend.

Henri

• JCOMOIDC-41: Move OIDC Signature Validation resolvers and parameter classes to commonsClosed

  • Global exclusion now works and tested for signature validation

  • Decryption configuration seems to work, but request object logic needs to be improved (see below)

  • Working on signature signing tests (id_token, JWT access token, userinfo) - spotted one bug with EC keys

  • Encryption tests with varying configurations still totally missing

• JOIDC-142: Improve Request Object handling and configurationClosed

  • So far OP has only supported the use of RP metadata for security configuration

  • OP should also exploit the new predicates used by RP (force use of request objects, signing and encryption)

  • We should also support forcing specific attributes to be included in the request object

Ian

John

Marvin

Phil

• Extra tests and cleanup for the RP

• JCOMOIDC-65: OIDC/OAuth shared config module setupClosed

  • The config module is now fully operational as a plugin —I needed to add sub-modules so the assembly of the tar.gz made sense

  • Basic wiki page up

• Added include and exclude algorithm checks to the trust engine. The others had it and I forgot.

• JCOMOIDC-48: Move OIDC.SSO profile bean to commonsClosed

  • This is working out of the config module.

  • I’ve installed all three plugins (commons, config, and RP) into my running IdP and it is working fine.

    • I will install the OP snapshot as well to check.

• Will release RP 0.10.0 today or Monday, and will host snapshots of oidc-commons and oidc-config on the downloads site (as before, but now with the config).

• Nimbus fixed their truncation bug, so I’ve updated commons to the latest version

• JDUO-65: Align audit logging to delivered feature in IdPClosed

Rod

• Unable to attend

• Primarily IDP-2069: Null Handling TaskClosed

• Use the recommended setting from Configuring Eclipse | Recommended Configuration and on a sub project by sub project basis remove all the red (errors) and take a preliminary pass at the yellow (warning)

• Not spending much/any time on test code right now

• Making notes in the case of any oddities I encounter or leitmotifs (Instant.now() is an example of ‘I know it’s non null but eclipse doesn’t’

• Currently up to cas-impl

Scott

• JSPROF-1: Move RelyingParty "layer" into java-shib-profileClosed

  • RelyingPartyResolverService reimplemented to be CriteriaSet-based and is outside IdP

  • Removed “hide the ServiceableComponent API” abstraction, may revisit same issue for metadata, access control

  • Working on ProfileConfiguration cleanup, moving “most” API usage to interfaces, may move all the concrete classes back out of API

    • SP and IdP overlap is not that extensive here but will share what little there is

    • Tentatively not planning to produce shareable SAML 1 interfaces at this time

Tom

• Jenkins

  • Created jobs for :

    • GEN-319: Add OIDC RP plugin to JenkinsClosed

    • GEN-321: Add java-idp-plugin-oidc-config to JenkinsOpen

    • but no -multi jobs - do we need those too ?

  • Updated Linux and Windows AMIs

    • When should we start using Maven 3.9.0 ?

    • spent most time scripting installers, which we have for :

      • all the necessary versions of Oracle Java and Amazon Coretto

      • Maven

      • webdrivers : geckodriver and chromedriver*
        * no signature
        why is TLS trust not sufficient, remind me ?

      • on Linux and Windows

      • private repo tzeller/java-parent-project

    • Suggestion : PGP KEYS files should be prefixed with the project, e.g.
      SHIBBOLETH-KEYS
      MAVEN-KEYS
      GECKODRIVER-KEYS
      etc. or some other naming convention

  • I know Rod’s out but it might be nice if the IdP (or I guess SP) installer could download and validate updates :
    e.g. bin/install.sh --download-latest-version-and-validate-signature

Other