Attendees: Johan Wassberg, Shayna, Ivan, Roland, Matthew E., Hannah
0 - Agenda bash
1 - Project review
a. General - Welcome to Johan Wassberg - working with SWAMID
b. OIDC libraries - https://github.com/IdentityPython (idpy-oidc,
JWTConnect-Python-CryptoJWT, etc)
- Roland has been working on a front end to SATOSA to be a credential
issuer for a digital wallet system - it is built and running!
- It has a number of endpoints - an authentication endpoint which can be
mapped to a number of backends, but also a credential
endpoint - to receive
a credential. Initially this used a SATOSA backend connected
to credential
constructor. This could be considered "twisting the arm" of
SATOSA , so
instead there is now an API with a built-in credential
constructor. Using
the API you could also call a service outside SATOSA for an
authenticated
user with an id token. The credential issuer uses a trust
pattern , which
is the OpenID federation. Roland says he should probably make
a OP frontend
without the credential issuer stuff in it , but with the
federation stuff
in it. If you want to test, you need a number of entities : SATOSA, a
wallet, and a federation with at least a trust anchor, wallet
provider and
a PID issuer (or some other credential issuer).
- Roland is writing documentation from the digital wallet point of view.
He wants to write it so that different audiences have their
own targeted
documentation; for example one section for IT architects or
CIOs, another
for deployers, another for developers who wish to extend the
capabilities.
- Discussion on how to register an OIDC RP with satosa-oidcop
- using *https://openidconnect.net/* <https://openidconnect.net/> (test
RP) and entering
*https://federation.scienceforum.sc/.well-known/openid-configuration*
<https://federation.scienceforum.sc/.well-known/openid-configuration>
for configuration, Matthew E receives "response type is not
registered"
errors.
- client needs to define property which indicates what response types
are allowed - by default it seems nothing is set. Matthew E
also reported
looking in database and saw no clients. May need to
statically register a
client - add an entry with Client id, client secret, client uri, and
probably some structure that defines response types that
client should be
using. May need to get Giuseppe involved. There doesn't seem to be an
example with the repo, and Matthew has looked through the
code and can't
seem to get it working correctly.
- Roland says there are a number of classes you can use to implement the
client database - it behaves like a dictionary. Roland could possibly
provide a configuration file that provides hints how to implement. For
instance, with the credential issuer frontend he didn't want to use
mongoDb, so he used a simple persistent layer with a
key-value database
behind it - implemented where the file name is the attribute
name, values
are json within the file. He can provide an example of this.
It would be
easy to add a client in this case - just drop a new file in a specific
directory, with a name that follows a convention and the
content as json
with the appropriate attributes (client id, client secret,
redirect uri)
c. Satosa - https://github.com/IdentityPython/SATOSA
- Many things are pending/need review and Ivan will look at them soon.
- New PRs from Johan:
- https://github.com/IdentityPython/SATOSA/pull/449 - current
implementation only generates parts of the metadata - doesn't
include all
backends/frontends
- https://github.com/IdentityPython/SATOSA/pull/450 - want to be able to
set a preferred backend when generating metadata where
multiple backends
are available - problematic because routing is based on which
endpoints the
request comes through. In other words: One of the proxies SUNET is
operating is set up such that there are multiple back ends
and these are
combined into one front end. There are multiple entity
descriptors with no
root. Also, the endpoints within the descriptors contain all
the backends.
It would be better to be able to select which endpoints of
which back end
are included in the metadata of the front end - a new option for a
preferred backend. Changes current behavior of the proxy, but
this problem
needs to be addressed. Ivan needs to experiment and recreate
this SUNET
environment. This opens up a new concept for SATOSA -
multi-tenancy. You
would be able to specify which back ends can talk to which
front ends -
multiple groups - where policies are applied. This is a
complex concept to
implement.
- https://github.com/IdentityPython/SATOSA/pull/451 - extend SATOSA
support paths beyond the root of the domain - Kristof created a new PR
after closing old one, with a clearer path on how to move forward
- https://github.com/IdentityPython/SATOSA/pull/438 - enriching data
structure of SATOSA with metadata information about oidc services. Adds
some things using conventions from oidc, but it is missing some useful
information that should be there - it's not taking into account how those
things are named/treated in the SAML world. You need to know
first whether
this is a SAML service or OIDC service to determine how to represent
things. Ivan will write a review. Hoping to get Pavel to do some of the
work.
