2022-08-05
Shibboleth Developer's Meeting, 2022-08-05
Call Administrivia
09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-08-19. Any reason to deviate from this?
60 to 90 minute call window.
Call Details
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
@Rod Widdowson https://shibboleth.atlassian.net/browse/IDP-1793 (Why, What, User configuration, plugins)
State of branches across the projects and release plan(s)
Plugin compatibility when we unlock the parent – additional testing requirements or do we just wing it?
Third party cookie API proposal
Attendees:
Brent
https://shibboleth.atlassian.net/browse/JCOMOIDC-41
Reviewed some code for Phil.
https://shibboleth.atlassian.net/browse/IDP-1793
Reviewed some changes for Rod.
Daniel
Henri
Back online next week
Ian
As yet, no upstream Spring Webflow milestone release.
Spring Framework 6.0.0-M5 integrated everywhere, M6 is due 2022-09-15 along with 5.3.23.
Commit jobs now running on
CentOS7-commits
instances, mostly.Please review my mail to
committers@
so that I don’t have to talk through this!
John
Trying again with new Rocky Linux 9 image as of 20220720
Probably going without doxygen and libmemcached
Marvin
Phil
On leave for the meeting. Been in and out of leave for a few weeks, ending end of next week.
Small improvements to the credential resolver. I think I now need to hook up the local credential resolver to also use any public key info from ‘jwk’s inside the JOSE headers to locate corresponding private keys, in addition to the ‘kid’ (keyID) it currently uses (algorithm info is also currently used).
Brent might want to put me straight on that if not.
See the issue for the current logic (which needs reviewing).
Tricky to test ECDHE-ES as the runtime does not support
EC/ECB/PKCS1Padding
. Also not easy to get something downstream to test it e.g. OIDC cert tests. Will try with our OP.
Rod
I've made it an agenda item
Scott
xml-security-c buffer overrun
No exposure in library itself or SP so low priority, will get a patch released at some point
Approaching this as a revocation problem due to client-side storage, with two back-ends, storage service or attribute resolver
Tom
Working on updating/fixing integration tests for Sauce Labs :
removing Sauce Labs dependency (use environment variables + Jenkins Sauce Labs OnDemand plugin for credentials instead)
bump to Selenium 4
bump to Java 17 parent
workaround deprecated Spring Framework method to find available ports
Other