Shibboleth Developer's Meeting, 2024-08-16
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-09-05. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Add items for discussion here
(PS) WebAuthn RC announce to ‘dev’ or ‘announce’?
Attendees:
Brent
OSJ-408: Review effects of Bouncy Castle 1.78's change to PEM parsing (Open)
Sadly the issue is confirmed. Leading spaces on header lines does break private key and cert parsing.
Happily naked base64-encoded DER (e.g. metadata) seems unaffected.
SAML AttributeQuery attribute resolver
Re-familiarizing with the DataConnector and Attribute APIs
Daniel
Nothing to report
Continuing work on IDP-2295: Update ldaptive to v2.4.0 (In Progress) and JSATTR-32: Update ldaptive to v2.4.0 (In Progress)
Henri
JOIDC-220: Outbound interceptor flows are not executed before error responses (Resolved)
Also moved the subflow-call to outbound interceptor flows after the response has been built, but before the encoding to HTTP response
JOIDC-201: Support for OAuth 2.0 Demonstrating Proof of Possession (DPoP) (Resolved)
The implementation should now cover the spec
Final missing feature was to require DPoP-binding of refresh tokens for public clients, but still enable bearer access token issuance
JCOMOIDC-115: Update Nimbus oauth2-oidc-sdk into 10.15 (Resolved)
TODO to investigate more if we could solely do minor updates of the Nimbus stack to avoid oidc.common -module incompatibilities
JOIDC-222: Support for OpenID Federation (In Progress)
Started with the Entity Configuration endpoint
Following Nimbus refactoring for their fed-implementation: OpenID Federation 1.0: Upgrade to projected implementer's draft March 2024
Ian
Fixed the long-standing MDA signature bug, as described last time.
Thanks to Phil and Alex, MDA 0.10.0 is now in production in the UKf.
John
Nothing new to report
Next up in no particular order:
Remove SPEC support for SUSE, and maybe old RHEL versions too
Copy/sign build targets
Keep builder images in ECR
Marvin
Phil
WebAuthn version 1 release.
Did not release v1, moved to a release candidate instead; version 1 expected end of August or early September
Issues caught while testing the beta:
Random number generation using SecureRandom.getInstanceStrong() used the NativePRNGBlocking type, which can hang on use.
Client-side storage was not being read from or written to properly for the admin flows. Affecting deployments which wanted to store credentials in the browser, which is not the default.
Some additional logging and property cleanups.
Possible WebAuthn next steps after v1:
JWEBAUTHN-9: Support HTTP APIs for registering and managing user credentials (Open) - Support HTTP APIs for registration
JWEBAUTHN-14: Support device-bound public key extensions (Open) - Support the draft WebAuthn extension to limit key generation to those bound to a device, i.e., those that do not sync, so excluding things like iCloud Keychain. This might be important in enterprise deployments.
Rod
Jetty plugin now installs Jetty and a bat/sh file to run it from a command line: Volunteers for Unix testing
Developing some ideas on using it to replace the windows installer
It hinges on making the windows installer a shell around
plugin -I net.shibboleth.idp.plugin.jetty
The amount of work will depend on how lenient the customers will be (so we will need to engage with them)
But first I want to get all the post install configuration script driven (if possible)
Scott
IdP patch
Metadata gen still broken, but not planning to rush that out. Suggesting we fully deprecate that for 6.0 and build a new online flow to generate IdP metadata after install if desired.
SP development
Most of SAML 2 initiator working, supporting options from profile config combined with agent input, subject to policy
Working on “state token” management implementations for RelayState, have untested versions using StorageService and cookies as in current SP
Don’t see a practical way to avoid exposing resource URLs to the hub, though I’d rather that weren’t a requirement, though in principle an agent could build more code inside itself to mask them, I just don’t intend to.
Tom
might miss the call
have a plan for fixing the consent issues
IDP-2304: Attribute Release VM could be improved (Resolved)
attribute-release template needs a little work after the accessibility changes
will probably add a simple action to validate that all attributes are consented to when per-attribute is false
Other