- https://github.com/IdentityPython/SATOSA/pull/419 - involves
IsPassive/ForceAuthn in SAML, prompt in OIDC. Prompt is usually mandatory
when offline access is requested. Pavel wants to proxy this
concept through
ForceAuthn and IsPassive - if set, then prompt is skipped; or
reverse - if
prompt is no, IsPassive is set in SAML request to IdP. And when
ForceAuthn
is there - Internally store the association , then set with
ForceAuthn. The
work to make it configurable is done. Needs review to make sure it done
correctly. This is important for legal reasons - prompt is used
as consent.
Want to make sure that the new capability is available, but that the
defaults don't interfere with what is already in existence.
- https://github.com/IdentityPython/SATOSA/pull/452 - moving away from
SHA1 , removed from xmlsec. Needs to be removed from places it is used in
SATOSA as default. The PR allows new parameters to specify which
algorithms
to use. Needs some review and guidance, but should go in soon. Ivan also
needs to see what xmlsec is doing.
d. pySAML2 - https://github.com/IdentityPython/pysaml2
- Not much activity, but there are two issues that are annoying.
- https://github.com/IdentityPython/pysaml2/issues/944 - problems with
Windows temporary files . There is a template that acts as a
configuration
as to how a request or response should be signed. A temporary file is
written to (the temp file is an actual class within Python
ecosystem / core
Python libraries). Then xmlsec reads from this file to know
what to do.
Once a temporary file (that was created through the core
Python library) is
opened, Windows won't let other processes open the file and
read it. Python
should be addressing this rather than the project, but it's
not happening.
Ivan has a workaround that was never pushed - taking
advantage of Python
garbagecollector. Ivan will push and have the user test.
- https://github.com/IdentityPython/pysaml2/issues/946 - race condition.
Pysaml2 keeps state internally - in either an in-memory
dictionary or a
shelve file (Python-related) - a binary file that can be shared across
processes. User is using the shelve module for state in a
multi-processing
service. Processes are trying to access the file at the same time. One
process errors out and then the shelve module is corrupted.
Solution would
be to expose the state and manage it through a database or
some other way.
An interface is needed for this state, with proper adapters
to be able to
write or read from the storage back ends. Then using the
shelve module or
the in-memory dictionary (mySQL, Rides. etc) is a
configurable option. This
PR needs work to build that interface, carefully. Ivan will write a
response to this, but there are other priorities right now.
- There are some other pending PRs.
- There are some commits on the master branch and they will be creating
a new release.
e. Any other project (pyFF, djangosaml2, pyMDOC-CBOR, etc)
- Ivan knows there was discussion on djangosaml2 - adding support for
the content security policy headers. Not sure if there was a new release.
- pyff - there was a patch release previously.
- no activity on pyMDOC-CBOR - not clear if CBOR will be used as one of
the formats.
2 - AOB
- Matthew E has been using github actions -for a personal project, he
has a working github actions workflow that does linting and formatting
checks (purely style and syntax), testing (using pytest), a semantic
release build, and PyPI /github packages publishing.
- not sure how to do branch protection rules - Matthew will get this
figured out
- He will come back with some proposed configs ( aiming for 2 weeks)
- can use github oidc connector to authorize PyPI to get credentials
- doesn't need PyPI login. Ivan would just need to authorize the git
repositories, github action workflows and environment within the repo
- idpy not using travis CI anymore - it wasn't working
- Matthew is willing to offer his work in this area - can set up
something using TestPyPI. These are his pre-commit and ci yml files.
- https://github.com/irtnog/lethbridge/blob/main/.pre-commit-config.yaml
-
https://github.com/irtnog/lethbridge/blob/main/.github/workflows/ci.yml
- pysaml2 - Ivan says there are 2 PRs to introduce using githubactions
and pre-commit configuration. He has not had time to look into them. To run
tests on pysaml2, run "poetry pytest" and they also use tox.
- https://github.com/IdentityPython/pysaml2/pull/816
- https://github.com/IdentityPython/pysaml2/pull/882
- SATOSA - Ivan thinks we should do the same here. Decide on what the
configuration should look like. SATOSA also uses pytest with the options
you want. Has not been converted to use poetry. SATOSA would need more work
- linting etc has not been applied.
- pysaml2 had all this stuff incorporated in one big commit.
