Attendees:
Giuseppe, Ivan, Johan, Roland, JohnP, Scott, Heather, Peter
1 - GitHub review
a. OIDC - https://github.com/IdentityPython
Released 2.0 a few weeks ago (https://github.com/IdentityPython/oidc-op/releases/tag/2.0.0) Discovered some backward compatibility issues that are being addressed; 2.1.0 will be released this week. These issues were not discovered in testing and impacted eduTEAMS in particular. We can add them in tests now that we're aware of them. Community is always encouraged to help with testing prior to releases.
What might also help: if the eduTEAMS project had routinely been making code available for others to use, some of this could be avoided as there would be more eyes on the work
Question about the OIDC front end: idpy does not maintain pyOP; we encourage people to look instead to oidc-op. For Satosa, we don't have another choice at this time. By default, we promote the new one, but it is possible to create a module to use the old one that uses pyOP. We don't really have a date for the changes as it depends on eduTEAMS.
Question about identity assurance (https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html) Roland has most of the code, but there are handling issues. Example: if you get the information from different sources, they will verify information in different ways and you'll need to keep those separate. Roland expects to have something in another week that people can use to start testing. Assurance may relate to having a digital wallet; we haven't considered this much in the overall architectures for idpy. What about WebAuthn? Giuseppe has a PoC.
Question about logout: this is an ongoing challenge, and logout has known issues. Until those are a bit more clear in terms of what can be supported, not sure it's useful to build logout models into Satosa.
b. Satosa - https://github.com/IdentityPython/SATOSA
Satosa and microservice from Peter Gietz: https://gitlab.daasi.de/didmos2/didmos2-auth, https://gitlab.daasi.de/didmos2/didmos2-auth/-/tree/master/src
Please send additional updates and questions to Slack
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Please send updates and questions to Slack
d. pyFF - https://github.com/IdentityPython/pyFF
Please send updates and questions to Slack
2 - Discussion
FYI - work is continuing on creating the W3C FedID Community Group. Draft charter is here: https://github.com/hlflanagan/fedidcg. Will have a call to discuss the charter on July 6 @ 13:00 UTC.
Thanks! Heather
Hi!
I guess there will not be an idpy call Tuesday 15th ?
Due to the collision with the Geant "Trust and Identity updates and strategy consultation” call.
https://events.geant.org/event/656/ <https://events.geant.org/event/656/>
— Roland
The higher up you go, the more mistakes you are allowed. Right at the top, if you make enough of them, it's considered to be your style.
-Fred Astaire, dancer, actor, singer, musician, and choreographer (10 May 1899-1987)
https://pypi.org/project/oidcop/2.0.0/ <https://pypi.org/project/oidcop/2.0.0/>
— Roland
Were it left to me to decide whether we should have a government without newspapers, or newspapers without a government, I should not hesitate a moment to prefer the latter. -Thomas Jefferson, third US president, architect, and author (1743-1826)
Hi!
A discussion item for tomorrow's meeting.
pyop
Last release feb 2019.
Based on pyoic which doesn’t belong to our set of packages and is in fact a competitor to one of our own
packages.
I think we should mark it as archived and point people to the Flask based OP example in oidc-op.
In connection to this we might want to streamline installing and running the oidc-op example.
— Roland
“The first principel is that you must not fool yourself — and you are the easiest person to fool”
— Richard Feynman
Hello all,
(So much cross-posting. I can’t really even be sorry about doing it; the conversations are happening EVERYWHERE!)
The Federation & Browsers workshop this week was quite the experience!
tl;dr - a new W3C community group is forming to focus specifically on federated identity on the web. I am working on the charter with a handful of others, and hope to have our first call within the next 3-4 weeks.
The first day of the workshop was primarily presentations from browser vendors (Google, Microsoft, and Mozilla, with some short comments by Apple) and large IdPs (Google, Microsoft, Facebook). People were able to submit questions and vote on them to direct where we took day 2.
Day 2 was all about discussion, kicking of with a discussion on whether we all agreed to these two statements:
• Non-transparent, uncontrollable tracking of users across the web needs to be addressed and prevented.
