Hola a todos!
As discussed on the last call, we’re going ahead and canceling the call for 22 December. THAT SAID! Please fill out the doodle poll so I can get the 2021 series of calls on the calendar. Right now, only four people have responded. I you have an opinion about when the calls should happen, please fill out the poll:
https://doodle.com/poll/vtdidxvpstvzb8vc?utm_source=poll&utm_medium=link
Thanks! Heather
Hi!
I had a question from Torsten Lodderstedt, who some of you know, on whether our OIDC/OAuth2 implementation
supported all the features that the FAPI 2 baseline stipulates.
Turns out we do support most of them (PKCE, PAR and the new iss authorisation response parameter).
What we don’t have support for is RAR (https://tools.ietf.org/html/draft-ietf-oauth-rar-03 <https://tools.ietf.org/html/draft-ietf-oauth-rar-03>).
The new session/grant subsystem has hooks for it but we’re lacking the part that actually can use it.
I don’t think that GEANT has any use for RAR but I may be wrong. If so I’d like someone to tell me.
The larger question is of course: should we care what FAPI/FAPI 2 demands ?
Or ultimately, our customer what do they want ?
Anyone knows who are customers are ?
Anyone with an idea as to who we would like to be our customers ? Except for the HigherEd and Research ?
— Roland
Can anything be sadder than work left unfinished? Yes, work never begun. -Christina Rossetti, poet (5 Dec 1830-1894)
Hello idpy developers!
ON the last call, the group suggested sending out a poll oto see if our current call time slot works for 2021, or if there might be a better one for the participants. I’ve put together a poll to see if we can answer that question. When you fill out the poll, please consider whether you can make that time slot every other week, and not just that one day.
https://doodle.com/poll/vtdidxvpstvzb8vc?utm_source=poll&utm_medium=link
If you could fill that out before you head off for any vacations you might be taking this year, I would greatly appreciate it!
Thanks! Heather
Attendees:
Ivan, Giuseppe, Heather, Hannah, Roland, Scott, John P, Johan, Nikos
1 - Status of architecture documentation & Normalizing idpy projects (see email from Ivan, "Subject: [idpy-discuss] Normalizing across all projects”, 10 November 2020)
Before we make djangosaml2 part of idpy, we should have a stronger set of guidelines on what we expect in terms of managing a project (using semver, readthedocs, change logs, etc). Could also use something called “cookie cutter” which does several of the set up of these kinds of things for projects in GitHub. While we would not create new project spaces for projects that come in with their own repository, it would allow for a type of model and technical documentation on how we think projects should look like. Note that this would let us to also normalize on how we handle issues, what labels we use, PR templates, a common FAQ, tooling to build and test packaging, boilerplate (README, LICENSE, etc)
• Example: https://github.com/SUNET/eduid-webapp/tree/master/cookiecutter-app
Ivan will continue to write up his thoughts in email.While Ivan can make these decisions for Satosa and pySAML2, need input from other maintainers.
Discussion:
• We can agree to semver and pep8, but some of the other things we’ve been talking about are very heavy for some of the smaller projects.
• Do we know who our customers are, and what they need? Will they be taking our libraries and using them to build their own use cases? Or are they looking for a packaged service they can just run? We can’t cater to both. Can we have two categories of rules? One size won’t fit all projects.
• What about change logs? They send a good signal to deployers about what to watch for when they upgrade (or help them decide if an upgrade is required).
Consensus:
• semver
• pep8
• readthedocs
• README and LICENSE files
• PR and issue templates (already exist)
• Change logs
3 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
New project for the documentation on session management (code is still in oidcendpoint). Since readthedocs can’t handle documentation for forks, this allows the publication of material before the code is even final. Has not pushed to readthedocs yet; will aim to have that done before the next call.
b. Satosa - https://github.com/IdentityPython/SATOSA
No changes.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
There was a bug in the redirect binding, where the request was also going to be signed. The problem is that by default, if the signing algorithm was not specified, the right parameters were not produced. This has been fixed. In the same PR will be Giuseppe’s work on configurable signing and digest algorithm (see https://github.com/IdentityPython/pysaml2/pull/744) Ivan will be pushing a commit with partial notes (in the form of bullet points) and other people involved will help turn that into proper documentation. We will need to refactor the whole process of signing, encryption, and decryption.
d. pyFF - https://github.com/IdentityPython/pyFF
4 - AOB
Thanks! Heather
Hello everyone,
at the last idpy meeting, we started a discussion around normalizing
how idpy projects operate. The goal is to agree on a baseline on how
we treat different project aspects and how we can harmonize those in
order to give users uniform expectations. A user that is familiar with
how project-x works, should automatically be familiar with how
project-y works when they decide to use that too. The first step is to
agree on guidelines, and then have each project steadily work its way
to that. In the process, we should effectively be cultivating a
culture on how we manage projects, and not blindly follow policies.
The initial discussion started around documentation, versioning and
changelogs. Many more things can and should be discussed. Those
include topics such as tooling, CI/CD, testing, packaging, release
schedules, issues management, git-workflow, etc. I will expand on some
of those topics and we can further discuss in this or separate threads
or in the following calls about each one.
