Shibboleth Developer's Meeting, 2023-02-17
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-03-02. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
Add items for discussion here
Attendees:
Brent
- JSSH-16Getting issue details... STATUS
Plan on pushing all the updated projects early next week.
All IdP stack + metadata aggregator (just a runtime dep). Missing anything?
Likely some minor odd/ends left, but get the major bits of the refactor into main branches.
Anyone else planning any big commits in that timeframe? We should coordinate to avoid stepping on one another.
Hit a couple of unknown (to me) aspects of HttpClient, interesting to note for the future.
Unconditional retries of failed connections over all resolved DNS entries for hostname, where “failed” includes a TLS handshake failure.
We effectively disable connection pooling in our HttpClientBuilder by default via use of RequestConnectionClose interceptor.
Our TrustEngine-based TLS fails on second and subsequent requests unless this is enabled. Need to see if there is a way to address this.
Were we ever expecting to need or want HTTP/2 support? The HC classic client does not support and “
most likely never will
” per the HC developer.
Daniel
Conflict today, cannot attend.
Henri
- JCOMOIDC-41Getting issue details... STATUS
Global exclusion now works and tested for signature validation
Decryption configuration seems to work, but request object logic needs to be improved (see below)
Working on signature signing tests (id_token, JWT access token, userinfo) - spotted one bug with EC keys
Encryption tests with varying configurations still totally missing
- JOIDC-142Getting issue details... STATUS
So far OP has only supported the use of RP metadata for security configuration
OP should also exploit the new predicates used by RP (force use of request objects, signing and encryption)
We should also support forcing specific attributes to be included in the request object
Ian
John
Marvin
Phil
Extra tests and cleanup for the RP
- JCOMOIDC-65Getting issue details... STATUS
The config module is now fully operational as a plugin —I needed to add sub-modules so the assembly of the tar.gz made sense
Basic wiki page up
Added include and exclude algorithm checks to the trust engine. The others had it and I forgot.
- JCOMOIDC-48Getting issue details... STATUS
This is working out of the config module.
I’ve installed all three plugins (commons, config, and RP) into my running IdP and it is working fine.
I will install the OP snapshot as well to check.
Will release RP 0.10.0 today or Monday, and will host snapshots of oidc-commons and oidc-config on the downloads site (as before, but now with the config).
Nimbus fixed their truncation bug, so I’ve updated commons to the latest version
Rod
Unable to attend
Use the recommended setting from https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1122271670/Configuring+Eclipse#Recommended-Configuration and on a sub project by sub project basis remove all the red (errors) and take a preliminary pass at the yellow (warning)
Not spending much/any time on test code right now
Making notes in the case of any oddities I encounter or leitmotifs (
Instant.now()
is an example of ‘I know it’s non null but eclipse doesn’t’Currently up to cas-impl
Scott
- JSPROF-1Getting issue details... STATUS
RelyingPartyResolverService reimplemented to be CriteriaSet-based and is outside IdP
Removed “hide the ServiceableComponent API” abstraction, may revisit same issue for metadata, access control
Working on ProfileConfiguration cleanup, moving “most” API usage to interfaces, may move all the concrete classes back out of API
SP and IdP overlap is not that extensive here but will share what little there is
Tentatively not planning to produce shareable SAML 1 interfaces at this time
Tom
Jenkins
Created jobs for :
Updated Linux and Windows AMIs
When should we start using Maven 3.9.0 ?
spent most time scripting installers, which we have for :
all the necessary versions of Oracle Java and Amazon Coretto
Maven
webdrivers : geckodriver and chromedriver*
* no signature
why is TLS trust not sufficient, remind me ?on Linux and Windows
private repo tzeller/java-parent-project
Suggestion : PGP KEYS files should be prefixed with the project, e.g.
SHIBBOLETH-KEYS
MAVEN-KEYS
GECKODRIVER-KEYS
etc. or some other naming convention
I know Rod’s out but it might be nice if the IdP (or I guess SP) installer could download and validate updates :
e.g. bin/install.sh --download-latest-version-and-validate-signature