Notes: idpy dev call, 4 August 2020
Giuseppe, Ivan, Matthew, Heather, Johan, Hannah, John
1 - Status of architecture documentation
No update; focus is on finding a memory leak.
Will be expanding on the internal data representations, and how the microservices are applied to data representations, and how they get back to the external protocol.
2 - Potential new project for idpy
Giuseppe has invited Joseph, the maintainer, to these calls to see about bringing in djangosaml2 under the idpy umbrella.
As a reminder, here are the instructions for adding a project to idpy:
Heather will follow up with the Board in September re: the new project.
3 - GitHub review
Ivan is spending most of his time right now hunting down a memory leak. Other coding is delayed. See Satosa update.
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Status of PKCE? The OIDC endpoint has support for PKCE (a better type of implicit flow). Ivan will be following up on that; it sounds interesting.
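As an added illustration of what the PKCE support involves (this is constructed for these notes, not code from the IdentityPython OIDC libraries): the client derives a code_challenge from a random code_verifier per RFC 7636, sends the challenge with the authorization request, and later presents the verifier at the token endpoint, where the server recomputes and compares. The AuthorizationServer class is a hypothetical stand-in for the server side; the test vector in the usage note is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets

# Added illustration of PKCE (RFC 7636); constructed for these notes, not code
# from the IdentityPython OIDC libraries. AuthorizationServer is a hypothetical
# stand-in for the server side of the exchange.


def b64url_nopad(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for both values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random octets encode to a 43-character verifier."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive the challenge sent with the authorization request."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Hypothetical server side: remembers the challenge bound to each
    authorization code and checks the verifier presented at the token endpoint."""

    def __init__(self, allow_plain: bool = False):
        self.allow_plain = allow_plain  # "plain" is weaker than S256; off by default
        self._codes = {}                # authorization code -> (challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        """Issue an authorization code bound to the presented challenge."""
        if method == "plain" and not self.allow_plain:
            raise ValueError("code_challenge_method=plain is disabled")
        if method not in ("S256", "plain"):
            raise ValueError(f"unsupported code_challenge_method: {method}")
        code = b64url_nopad(secrets.token_bytes(16))
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """True when the verifier matches the challenge bound to `code`.
        The code is consumed on first use, so a replay is refused."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        if not 43 <= len(code_verifier) <= 128:  # RFC 7636 length limits
            return False
        challenge, method = entry
        expected = make_code_challenge(code_verifier, method)
        return secrets.compare_digest(expected, challenge)


def demo() -> bool:
    """Full round trip: verifier -> challenge -> code -> verified token request."""
    verifier = make_code_verifier()
    server = AuthorizationServer()
    code = server.authorize(make_code_challenge(verifier))
    return server.token(code, verifier)


if __name__ == "__main__":
    print("PKCE round trip ok:", demo())
```

For the RFC 7636 Appendix B verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, make_code_challenge returns E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM. The server keeps the "plain" method disabled unless explicitly enabled and consumes each code on first use, so a wrong verifier also burns the code.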
Question about whether this generates JWK? We do have scripts that can generate the keys:
You can specify what the key will be used for via the ‘use’ parameter. We currently do not specify that, but might be useful to have. Then it will be easier to generate and use those keys.
b. Satosa - https://github.com/IdentityPython/SATOSA
When running Satosa on a host with 1GB of RAM, memory usage has increased after about 3-4 days of processing requests. It is a slow leak in newer versions of Satosa. It may not even be Satosa itself, but one of the libraries (e.g., the OpenSSL library, libxml). If you restart Satosa regularly, or don’t have a lot of traffic, this may not have a major impact on you.
Using https://docs.python.org/3/library/tracemalloc.html to help hunt down the source of the leak.
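An added example of the snapshot-diff technique that tracemalloc supports (constructed for these notes, not SATOSA code): take a baseline snapshot, drive the suspect code path many times, take a second snapshot, and rank allocation growth by source line. The leak itself is simulated by a hypothetical handle_request() that keeps a reference to per-request data; attributed_to() checks whether the top-ranked growth lands inside a given function, which is the question you want answered when the leak may sit in a dependency rather than in your own code.

```python
import inspect
import tracemalloc

# Added illustration of the snapshot-diff technique; constructed for these
# notes, not SATOSA code. handle_request() is a hypothetical handler that
# simulates a slow leak by keeping a reference to per-request data.

_RETAINED = []  # stand-in for a cache that grows without bound


def handle_request(n: int) -> None:
    """Simulated request handler; the leak is the retained bytearray."""
    _RETAINED.append(bytearray(1024 * n))


def find_growth(workload, rounds: int = 50, top: int = 5):
    """Run `workload` between two snapshots; return (top stats, net growth)."""
    tracemalloc.start()  # pass a frame count (e.g. 25) to group by full traceback
    try:
        before = tracemalloc.take_snapshot()
        for i in range(rounds):
            workload(i + 1)
        after = tracemalloc.take_snapshot()
    finally:
        tracemalloc.stop()
    # Ignore tracemalloc's own bookkeeping and the import machinery
    filters = [
        tracemalloc.Filter(False, tracemalloc.__file__),
        tracemalloc.Filter(False, "<frozen importlib._bootstrap>"),
    ]
    before = before.filter_traces(filters)
    after = after.filter_traces(filters)
    stats = after.compare_to(before, "lineno")  # sorted by |size_diff|, largest first
    growth = sum(s.size_diff for s in stats)
    return stats[:top], growth


def attributed_to(stats, func) -> bool:
    """True if the largest growth is attributed to a line inside `func`."""
    if not stats:
        return False
    frame = stats[0].traceback[0]
    lines, first = inspect.getsourcelines(func)
    last = first + len(lines) - 1
    return frame.filename == func.__code__.co_filename and first <= frame.lineno <= last


def report(stats) -> list:
    """One human-readable line per ranked allocation site."""
    return [
        f"{s.traceback[0].filename}:{s.traceback[0].lineno} "
        f"{s.size_diff:+d} B ({s.count_diff:+d} blocks)"
        for s in stats
    ]


if __name__ == "__main__":
    top, growth = find_growth(handle_request)
    print(f"net growth over the workload: {growth} bytes")
    for line in report(top):
        print(line)
```

On a long-running process the same idea applies with a much longer interval between the two snapshots; if the top-ranked lines are inside a C extension's Python wrapper rather than your own code, the leak is in that dependency, which is the case the notes above leave open.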
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Name format work: https://github.com/IdentityPython/pysaml2/issues/601. PySAML2 assumes the name format value is a URI format. This is a bug on the consumption side. When we parse an attribute element and we don’t find a name format attribute, we should indicate that it is unspecified. When we produce an attribute element, we have an object that we initialize with the name format, the name of the attribute, and the value of the attribute. If we don’t specify the name format, then the default is a URI format. We may shift to indicating everything is unspecified unless specified as a URI format.
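An added model of the two sides of the issue (constructed for these notes, not pysaml2 code; Attribute, parse_attribute and produce_attribute are hypothetical stand-ins for the library's objects): on the consumption side an absent NameFormat maps to "unspecified", which is what SAML 2.0 core prescribes, and the default parameter can be flipped to reproduce the current assumption; on the production side the default for an unset format is a parameter too, so the proposed change to "unspecified" is a one-argument switch. The sample elements are constructed.

```python
import xml.etree.ElementTree as ET

# Added model of the name-format handling discussed in pysaml2 issue #601;
# constructed for these notes, not pysaml2 code. Attribute, parse_attribute
# and produce_attribute are hypothetical stand-ins for the library's objects.

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ET.register_namespace("saml", NS_SAML)

# Constructed sample attribute elements, as they might appear in an assertion
SAMPLE_NO_FORMAT = (
    f'<saml:Attribute xmlns:saml="{NS_SAML}" Name="mail">'
    "<saml:AttributeValue>alice@example.org</saml:AttributeValue>"
    "</saml:Attribute>"
)
SAMPLE_URI_FORMAT = (
    f'<saml:Attribute xmlns:saml="{NS_SAML}" Name="urn:oid:0.9.2342.19200300.100.1.3" '
    f'NameFormat="{NAMEFORMAT_URI}">'
    "<saml:AttributeValue>alice@example.org</saml:AttributeValue>"
    "</saml:Attribute>"
)


class Attribute:
    """Stand-in for the parsed/produced attribute object."""

    def __init__(self, name, values, name_format=None):
        self.name = name
        self.values = list(values)
        self.name_format = name_format  # None means "not given"


def parse_attribute(xml_text, missing_format=NAMEFORMAT_UNSPECIFIED):
    """Consumption side. SAML 2.0 core says an absent NameFormat means
    'unspecified'; passing missing_format=NAMEFORMAT_URI reproduces the
    current assumption that the issue calls a bug."""
    el = ET.fromstring(xml_text)
    name_format = el.get("NameFormat")
    if name_format is None:
        name_format = missing_format
    values = [v.text or "" for v in el.findall(f"{{{NS_SAML}}}AttributeValue")]
    return Attribute(el.get("Name"), values, name_format)


def produce_attribute(attr, default_format=NAMEFORMAT_URI):
    """Production side. The current default for an unset name_format is URI;
    the proposed change is default_format=NAMEFORMAT_UNSPECIFIED."""
    el = ET.Element(f"{{{NS_SAML}}}Attribute")
    el.set("Name", attr.name)
    el.set("NameFormat", attr.name_format or default_format)
    for v in attr.values:
        ET.SubElement(el, f"{{{NS_SAML}}}AttributeValue").text = v
    return ET.tostring(el, encoding="unicode")


def round_trip_format(xml_text, missing_format, default_format):
    """Parse, re-serialise, parse again; return the NameFormat that survives."""
    attr = parse_attribute(xml_text, missing_format)
    return parse_attribute(produce_attribute(attr, default_format)).name_format


if __name__ == "__main__":
    print("absent NameFormat parsed as:", parse_attribute(SAMPLE_NO_FORMAT).name_format)
    print(produce_attribute(Attribute("mail", ["alice@example.org"])))
```

The round trip shows why the consumption-side default matters more than the production-side one: whatever value the parser assigns to an absent NameFormat is what gets written back out, so a parser that assumes URI turns an unspecified attribute into one that claims the URI format.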
d. pyFF - https://github.com/IdentityPython/pyFF
4 - AOB
Ivan will be on vacation and miss the next call (August 18); we will cancel that call. Next call is 1 September 2020