• Federated login and tracking tools use the same primitives and are indistinguishable from non-transparent, uncontrollable tracking from the browser’s perspective; browser’s proposed mitigations for tracking will impact federated identity.
(Result: General agreement, but with significant uncertainty about the specifics.)
We wrapped up with a discussion about how to keep the conversation moving, and the group agreed to the formation of a W3C community group specifically focused on federated identity on the web. If and when a broader identity community group is formed (which would cover additional topics such as Decentralized Identifiers), then the federated identity CG would be considered a sub-group of the more general one.
I’m in the process of converting the notes to markdown format; their final location will be here:
https://github.com/WICG/WebID/tree/main/meetings/2021
You can already find some of the slides from presenters in that repository.
If you want an early look at the notes, they were taken in Google docs:
Day one: https://docs.google.com/document/d/16wj6UnlaePCE0sdVfkVSwoBMHuFphLuv2sptxdQ…
Day two: https://docs.google.com/document/d/1nZt-bU-9FeoaavSuB6KPC7d3vyKuOhnA5QAd8kT…
Thanks! Heather
Attendees
Johan, Heather, Giuseppe, Scott, Roland, Ivan, Hannah, John P, Peter Gietz
0 - Agenda bash
1 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
There are a number of packages in the OIDC space. Will be merging some of these to make for easier maintenance; nothing is being removed, just rearranged. Example: moved OIDC endpoint into OIDC OP.
This happened at the same time when we rewrote persistence storage, the session handling tools, and cookie handling.
Outcome: major rewrite from what we had before we started the work.
There are 3 issues open and 2 PRs that need to be dealt with. Goal is to sort out the PRs and issues and then release 2.0 later this week.
As always, there is an ongoing need for documentation.
---
Detailed merger breakdown:
CryptoJWT - OidcMsg -+- oidcendpoint - oidc-op
|
+- oidcservice - OidcRP
now we have
CryptoJWT - OidcMsg -+- oidc-op
|
+— OidcRP
We accomplished this by including oidcendpoint into oidc-op and oidcservice into OidcRP.
The inclusion was made in such a way the all classes and functions defined in oidcendpoint would appear under the same name in oidc-op.
This meant that users of oidcendpoint would in the future have to change
from oidcendpoint import XYZ
to
from oidcop import XYZ and everything would just work. Likewise for oidcservice and OidcRP.
Beside doing this change we also rewrote:
- session management
- persistent storage
- cookie handling
Regarding persistent storage and cookie handling our goal was that the oidcop should not deal directly with these tasks.
Oidcop should provide a frontend with access to the information that should be stored in/retrieved from a persistent storage but not handle the storage per se.
Likewise oidcop should provide the information that should be in the cookie payload (the cookie value) but not construct and release cookies.
---
Suggest updating the readme of the retired packages and then archive those packages so they are read-only.
Giuseppe has offered some updates on the federation draft. Looking for more organizations willing to pilot the spec. There are some concerns re: the security considerations section. There is a potential for a DoS via one of the APIs. That needs to be included in the security considerations section with some kind of statement that standard mitigations for DoS applies.
Release-drafter notes: https://github.com/IdentityPython/oidc-op/releases/tag/untagged-fad801bc6e3…
b. Satosa - https://github.com/IdentityPython/SATOSA
Planned work on Satosa is around the cookies. When we get a request, we hardcode which part of the request will be kept. Giuseppe is helping build the list of what will be kept.
Peter Gietz has developed several microservices for Satosa:
----
Production ready implementation of:
• Authentication against an LDAP server
• SCIM attribute store to fetch attributes via SCIM API (instead of LDAP)
• Authoritzation module for blocking services if necessary group memberships or attributes are missing in the identity (for service providers that do not evaluate attributes themselves)
• Backend chooser with Django UI for letting the user choose between any existing SATOSA backend
• Integration of MFA via PrivacyIDEA
Prototype implementations of:
• OAuth2 frontend supporting different OAuth2 flows for clients
• Authentication via TLS client certificate
• Authentication via Kerberos
These all are more or less capsuled as Micro Service, so although we would be happy to contribute the production ready stuff, we would have no problem to keep it as separate Open Source publications.
