Shibboleth Developer's Meeting, 2024-07-05

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-07-19. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at OSU, see announcement for access info.

AGENDA

1. RH7 EOL implications:

   1. SP packages don’t currently build because we used the decomm’d CentOS 7 repos to build them

   2. John will spend limited time investigating that, and/or look at making a RH7 build possible to allow continued unsupported builds of the packages there.

• (rdw) Jetty as a plugin

Attendees:

Brent

Daniel

Henri

• JOIDC-200: Support for OAuth2 Pushed Authorization Requests (PAR)Resolved

  • Currently no known issues, initial profile documentation at OPPushedAuthorization

  • JOIDC-212: Empty/missing scope in authorization request produces uncaught exceptionResolved

  • JOIDC-214: Response type parameter handling in authorization endpointResolved

  • JOIDC-217: Support for OAuth2 JWT-Secured Authorization Request (JAR)Resolved

    • In short: with OAuth2 authorization requests, only use request object parameters. In OIDC, request object + query parameters can be merged.

• JOIDC-201: Support for OAuth 2.0 Demonstrating Proof of Possession (DPoP)Resolved

  • Fine-tuning the refresh token sequence (differs a bit between confidential and public clients)

• JCOMOIDC-115: Update Nimbus oauth2-oidc-sdk into 10.15Resolved

  • Breaking change in Nimbus API makes old oidc-common (with Nimbus v10) incompatible

  • JOIDC-210: Refactor support for non-URI resource indicators for Nimbus v11Resolved

  • Should we make the upcoming idp.oidc.common.6 -module incompatible with the previous ones? IMHO it’d need patching for RP and Duo too in order to support new commons too? Or is it satisfactory to document that if a deployer updates the commons-module, also OP needs to be updated?

Ian

• RHEL 7, CentOS 7 and Debian 10 are now EOL.

John

• Fixed centos7 build on ARM

• Updated all Docker images to latest available

  • centos7: N/A

  • centos8: N/A

  • amazonlinux2: 2.0.20240620.0

  • amazonlinux2023: 2023.5.20240624.0

  • rockylinux8: 8.10.20240528

  • rockylinux9: 9.4.20240523

  • rhel7: 7.9-1445

  • rhel8: 8.10-901.1717584420

  • rhel9: 9.4-1123

• SSPCPP-987: Packages for amazon linux 2023 contain don't install systemd service fileClosed

  • Drafted patch. Passed smoke test. Still need to check on other platforms.

Marvin

Phil

• WebAuthn Beta announced.

• JWEBAUTHN-13: Add option to disable signature count updatesClosed - turn off signature counter updates if you wanted to limit storage service writes.

• JWEBAUTHN-16: Add auditingClosed - I completely forgot auditing of any kind. Easy to add to the authentication flow, more work to add to the admin flows. Almost there.

Rod

• Jetty 12 MSI

• Question: Where are we ready to (pseudo) fork a maintenance branch (across all repos) and move mainline to the next minor?

Scott

• Work on member comms for roadmap/etc

  • Will publish roadmap next week, might wait until after board mtg if there is one

• Prepping for xml-security transition, repo is public, Jira project created

• False alarm on an SP security issue, a few fixes accumulating so considering some kind of SP refresh

• Ongoing SP work

  • Working on some initial utility flows for storage, data sealing, RequestMap/XML parsing for agents

  • Unit tests and flow tests based on IdP’s flow test classes and configuration

  • Work on some draft docs:Remote Operations Reference

Tom

Other