Shibboleth Developer's Meeting, 2024-07-05

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-07-19. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at OSU, see announcement for access info.

AGENDA

1. RH7 EOL implications:

   1. SP packages don’t currently build because we used the decomm’d CentOS 7 repos to build them

   2. John will spend limited time investigating that, and/or look at making a RH7 build possible to allow continued unsupported builds of the packages there.

• (rdw) Jetty as a plugin

Attendees:

Brent

Daniel

Henri

• https://shibboleth.atlassian.net/browse/JOIDC-200

  • Currently no known issues, initial profile documentation at OPPushedAuthorization

  • https://shibboleth.atlassian.net/browse/JOIDC-212

  • • In short: with OAuth2 authorization requests, only use request object parameters. In OIDC, request object + query parameters can be merged.

• • Fine-tuning the refresh token sequence (differs a bit between confidential and public clients)

• • Breaking change in Nimbus API makes old oidc-common (with Nimbus v10) incompatible

  • Should we make the upcoming idp.oidc.common.6 -module incompatible with the previous ones? IMHO it’d need patching for RP and Duo too in order to support new commons too? Or is it satisfactory to document that if a deployer updates the commons-module, also OP needs to be updated?

Ian

• RHEL 7, CentOS 7 and Debian 10 are now EOL.

John

• Fixed centos7 build on ARM

• Updated all Docker images to latest available

  • centos7: N/A

  • centos8: N/A

  • amazonlinux2: 2.0.20240620.0

  • amazonlinux2023: 2023.5.20240624.0

  • rockylinux8: 8.10.20240528

  • rockylinux9: 9.4.20240523

  • rhel7: 7.9-1445

  • rhel8: 8.10-901.1717584420

  • rhel9: 9.4-1123

• • Drafted patch. Passed smoke test. Still need to check on other platforms.

Marvin

Phil

• WebAuthn Beta announced.

• - turn off signature counter updates if you wanted to limit storage service writes.

• - I completely forgot auditing of any kind. Easy to add to the authentication flow, more work to add to the admin flows. Almost there.

Rod

• Jetty 12 MSI

• Question: Where are we ready to (pseudo) fork a maintenance branch (across all repos) and move mainline to the next minor?

Scott

• Work on member comms for roadmap/etc

  • Will publish roadmap next week, might wait until after board mtg if there is one

• Prepping for xml-security transition, repo is public, Jira project created

• False alarm on an SP security issue, a few fixes accumulating so considering some kind of SP refresh

• Ongoing SP work

  • Working on some initial utility flows for storage, data sealing, RequestMap/XML parsing for agents

  • Unit tests and flow tests based on IdP’s flow test classes and configuration

  • Work on some draft docs:

Tom

Other