This will not be possible in a next project, where we need to do amendments in the core product. Basically it is about implementing an optional feature (Key ID in the JWKS response). Here we would have a big interest if this can be taken over into the SATOSA distribution, so we do not need to create a fork and maintain that. Our motivation: we encountered an application that expects such and throws errors, if KID is not present. David or I will write a separate email with more technical details on this.
Code is currently hosted here: gitlab.daasi.de
---
Question as to where to host these, either under Satosa or under a separate repository. If hosted under Satosa, then they will need to be managed in parallel with the other changes in Satosa. If hosted separately, then the maintainer (Peter) has more flexibility about how and when code is updated to match. A third option involves having a separate repo for microservices which will allow more flexibility for deployers to choose what to install; this will be the eventual direction for all microservices.
For now, we will add pointers to the gitlab code.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
New releases for pySAML2 (v 6.5.2 and v 7.0)
• https://github.com/IdentityPython/pysaml2/releases/tag/v6.5.2 - added support for the Shib metadata scopes; various bug fixes; see release notes
• https://github.com/IdentityPython/pysaml2/releases/tag/v7.0.0 - breaking change that changes the default encryption methods. Default algorithm is now rsa-oaep-mgf1p
• next: looking at the old PRs for certificates (how we load them, how we use them, etc)
d. pyFF - https://github.com/IdentityPython/pyFF
Thanks! Heather
Hola a todos!
With many people in Europe enjoying holidays the first part of this week, we’re going to go ahead and cancel the idpy developers call tomorrow, May 4. That said, you are welcome to join the informal call I’m having at 16:00 UTC on the changes happening in browsers that impact SSO and federation. I’ve mentioned this on the Slack channel; if you would like to be added to the invite (and haven’t told me that already) drop me a note and I’ll add you.
It is not going to be recorded - did I mention it’s very informal? - but there are slides I’m happy to share.
Thanks! Heather
Attendees:
Johan, Giuseppe, Ivan, Heather, John P, Hannah
Regrets:
Scott, Roland
Notes
1 - GitHub review
a. OIDC - https://github.com/IdentityPython (JWTConnect-Python-OidcRP, JWTConnect-Python-CryptoJWT, etc)
Ivan is considering restructuring how OIDC is used in Satosa, breaking them up from the front end into microservices. Ivan will make a prototype to test out the idea. This is not high on the priority list.
Johan is looking at the next iteration of the OAuth spec (https://oauth.xyz/) Will talk in the future about how that might impact our project.
b. Satosa - https://github.com/IdentityPython/SATOSA
Preparing a bigger release, including many local commits (mostly changes merged into eduTEAMS). Also
• https://github.com/IdentityPython/SATOSA/pull/363 - cookie properties
• https://github.com/IdentityPython/SATOSA/pull/365 - http headers
• https://github.com/IdentityPython/SATOSA/pull/366 - IdP hinting
Expecting to get this out this week.
c. pySAML2 - https://github.com/IdentityPython/pysaml2
Preparing a release for pySAML2. Has merged:
• https://github.com/IdentityPython/pysaml2/pull/778
• also some local commits
Expecting to get this out this week.
After release, will focus on encryption and signing.
d. pyFF - https://github.com/IdentityPython/pyFF
No update
e. Other info
Current priority list for Ivan:
• Refactoring core of pySAML2
• Handling of friendly names
• Changing the configuration to allow custom encryption, decryption, and signing algorithms
• Will add a priority label to current open issues
Heather to add djangosaml2 to the list of projects we check in on during these calls
2 - Discussion
a. Browser interactions and federated identity
Things that are absolutely going to break:
• Global logout in SAML, OIDC front-channel logout, token refresh via iFrame in OIDC
• There are currently no mitigations available; figuring those out is under discussion.
Useful reading material:
• https://github.com/WICG/WebID/blob/main/README.md
• https://github.com/WICG/WebID/blob/main/cookies.md
• https://github.com/IDBrowserUseCases/docs/issues
There will be a workshop, held under the auspices of the W3C's WICG on May 25 & 26 from 10am-1pm US Pacific. This will be free, but you must join the WICG (also free) so we have the necessary IPR coverage. https://www.w3.org/community/wicg/
Thanks! Heather
