2024-10-04
Shibboleth Developer's Meeting, 2024-10-04
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2024-10-18. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Add items for discussion here
Attendees:
Brent
JSATTR-6: SAML AttributeQuery DataConnector (Open)
Making good progress. Have some questions for Scott (or others).
Daniel
Looking at better messaging for LDAP PKIX errors.
Henri
JOIDC-227: OIDC RP-init Logout vm Uncaught runtime exception (Resolved)
Very simple to fix but was time-consuming to find
JOIDC-200: Support for OAuth2 Pushed Authorization Requests (PAR) (Resolved)
JOIDC-225: Relocate and improve lookup functions for request message contents (Resolved)
New lookup functions serve PAR and JAR (request-object logic) in a thread-safe fashion
JOIDC-229: Provide method for strict scope validation (Resolved)
Previously the invalid scopes have simply been filtered out
JOIDC-231: Multiple resource parameters cause MessageDecodingException (Resolved)
Switched the workaround for the Nimbus' resource parameter handling
JOIDC-230: Add flag to block additional audiences from initial access token (Resolved)
Ian
John
Docker image minor maintenance: AL2/2023, RHEL8/9
SSPCPP-993: Archive cpp-linbuild builder images in AWS ECR (In Progress)
Distilling design notes into Confluence
Marvin
Phil
JWEBAUTHN-29: username that does not canonicalize leads to uncaught exception (Closed)
Any error when canonicalizing the username input into the registration flow is just ignored. It is only used as a way to indicate if the user has FIDO credentials for the MFA logic to use.
JWEBAUTHN-27: Add basic authenticator policy (Closed, Dev branch)
Added customisable policies to accept or reject authenticators that create credentials during registration e.g. authenticator provider allow list
Cannot yet do this on the supported options (such as UserVerification) of an authenticator in metadata; the metadata spec is wrong and the Yubico libraries are out of sync with it.
Added customisable ‘Inspectors’ that can inspect the authenticator during registration and record capabilities/properties in the credential that gets stored. For example, this authenticator (software say) should only be allowed as a second factor and not a sole factor.
Adding a policy engine for rejecting authenticators/credentials being used during authentication e.g. this is a sole factor authentication, but this credential was created by an authenticator that can only be used as a second factor.
Rod
It's all about the Jetty plugin.
Bludgeoned (I used the verb advisedly) a bat file to configure jetty as a system service on windows
Much testing and fine tuning needed
Started the documentation.
Now is not the time to publish it (I believe)
I need someone else to write the unix bits
And review always welcome
Scott
SP patch getting closer to ready, Xerces 3.3.0 should be voted out next week or the week after.
Planning to move the build for Windows up to the latest everything, OpenSSL 3.3.2, etc., so needs more testing than usual.
OpenSSL 3.3 Windows debug build emits a ton of warnings about corrupt debugging info, not sure what it means.
Unit testing of the new SP’s SAML ACS flow ongoing
Most of the servlet request access challenges there seem to be solved, required some changes to OpenSAML to bypass some checks and assumptions
The SP Servlet object injection model is basically a try/finally around a call to set and clear the SP’s thread local servlet objects, so usually the model is to subclass an OpenSAML class, and call doExecute, doDecode, etc. in the try clause.
Not sure how much I can unit test the artifact binding, maybe something like what CAS tests do with Jetty, not sure.
Tom
IDP-2323: Exception in flow, when consent goes to the database (Open)
wrote a test for this with Postgres + HikariCP
current behavior is to throw an uncaught runtime exception and present error page to user if the index storage record has an invalid value
method throwing exception is AbstractConsentIndexedStorageAction#getStorageKeysFromIndex(); this is the index record whose value is all of the storage record keys
three use cases:
addKeyToStorageIndex
removeKeyFromStorageIndex
pruneStorageRecords
probably should not throw the runtime exception but instead overwrite the index record with whatever data is current
may lead to orphaned records, so log to error for admin to do cleanup ?
Other