Shibboleth Developer's Meeting, 2022-08-05

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-08-19. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

• @Rod Widdowson IDP-1793: Use Suppliers for HttpRequest/ResponseClosed (Why, What, User configuration, plugins)

• State of branches across the projects and release plan(s)

  • Plugin compatibility when we unlock the parent – additional testing requirements or do we just wing it?

• Third party cookie API proposal

Attendees:

Brent

• JCOMOIDC-41: Move OIDC Signature Validation resolvers and parameter classes to commonsClosed

  • Reviewed some code for Phil.

• IDP-1793: Use Suppliers for HttpRequest/ResponseClosed

  • Reviewed some changes for Rod.

Daniel

Henri

• Back online next week

Ian

• As yet, no upstream Spring Webflow milestone release.

• Spring Framework 6.0.0-M5 integrated everywhere, M6 is due 2022-09-15 along with 5.3.23.

• Commit jobs now running on CentOS7-commits instances, mostly.

  • Please review my mail to committers@ so that I don’t have to talk through this!

John

• SSPCPP-953: Support building RPMs for Rocky Linux 9Closed

  • Trying again with new Rocky Linux 9 image as of 20220720

  • Probably going without doxygen and libmemcached

Marvin

Phil

• On leave for the meeting. Been in and out of leave for a few weeks, ending end of next week.

• JCOMOIDC-45: Add a Decrypter for JWE tokens similar to the opensaml DecrypterClosed

  • Small improvements to the credential resolver. I think I now need to hook up the local credential resolver to also use any public key info from ‘jwk’s inside the JOSE headers to locate corresponding private keys, in addition to the ‘kid’ (keyID) it currently uses (algorithm info is also currently used).

    • Brent might want to put me straight on that if not.

• JOIDCRP-17: Add JWT Encryption Parameter Resolver SupportClosed

  • See the issue for the current logic (which needs reviewing).

  • Tricky to test ECDHE-ES as the runtime does not support EC/ECB/PKCS1Padding. Also not easy to get something downstream to test it e.g. OIDC cert tests. Will try with our OP.

Rod

• IDP-1793: Use Suppliers for HttpRequest/ResponseClosed I've made it an agenda item

Scott

• xml-security-c buffer overrun

  • No exposure in library itself or SP so low priority, will get a patch released at some point

• IDP-995: Administrative logout featuresClosed

  • Approaching this as a revocation problem due to client-side storage, with two back-ends, storage service or attribute resolver

Tom

• Working on updating/fixing integration tests for Sauce Labs :

  • removing Sauce Labs dependency (use environment variables + Jenkins Sauce Labs OnDemand plugin for credentials instead)

  • bump to Selenium 4

  • bump to Java 17 parent

    • workaround deprecated Spring Framework method to find available ports

Other