Shibboleth Developer's Meeting, 2023-11-17

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-12-01. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Any feedback or concerns around work planning

2. (PS) Signatures → javadoc plugin

Attendees:

Brent

• Nothing to report, just working on open issues.

Daniel

• Nothing to report.

Henri

• Absent today

• JOIDC-13: Support for OIDC LogoutClosed

  • RP-initiated logout

    • Flow tests now fairly complete - including complete JWE/JWS tests for the incoming id_token_hint

  • Propagation flow

    • The following approach for the flow tests seems to work:

      • Build an IdP-session with OIDCRPSession and call IdP’s “global” Logout-flow

      • Call event “propagate” in the view and make sure we’re in the LogoutPropagateView

      • Then call PropagateLogout-flow with SessionKey=1 and we’re now at the OIDC propagation flow

    • TODO: JWS/JWE tests for the backchannel notification message

  • (Automated) tests with the conformance suite are mostly working

    • Some refactoring needed for implicit flows (i.e. the ones not containing authorization code)

      • current OIDCRPSession popoulation only works via authorization code claims set

Ian

John

• Updating UBI versions (8.9, 9.3) and running test builds

Marvin

• Integrating Vue.js in the IDP frontend

Phil

• JPAR-207: Revert maven-javadoc-plugin to official Apache versionOpen

  • Of course, I didn’t fix it. Signature issues.

• JOIDCRP-50: Default 'sub' based C14N flow dos not runClosed

  • C14N differences inside the MFA flow. I should ensure all the new authn flows work inside the MFA flow.

  • I think fix with documentation of how to add a bean reference. But might revisit.

• Need to merge in the CSP protection stuff I added to commons and the RP.

• JDUO-78: Persist and expose Duo claims responseClosed - added a new DuoFactorPrincipal.

  • Looks like people want easier access to that (makes sense), so I should perhaps release that soon.

  • And some more documentation for the old and new ways to pull that out (see https://shibboleth.atlassian.net/browse/MUBC-19).

• WebAuthn

  • Pretty much figured out the Yubico JS for turning the JSON CredentialCreationOptions into a valid type for the WebAuthn API

    • Working on registration and credential validation, getting close to a super early prototype of that.

    • Will hook their JS and libs up to authentication next.

    • Then, tons of cleanup and to answer the questions around storage (for now using their in-memory storage stuff)

• Null tasks I need to look at, I’ve been neglecting.

• Versions near or ready for release:

  • RP 2.1.0

  • Duo 2.1.0 (or maybe 2.0.1)

  • Commons 3.1.0

Rod

• Nothing

Scott

• Plugin null cleanup as time permits

• Lagging documentation cleanup for V5

• Continued Jenkins/javadoc cleanup

• Revving all the projects to X.1-SNAPSHOT

• Work planning per https://shibboleth.atlassian.net/wiki/spaces/consort/pages/3295969281

Tom

• Still working on IDP-2175

Other