Sorry, I left the wrong date at the top of the agenda for the idpy
developers meeting. It should say "Tuesday, 9 January 2024, 14:00 UTC"
Thank you,
Shayna Atkinson
SCG Consulting Group
Dear all,
I’m pleased to announce a long overdue update to the Docker Official
Image for SATOSA, which includes several significant changes:
- SATOSA 8.4
- Python 3.12
- Debian 12 “bookworm”
- Alpine Linux 3.19
The updated container image is now available from Docker Hub. For more
information, see https://hub.docker.com/_/satosa.
Happy holidays!
Matthew
--
"The reason that ed is the standard editor is to remind you that
things could be worse, and once were." -- Tim Lavoie in comp.lang.lisp
*Idpy meeting 19 December 2023*
Attendees: Shayna, Ivan, Roland, Matthew E.
0 - Agenda bash
1 - Project review
a. General -
b. OIDC libraries - https://github.com/IdentityPython (idpy-oidc,
JWTConnect-Python-CryptoJWT, etc)
- idpyoidc 3.0.0 released
- openid federation implementation - Roland has openid4v (wallets) -
assumed openidconnect at base but it is oauth.
- Reminder that client registration information is not
well-documented.
- SATOSA container generates xml so that a newbie can get it going;
intent is to have a docker compose project that can stand up an oidc
environment and showcases all different integrations
- Roland has SATOSA OP frontend that is sort of based on Giusppe's
work, but partly new. He has the federation support. Didn't want to be
dependent on MongoDb, has persistence layers with store/fetch. Ideally
there is a function to register an OP (independent of backend).
- Ivan acknowledges that registration process is not well
documented and assumes pre-existing knowledge. Also does not have good
examples. He has not really used the dynamic registration,
but has used
static registration with the database for client data. He has used
different authentication methods for the clients: basic auth or client
secret post. Beyond that things get strange. Basic use cases
are there and
some advanced ones, but some may be missing. The problem is
there is not
just one level of documentation - are you a user, a
developer? Roland has
worked hard on base documentation for idpyoidc at
https://idpy-oidc.readthedocs.io/ but it needs to be updated.
This is for the library. The front end is one layer above and
we could use
documentation for that as well.
- openid federation adds a whole different layer to this. Clients
no longer register, they just become members of the federation.
c. Satosa - https://github.com/IdentityPython/SATOSA
- Considering how to expose metadata in openid federation format
- Some work required before making a new release
- Need to pull in Roland's PR separating pyoidc and pysaml2 from core
- Looking at PR on plugin for getting session info from SAML
entities - but the project tries to keep plugins protocol
agnostic (this is
clearly SAML specific).
- This brings up: how do you map from oidc to SAML? Right now
claims and attributes are mapped; scopes are there but not
really reflected
in internal data. Acr claim and amz claim are also not
reflected in
internal data. Need a document on how to map between the
protocols and
derive the internal data. This is needed if we want to
extend the core with
more protocols.
- jwt token from saml transaction (there is a spec)
d. pySAML2 - https://github.com/IdentityPython/pysaml2
e. Any other project (pyFF, djangosaml2, pyMDOC-CBOR, etc)
- Matthew working on getting SeamlessAccess pieces into one
release-ready container. If you have feet in both oidc and SAML worlds,
how do you take advantage of scalable federations in both with a
consistent
user experience? He's been coming up with ideas mostly surrounding
mirroring in SATOSA, to expose oidc as SAML. It is tricky, treating the
oidc entities the same as saml identities.
- Discussion of how to handle this; pictures attached.
2 - AOB
- Next meeting 9 January and then every 2 weeks after that
Im looking on how to verify the in_response_to id of the authentication
response.
Most examples use allow_unsolicited to ignore this so it is a bit hard to
find good sources.
Many of those examples also reference to a "built-in cache for authn
request ids in pysaml2", but I can't find any usage of that anywhere.
I have tried to do this myself by just saving the ids I send to a
dictionary and then give them as a parameter
to parse_authn_request_response.
My question is this. How should this really be done? Is there a built in
cache or what is the recommended way of verifying the in_response_to ids?
Thank you
--
Stefan
Attendees: Johan, Shayna, Matthew, Hannah
Due to the absence of the key developers, we talked about Matthew's work in
python release engineering with gihub actions, and how we can potentially
improve the build process / user experience in deploying docker
container-based tools (in many areas, not just the idpy world).
Next meeting is 5 December 2023.