## Documentation
I think we can all agree that documentation is important and needed. I
make a distinction between documentation whose audience is a user and
documentation whose audience is a developer. The user-documentation
consists mainly of the project API, how it is used, and use-case
scenarios. The developer-documentation consists of architectural
diagrams, design choices, separation of entities, and general guidance
on how modules are separated and code is organized.
Being part of the python community, the natural tool around
documentation is https://readthedocs.org/. Readthedocs works in tandem
with Git(Hub) projects, and can automatically be kept in sync with a
repo.
- Do we agree to use https://readthedocs.org/ to publish documentation?
- Should we request PRs to include documentation? or, should we
fill-in the documentation when creating a new release?
## Managing change
### Versioning
What we actually want to do with versioning is _signal_ the type of
changes that are part of a new release. The most common versioning
scheme is semantic versioning (https://semver.org/) - other things out
there include CalVer (https://calver.org/) Apache versioning
(https://apr.apache.org/versioning.html) and more. However, I think
semver is quite common and probably everyone will agree that it's
fine. Most importantly it achieves the goal of signaling in a simple
way:
> Given a version number MAJOR.MINOR.PATCH, increment the:
>
> - MAJOR version when you make incompatible API changes,
> - MINOR version when you add functionality in a backwards
> compatible manner, and
> - PATCH version when you make backwards compatible bug fixes.
>
> Additional labels for pre-release and build metadata are available
> as extensions to the MAJOR.MINOR.PATCH format.
- Do you think we should use semver?
### Changelog
Same as with documentation, the Changelog comes in two flavours - the
changelog that is intended for developers, and the changelog that is
intended for users (aka release notes). The technical-changelog is the
VCS-log itself and contains purely technical entries on how the code
was modified to achieve a certain effect. We have the technical
changelog for free.
On the other hand, the user-changelog has the form of a set of release
notes. The release notes should be enough to explain what’s going on
to someone deploying the package, or to a user that wants to use new
functionality - it is a summary of the new release value. This type of
changelog cannot be autogenerated, and we must write and curate by
hand. As with versioning, there are some formats out there, but I
think something like keepachangelog (https://keepachangelog.com/) is
easy to use and very close to what most of us would end up with while
trying to specify a consistent format.
When should the user-changelog be updated? Usually this is done either
at release-time.
- Should we maintain a changelog/release-notes?
I will continue this subject with more topics, soon. I'm looking
forward to your thoughts!
Cheers,
--
Ivan Kanakarakis
Attendees:
Ivan, Heather, Giuseppe, Johan, Roland, John, Hannah, Matthew, Christos, Leif
Regrets:
Scott
1 - Status of documentation
Hannah is still working on the pySAML2 documentation.
Scott K is working on reorganizing the documentation he’s written on GitHub (how readthedocs is organized and presented)
No update on the architecture documentation, but it is coming up in priority.
Board considers documentation (both user and developer) critical as a way to grow the community.
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Regarding documentation, we need a central site that describes how it all fits together. Could we use readthedocs for this? Possibly, but we would need link from the project sites to the documentation site.
We have some new people programming in this space: Ori Mizrahi and David Hess.
Roland is working with the session management backend.This is mostly working; focusing on the tests now to make sure it works in all cases. When that’s done, it will be very different from the old version. Documentation will be absolutely required (background, design choices, how to use it in context). See branch “new session handling” in https://github.com/IdentityPython/oidcendpoint
b. Satosa - https://github.com/IdentityPython/SATOSA
Within eduTEAMS, had an incident that may be related to the memory leak. Unclear, and no more info is available.
We have a contribution for an apple signing backend.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Ivan is working through the algorithm PRs (744 and 745). They aren’t quite passing tests, but as soon as those are sorted, they will be merged.
• https://github.com/IdentityPython/pysaml2/pull/744
• https://github.com/IdentityPython/pysaml2/pull/745
Namespace prefix changes to make them more readable. This is mostly a “nice-to-have”.
• https://github.com/IdentityPython/pysaml2/pull/326
• https://github.com/IdentityPython/pysaml2/pull/625
Priority list:
• Make algorithms configurable, enforcing the policies (see https://github.com/IdentityPython/pysaml2/pull/744 and 745)
• Getting away from xmlsec1 and instead working in memory. Expect we will switch to lxml.
• Architecture documentation
AOB
• At the Board meeting, we talked about normalizing some things across all projects. Example: documentation using readthedocs; how we manage changes and versions (e.g., semantic versioning); change logs. The group needs to discuss this further. We need to add these to future agendas (and to the mailing list) for discussion.
• The goal isn’t to enforce this harmonization immediately, but to give each project a direction to start making changes.
• If we use readthedocs, it is structured by projects, so even general documentation will need to be structured as a “project"
• For change logs, there is what’s automatically available with a revision control, but that doesn’t always describe adequately what actually happened. What may be more useful would be a set of release notes. The release notes should be enough to explain what’s going on to someone deploying the package, and gitlog is what you need as a developer to understand what’s going on. We have discussed this and semantic versioning at a TIIME meeting in 2019. pySAML is not using semver because they decided to have Ivan only work on the current/future work, and only back ports handled the patch version.
