2024-05-03
Shibboleth Developer's Meeting, 2024-05-03
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-05-17. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
External testing
Long discussion, some takeaways:
We have at least a couple of people that either do test or would test release candidates if we were more clear on them.
We should start being more proactive about publishing project updates to the dev list, and producing near-term status/schedule updates for people to help awareness of where things are in the cycle.
Long-term, it might be nice to have a staging repository with access control for non-public access to releases for early access, maybe as a member benefit. Will discuss with Board.
Once we automate more of the release process, formal beta or RC releases might make some sense.
In the meantime, we should put together some kind of web page via scripting to let us attach status information for each product with pointers to the relevant snapshots in Nexus, so seeing where things stand and how to grab them would be easy for people. Exposing that in structured form might make sense too.
Attendees:
Brent
OSJ-400: Failure in OpenSAML tests with Santuario xmlsec 3.0.4 (Open)
Did my detailed review last week, looked fine. The original committer had been waiting on Sean to review, that appears to have happened yesterday. Will run our tests against a local build of their SNAPSHOT to confirm.
Daniel
Henri
JOIDC-200: Support for OAuth2 Pushed Authorization Requests (PAR) (Resolved)
More or less functional already, lacks polishing and testing
TODO: public client support, verify unregistered client support
JOIDC-201: Support for OAuth 2.0 Demonstrating Proof of Possession (DPoP) (Resolved)
Started with the DPoP Proof JWT validation (PAR and token endpoints)
Ian
On asymptotic approach to MDA 0.10.0
John
Minor maintenance: cpp-linbuild Docker image bumps for RHEL7, AZL2, AZL2023.
RHEL 9.4 is GA as of 2024-05-01
Marvin
Phil
JWEBAUTHN-11: Pull identity information from the AttributeResolver during registration (Closed)
There is now a strategy you can enable to pull the WebAuthn user.id and the user.displayName from the AttributeContext. There are also defaults if you do not want to do that, or you can supply your own.
JWEBAUTHN-8: Add an admin flow suitable for an sys admin to manage other users keys (Closed)
There is a basic admin flow for querying for, listing, and removing user credentials.
Trying to clean up the WebAuthn documentation.
I think we can go for a V1 beta in the next few weeks.
Still need to think more about storage.
Duo videos
Rod
Nothing.
Next up: Jetty 12 for Windows. Looking for significant simplification in the packaging
Scott
Draft of roadmap proposal done, sent to Board for review
“Final” Duo passwordless cleanup, adding admin flow for cookie manipulation and a few odds and ends.
Set up an EC2 build host for the SP (x86 for now), eventually will want this to be usable by others in case I’m incapacitated.
Returning to SP prototyping as to implications of making it a plugin
Per Slack, diagnosed an issue with the Spring socket gateway, not proving to be robust
Lots of factors steering back toward using HTTP for remoting, despite impact on Apache agent
Some thinking on agent call security
Starting to think about the config implications of serving multiple agents from one hub
IdP doesn’t really allow software-aware virtual hosting but multiple agents means the SP would need to
Impact on configuring behavior per-agent/application and per-relying-party
Considering alternative life choices
Tom
Working on Jetty 12 integration tests as well as OIDC
Other