Shibboleth Developer's Meeting, 2022-08-19

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-09-02. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

• Artifact names and Maven co-ordinates for the performer previously known as Prince repository previously known as java-support and spring-extensions.

• (rdw:) Windows core (headless) server support.

• IDP-1955: Add attachClasses to the maven-war-plugin in idp-parentClosed

  • Propose we go ahead with this after all.

• Eclipse project files

Attendees:

Brent

• OSJ-354: Suffix the PROTOCOL_MESSAGE category with .SAMLClosed

  • The category logging is actually farther down (about 3 layers deep) in the base class hierarchy. Trying to decide whether to change this and move this all the way to the top-level base class for encoders/decoders.

Daniel

• ldaptive 1.3.x update for IDPv4 (blocking threads)

• ldaptive 2.x update for IDPv5

Henri

• Gson dependency should be removed from OP: it’s only used for parsing the contents from sector_identifier_uri during dynamic registration

• Need to clarify the use of AttributeInOIDCRequestedClaims matcher

  • Current documentation and examples are a bit misleading

• OAuth2Client authentication flow’s c14n step currently uses same c14n flows as end-user authentication flows

  • Perhaps a flag to disable c14n step or customisable set of c14n flows for this flow

Ian

• V4 integration tests now nightly, not on CI chain.

  • Note: no V5 integration tests at present.

• Old and busted: java-support and spring-extensions repositories. New hotness: java-shib-shared multi-project repository.

• Spring Web Flow 3.0.0-M1 has been released, including our code.

  • I have rebased our fork, and we’re still using it at present.

  • Do we have anything else we want upstream to consider?

  • If not, it is probably time to switch over to the upstream milestones and retire ours.

  • I’d disable jobs and remove old snapshot artifacts to avoid confusion, but stand ready to re-enable them if we need to do more work. I would not delete the fork.

John

Marvin

Phil

• JCOMOIDC-41: Move OIDC Signature Validation resolvers and parameter classes to commonsClosed

  • As per Brent’s suggestion, converted the encryption classes to JWT specific ones without the KeyInfo etc. stuff

  • Lead to a bit of refactoring and some big changes to the ‘Basic’ encryption parameter resolver, which then needed to become more JWT focused given we actually use Nimbus encrypters.

    • Which lead to many changes in JOIDCRP-17: Add JWT Encryption Parameter Resolver SupportClosed which needs review.

• Suggestions for small improvements to the OP’s encryption JOIDC-122: Support jwk or jku in encrypted JWT headersClosed. Not sure supporting direct encryption is all that useful given there is no algorithm descriptor for it and I am not sure how you share that secret with the OP (other than client_secret).

• Usual RP cleanup work

• Need to finish JCOMOIDC-45: Add a Decrypter for JWE tokens similar to the opensaml DecrypterClosed

• ‘Merging’ the dev commons branch into main is going to be messy, need to ensure the OP does not break.

Rod

• IDP-1793: Use Suppliers for HttpRequest/ResponseClosed

• Misc tidy

• (yet) another JDBC Storage Service plugin release

• Next up IDP-1927: Make Jetty run under its own credentials for windows installsClosed

Scott

• IDP-1992: Add a DateTimeAttributeValue type to avoid formatting conversionsClosed

• IDP-1994: Removal of joda-time from APIs and dependency setClosed

• IDP-1973: Don't traverse directories under conf/ that is forbidden by permissionClosed

  • Needs extensive testing

Tom

• testbed

  • need to change the idp-war dependency in the POM from JAR to WAR, i.e. from

    <dependency> <groupId>${idp.groupId}</groupId> <artifactId>idp-war</artifactId> <version>${idp.version}</version> <scope>runtime</scope> </dependency>

    to

    <dependency> <groupId>${idp.groupId}</groupId> <artifactId>idp-war</artifactId> <version>${idp.version}</version> <scope>runtime</scope> <type>war</type> </dependency>

    to build from the CLI, but this breaks running the testbed in Eclipse.
    Maybe IDP-1955: Add attachClasses to the maven-war-plugin in idp-parentClosed would help, idk.

• Added Jenkins jobs :

  • java-idp-testbed-v5

  • java-idp-integration-tests-v4.2.1

  • Working on java-idp-integration-tests-v5

• Suggest changing default log level from debug to either warn or info in idp-conf/src/test/resources/logback-test.xml similar to idp-conf-impl because Logback picks this up when running the integration tests

• Could use help with the AttendedRestart feature

  • example openssl command to password protect an existing private key ?

  • configured properties and beans, but flow/view does not appear, just get OpenSAML error message
    
    

Other