Shibboleth Developer's Meeting, 2022-03-04

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-03-18. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

Add items for discussion here

Attendees:

Brent

• OSJ-315: Update xmlsec to 2.3Closed

  • Currently marked for 4.2. I don’t recall the background on this. Do we still need to do?

• OSJ-344: Exclude JAXB from xmlsec dependenciesClosed

  • Currently marked for 4.2. Is this just a simple exclude? There’s some discussion about doing things with Rod’s new checking support, etc.

Daniel

Henri

Ready for the next release:

• JOIDC-63: Missing required PKCE code challenges should raise an error in the authorization endpointClosed

• JOIDC-54: Plugin makes indirect use of AWTClosed

• JOIDC-51: Need to populate an SPSession for each OIDC RP accessedResolved

• JOIDC-71: Lack of openid scope in metadata doesn't prevent id_token issuanceClosed

  • The authorize-endpoint is expecting OIDC authentication requests now, and Nimbus verifies they contain openid scope

  • Verified now by flow tests, so we’ll notice if Nimbus’s behaviour changes

Still some final things to be finished:

• JOIDC-76: Facilitate custom response header settings (e.g. CORS)Closed

  • CORS can be handled by IDP-1907: Enable Spring MVC's CORS-handling featuresClosed

  • Testbed incompatilibity is weird: when I print out the contents of the ServletContext in the initializer, I see web.xml contents from the testbed app (not idp.war’s web.xml)

• JOIDC-61: Support metadata policies in the dyn. reg. profile configurationClosed

  • Works and fairly well tested - need to finish unit testing though

  • Currently way too complicated to inject non-default metadata policies via file (multiple beans needed) - must be simplified

• JOIDC-21: Use token authentication for OIDC dynamic client registrationClosed

  • Can CLI really be compatible with the authenticated:true

  • No error handling yet - the successful output is currently TokenResponse JSON - should it be a velocity view instead

  • Unit testing need to be finished

• Ref: users-list discussion. Client secret expiration time is not currently exploited.

Ian

John

Marvin

Phil

Rod

• IDP-1909: Enforcer plugin prevents maven-deploy plugin from uploading artifactsClosed

• GEN-311: Stop populating/maintaining the third party repo.Open

  • Removing central-disabled profile from parent project (main only) for Friday night's builds.

  • Discuss: Add a -P check-m2 profile (again to main only) to assist with releases.

• IDP-1914: Work to ship Jetty 10 with the IdP InstallerClosed

  • Mostly removing things (good)

  • A chance to reconverge to our “standard” jetty base

Scott

• Docs for OAuth work

• New stylesheet/templates merged in

  • Reviewed implications for upgrades

  • New TOTP plugin release needed

• Jetty 10 example page added

• Finishing up backlog for OP and IdP

Tom

• Updates on testing :

  • Browser tests working again after accessibility changes for IdP 4.2

  • Browser tests not working for IdP 4.1

    • Because test code enables IdP 4.2 modules instead of 4.1

    • Working on using installer to set up the IdP during testing

      • Works on Linux

      • Does not work on Windows (unable to run .bat files properly, WIP)

  • Revived Tomcat tests

  • Jetty 10 tests should work once IDP-1905: Ignore keys without valuesClosed is resolved

Other