2025-05-16
Shibboleth Developer's Meeting, 2025-05-16
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2025-06-06. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Urgency? I would claim not terribly high, certainly has a ton of crazy assumptions.
Workstreams or questions to address…
SP agents authenticating hub – questions around viability of the options we have for this on Windows
Board meeting updates
Attendees:
Brent
Will be out June 4-28, so not around for those calls
https://shibboleth.atlassian.net/browse/JSATTR-6
Still making progress, hope to have working by end of May before PTO
Daniel
Henri
Absent today, apologies
https://shibboleth.atlassian.net/browse/JOIDC-222
Main topic lately: metadata policy
The new implementation is compatible with the Connect2Id test vectors
Vectors are integrated to unit tests and one flow test (to start with)
The special case (OAuth2 scopes) is now handled correctly
Space-separated list of values is transformed into a list for the operators
Our old policy use cases (OIDC dyn.reg. and unregistered client policies) work as before
Some fine-tunings to the explicit registration flow
Ian
Wondered why everything looks vaguely like Comic Sans today? Atlassian have their own terrible fonts now.
No, there does not seem to be a way to disable the new throbbing “someone else is also looking at this page” indicator at the top of the page.
Red Hat Enterprise Linux 10 is now GA (more or less).
ssh d10b from the jump host for my test instance
Java 21 seems to be the only version available from Red Hat this time, although I’d guess they will add 25 later in the year.
Debian 13 (Trixie) is expected late May or June.
ssh trixe for the current snapshot of testing
Java 8, 11, 17, 20, 21, 22, 23, 24 and 25 in various states of support
Platform for IdP v6? 17? 21? 25?
Spring Framework 7 will still support Java 17.
John
Absent from the DEV call today
Bumped RHEL 10 images to GA, completed test builds, and deployed test EC2 instances
Marvin
Phil
Releases:
WebAuthn 1.2.0
DuoOIDC 2.2.1
WebAuthn:
https://shibboleth.atlassian.net/browse/JWEBAUTHN-55
Adding a BiConsumer to allow you to run some logic for success and failure audit events in various WebAuthn registration functions e.g. add/remove keys.
OIDC RP:
https://shibboleth.atlassian.net/browse/JOIDCRP-74 and https://shibboleth.atlassian.net/browse/JOIDCRP-75 based on the draft Updates to Audience Values for OAuth 2.0 Authorization Servers
This is on the agenda.
Rod
PKIX misery/WinHttp
Scott
Not especially productive (esp. after that paper dropped), but making slow progress on SP session cache
Reimplemented cleanup logic using C++11 thread/concurrency APIs
Starting to sketch out API and SPI (for backend persistence create/read/delete)
Update operations are the major problem, not only because of basic challenges but because we want to avoid constant per-request polling or updating of the data to keep agent processes in sync, which limits what we can actually allow to be changed.
An option on the table is occasional session “replacement” where updating the content of a session results in issuing a new session and updating the cookie, causing subsequent requests to new processes to have to load in the replacement session.
Presuming a touch operation that runs “intermittently” on a configurable interval will “write through” to update last access time so other processes eventually see it
Tom
still working on tests https://shibboleth.atlassian.net/browse/IDP-2323
need to update tests with new Jetty, Tomcat, Java and fix RP and OP tests
Other