• Ivan will post a summary and a recommendation around this discussion re: versioning and change logs to the list.
Thanks! Heather
Hello all,
Our dev call scheduled for 27 October is cancelled. If you have any urgent questions or issues, please drop a note to the appropriate slack channel. Otherwise, see you on 10 November!
Thanks! Heather
Attendees:
Ivan, Matthew, Heather, Hannah, John P, Giuseppe
Regrets:
Scott
1 - Status of documentation
Hannah Sebulibah will be meeting with Ivan to figure out where to start on documentation. Will likely start from the current configuration, which will help with cleaning up existing options and fixing the defaults. The API will also need help, but that’s a much bigger project and Ivan needs to do some work first. Scott has also started creating issues with where he wants to work on items.
pySAML2 has a readthedocs connection, and we need to reorganize the top-level headers. What’s there is mostly about the configuration options, and it is missing material.
We could also use the minimal working example of an IdP; Matthew has a gist about this.
Satosa does not have a readthedocs connection; nothing generates documentation. Readthedocs can use markdown, which will be less work on our side.
Ivan will also be updating the architecture docs, esp. around the middleware. Hasn’t gotten to that yet.
2 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Recent focus in GitHub has been on oidcendpoint. The people involved in the OIDC project are debating frequent small releases vs larger, more complete releases with more thorough testing approx. once a month. When something is decided here, we should likely have the same policies across all the projects. We can also focus on pre-releases. A goal is to have automated testing and release with each tag. Suggest we focus on following the change log format guidelines as here: https://keepachangelog.com/
Roland is working on a new session back-end. There is some concern that this may result in a breaking change.
b. Satosa - https://github.com/IdentityPython/SATOSA
Memory leak still a mystery.
Should probably have its own key manager that is shared between its front ends and back ends.
We have some merge requests, mainly around documentation, with a bit about the plop front end.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Will be working on automated pre-releases.
Have been updating based on current issue list and some PRs. See:
• https://github.com/IdentityPython/pysaml2/issues/720#issuecomment-700694146
• https://github.com/IdentityPython/pysaml2/pull/727 - logout response location
• https://github.com/IdentityPython/pysaml2/pull/728 - logout response location
• https://github.com/IdentityPython/pysaml2/pull/704 - default name format
• https://github.com/IdentityPython/pysaml2/pull/721 - Increase key size in demo key generation (note this is probably still too small; proper fix is to switch algorithms
• See also: https://github.com/IdentityPython/pysaml2/issues/712 to support switching algorithms
• https://github.com/IdentityPython/pysaml2/pull/597 - needs to be expanded to include enforcement
• Using a key manager would make handling keys easier, but it is not a priority
Priority list:
• Make algorithms configurable, enforcing the policies
• Getting away from xmlsec1 and instead working in memory. Expect we will switch to lxml.
Thanks! Heather
Hello everybody,
As you may have guessed from the subject of this email, I have the pleasure
of presenting here djangosaml2, in anticipation of its migration to
Identity Python.
In CC Jozef Knaperek, former contributor of pysaml2 and person who from
2016 to date has maintained the fork of this project, now hosted in the
personal github, which today has a fair audience and satisfaction within
the Django community.
Here is:
https://github.com/knaperek/djangosaml2
As is evident, djangosaml2 is an application designed for Django Framework,
written above pysaml2 that presents closely related goals to this. This is
why we believe that bringing djangosaml2 to idpy can be quite natural, and
if we want it also advantageous, for the possibility of increasing its
community.
Currently the project is published on Pypi and the version release policy,
and acceptance of contributions, depends on validating the code by running
unit tests (Tox over Github actions). The coverage of djangosaml2 is
currently less than 80% in the v0.40.1 but higher than 90% for the v1.0.0
version (see branch of the same name). The latter is in the process of
being released and it might be a good opportunity to release it directly
within idpy.
The versions from v0.19.0 to v1.0.0 were made possible by a great
enthusiasm, which arose within its community, manifested following the
first interactions for the requalification of the project, as regards the
feedback offered both in the issues and in the PR pending. Having given so
much trust activated several contributors in a relatively short time makes
us optimistic about the general resilience of the project, such as to think
about the good health of its community and not least the possibility that
this project could hopefully continue to live on external contributions
only.
In any case, the people that are glad to present here djangosaml2, for whom
we undertake the commitment of a management over time, are Me and Knaperek.
I know that we have not written everything but rather we fear we have
written too much. We are available to answer in this thread on further
organizational and managerial aspects of the project.
Sure of your kind reply, we greet you
--
____________________
Dott. Giuseppe De Marco
CENTRO ICT DI ATENEO
University of Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496961
e-mail: giuseppe.demarco at unical.it
--
------------------------------------------------------------------------------------------------------------------
Il banner è generato automaticamente dal servizio di posta elettronica
dell'Università della Calabria
<https://www.unical.it/portale/portaltemplates/view/view.cfm?100061>
