2024-02-16
Shibboleth Developer's Meeting, 2024-02-16
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-03-01. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Rod: IDP-2242 Can/Should we stop using “Unsupported” and rely instead on SECADV/OutOfDate/Current?
5.1 freeze schedule
Feature freeze on 2/26, code freeze 3/4 and release that week if possible
Santuario (C++) future
Will make a proposal for a cut down V3 either at Apache if accepted, or we close it down, and fork if not (at which point it’s optional for us to do if we want).
Attendees:
Brent
https://shibboleth.atlassian.net/browse/OSJ-391
Think this is done? Leave defaults as they are now?
https://shibboleth.atlassian.net/browse/OSJ-392
Think I have a workable solution for the role descriptor adapter issues (mutable collections, and setters which throw). Need to test, mindful of the freeze timing.
Daniel
Henri
JOIDC-186: Support additional refresh token types (Closed)
The JWT refresh token seems to be working as expected in test deployments
https://shibboleth.atlassian.net/browse/JCOMOIDC-96 and JOIDC-196: Enhance metadata and unregistered client policy config options (Closed)
Working OK for both metadata policies (in registration) and unregistered client policies
Do we want to make a scriptable abstract bean for custom policy operator?
https://shibboleth.atlassian.net/browse/JCOMOIDC-99
Found when integrating the custom operators (above) to the merging function
Automated logout testing scripts still need to be fine-tuned for minimal template changes
Polishing and minor changes before minor release - and NonNull-work..
Ian
John
Marvin
Phil
RP developments
https://shibboleth.atlassian.net/browse/JOIDCRP-54
Hook to add arbitrary claims into the signed Request Object.
https://shibboleth.atlassian.net/browse/JOIDCRP-51
Allowed the RP to send empty ACR and AMR claims to the translators. The translation function can be overridden with their own.
WebAuthn developments:
https://shibboleth.atlassian.net/browse/JWEBAUTHN-2 Missing 1 key for cose-java. It looks like Emil has eliminated that dependency from the Yubico libraries, and will be releasing a patch release (2.5.1) very soon. When we grab that, we will not need the key.
Lots of cleanups.
A decent amount of work on the registration process.
Username and password authentication to first register a WebAuthn credential, but WebAuthn flow is required once you have one.
Requires username collection as a first step in the registration flow.
Adding attestation support even if not used initially.
Rod
EDS: We have had three patches submitted. New release?
https://shibboleth.atlassian.net/browse/IDP-2240 New helper class with 6 methods - any more needed?
IDP-2242: We need to rationalize the use of plugin categories. (Closed) (agenda)
https://shibboleth.atlassian.net/browse/IDP-2236 - I plan to use this to write the documentation
Other IdP Bugs
Scott
Grant proposal was submitted by Jisc.
Met with Duo regarding Passwordless, follow up planned prior to finalizing
Thymeleaf plugin - think this is in a satisfactory place for the release
https://shibboleth.atlassian.net/browse/IDP-2233
Will consider whether there’s more worth doing but probably good enough for now.
https://shibboleth.atlassian.net/browse/IDP-2245
Noting this only because I did do the initializer refactor to use the new shared base class. I can’t see this causing problems but I’ll want to test that on my dev system before we freeze.
Tom
OIDC tests: looking for example / test flows (as discussed on Slack, thank you)
nit: maybe add link to source on wiki pages for IdP plugins
Other