Attendees: Johan, Shayna, Scott, Ivan, Roland, Matthew E.
0 - Agenda bash
1 - Project review
a. General -
b. OIDC libraries - https://github.com/IdentityPython (idpy-oidc, JWTConnect-Python-CryptoJWT, etc) -
- Roland updated the fedservice library to work again after some changes to idpyoidc.
- Roland is also working on an openid4v (OID4VCI and OID4VP) package: a testbed or example that will contain the normal components of a digital wallet ecosystem.
  - https://github.com/rohe/openid4v
  - This is a moving target, with specs changing from day to day.
- satosa_oidcop / idpy-oidc issue on Slack about being thread-safe: secrets were not shared between threads. Keys were created on startup and not saved to MongoDB. The fix is to make the secrets static with example configuration.
  https://github.com/UniversitaDellaCalabria/SATOSA-oidcop/pull/47
- Identity assurance support for idpy-oidc: https://github.com/IdentityPython/idpy-oidc/pull/83
  - Also fixes some tests.
  - Waiting for Kostis to look at it. Giuseppe has approved.
c. Satosa - https://github.com/IdentityPython/SATOSA
- Preparing a new release with the new OIDC backend; it requires pulling in idpy-oidc.
- Next step is to work on Roland's MR (https://github.com/IdentityPython/SATOSA/pull/442) removing SAML bits and replacing encryption and signing with cryptojwt. Then crypto will be the dependency and pysaml2 will not be a dependency. That will be a separate, major release since it changes the default dependencies. Include messages so that when someone tries to import a module or use a frontend or backend without pulling in its dependencies, they get an error message.
  - After this, consolidate SAML logout and OIDC logout.
- Should think about introducing server-side storage.
  - SQL? One problem is that manual cleanup is required, but the data is more clearly defined.
  - More specific to sessions: Redis? Cleanup is handled nicely, but licensing may cause problems for some. It is "almost open source": if it is used in a commercial product under certain conditions, there is an issue.
  - Matthew prefers pure open-source solutions. An SQL database helps with a clearly defined schema; non-SQL is hard to figure out.
    - He has struggled with OIDC, figuring out how to do static registration.
    - Need to define the interface and define types: a class that defines how the payload looks.
    - There is also a documentation issue: someone who is knowledgeable but new can't figure out how to do some simple things. As new things are developed and decisions made, Matthew will help with the documentation.
  - Bottom line: the data model is missing.
  - https://github.com/IdentityPython/SATOSA/issues/445
- Passed on to Ali: concerns the existing implementation of pyop and some work that Ali had done.
  - Not sure if they will continue to do any work on pyop.
- There are other open MRs that need follow-up.
  - Typing from Fredrik and Johan is still waiting; will get to it after the next release.
d. pySAML2 - https://github.com/IdentityPython/pysaml2
- Fixing MR/PR issues regarding changes in the modules and dependencies used: things like Python version changes, modules changing behavior, etc.
  - https://github.com/IdentityPython/pysaml2/issues/917
  - https://github.com/IdentityPython/pysaml2/issues/904
  - https://github.com/IdentityPython/pysaml2/issues/934
  - https://github.com/IdentityPython/pysaml2/issues/921
- A user gets a response from the IdP with attributes. One defines the type of the attribute value, and within the type it mentions a prefix. The prefix is defined with an XML namespace; handling this is called QName-awareness. The built-in XML parser removes the namespace.
  - xsi:type: the Python parser is not QName-aware.
  - xpath: the C implementation that Python uses is smaller than lxml but limited.
  - This can be fixed by using lxml, an XML library with C bindings, but it also adds other issues and complexity. It has to be configured correctly. Making this a compatible change is not easy.
  - There is also a schema checker that may be of help. Ivan will check with the developer.
  - Ivan could make lxml an optional dependency.
  - Ivan has done half the work but is concerned about whether he should invest more time.
  - A fundamental issue is that Python garbage collection does not work well with C-layer memory management. Deployers using SATOSA with that library would need to restart their servers frequently. For example pyff, which uses lxml, needs to be restarted hourly in a production deployment Scott has.
- https://github.com/IdentityPython/pysaml2/pull/924
  - Need to get to this one: it configures the encryption algorithms. The same should be done for signing algorithms.
- Issues around how temporary files are deleted, mostly affecting Windows users. Proposal on how to make it independent of platform. Usually these temp files are certificates or templated XML that will be signed. Ideally we could work in memory for these types of things.
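To make the QName problem concrete, here is an added example (not pysaml2 code, and the SAML snippet is constructed for the demonstration). The stock xml.etree parser hands back xsi:type="xs:string" as the literal string "xs:string": the "xs" prefix is just text, and the binding to the XML Schema namespace declared on an ancestor element is gone. The second attribute uses a different prefix bound to the same namespace, which is why a correct comparison must be on (namespace URI, local name), not on the prefixed string. The helper shows one standard-library workaround: track in-scope namespace declarations with iterparse's start-ns events and resolve the prefix yourself.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed sample: a SAML-style assertion whose attribute values carry an
# xsi:type. The "xs" prefix is declared on the root; the "t" prefix is declared
# locally on one AttributeValue and maps to the same namespace URI.
SAMPLE = b"""<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue xsi:type="xs:string">alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="uid">
      <saml:AttributeValue xmlns:t="http://www.w3.org/2001/XMLSchema"
                           xsi:type="t:string">alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_VALUE_TAG = "{%s}AttributeValue" % SAML_NS
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def naive_types(xml_bytes):
    """What ElementTree gives you: the raw prefixed string, with no record
    of which namespace the prefix was bound to when the value was parsed."""
    root = ET.fromstring(xml_bytes)
    return [v.get(XSI_TYPE) for v in root.iter(ATTR_VALUE_TAG)]


def qname_aware_types(xml_bytes):
    """Resolve each xsi:type to (namespace URI, local name) by tracking the
    namespace declarations in scope at the element where the value appears.

    iterparse emits 'start-ns' for each xmlns declaration just before the
    'start' event of the element that carries it, so declarations are
    collected and attached to the next element's scope; scopes are popped
    on 'end' so a locally declared prefix does not leak to siblings."""
    resolved = []
    ns_stack = [{}]       # stack of in-scope prefix -> URI maps
    pending = []          # declarations seen since the last 'start'
    events = ET.iterparse(BytesIO(xml_bytes), events=("start-ns", "start", "end"))
    for event, payload in events:
        if event == "start-ns":
            pending.append(payload)          # payload is (prefix, uri)
        elif event == "start":
            scope = dict(ns_stack[-1])
            scope.update(pending)
            pending = []
            ns_stack.append(scope)
            if payload.tag == ATTR_VALUE_TAG:
                qtype = payload.get(XSI_TYPE)
                if qtype is not None:
                    prefix, _, local = qtype.rpartition(":")
                    uri = scope.get(prefix)  # "" looks up the default namespace
                    if prefix and uri is None:
                        raise ValueError("undeclared prefix %r in xsi:type %r" % (prefix, qtype))
                    resolved.append((uri, local))
        else:  # "end"
            ns_stack.pop()
    return resolved


if __name__ == "__main__":
    print(naive_types(SAMPLE))        # prefixes only, not comparable across documents
    print(qname_aware_types(SAMPLE))  # both values resolve to the same (URI, "string")
```

The naive result differs between the two attribute values even though they declare the same type, and the same prefix could equally be bound to a different namespace in another IdP's response. This is the trade-off the notes describe: lxml keeps the mapping for you (each element exposes its nsmap), while the standard-library route means doing the scope bookkeeping yourself.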
e. Any other project (pyFF, djangosaml2, pyMDOC-CBOR, etc)
- Leif made two new pyff releases, 2.1.0 and 2.1.1. We should get him to summarize the changes for us.
- RDCT/SCG is making a standalone seamless access deployment using pyff, thiss-mdq and thiss.js. Once in production it will be packaged up in a reusable way for others to deploy. Arlen Johnson is working on some of the packaging, and Hannah S will work on an all-inclusive docker compose project, generalizing it to contribute to the Docker official images library or something similar.
2 - AOB
- Next meeting is 21 November 2023. There is a wallet meeting that day, but it is scheduled to be done by the time of this meeting.
*Idpy meeting 10 October 2023*
Attendees: Johan, Matthew, Hannah, Shayna
0 - Agenda bash
1 - Project review
a. General -
b. OIDC libraries - https://github.com/IdentityPython (idpy-oidc,
JWTConnect-Python-CryptoJWT, etc)
c. Satosa - https://github.com/IdentityPython/SATOSA
- Everyone who had attended the SATOSA PR-431 SLO review felt it went well. Matthew E. was encouraged to see that limitations to pysaml2 were acknowledged. Shayna will reach out to Ali H. for updates on when he has/will push his changes so he and Hannah S. can collaborate on a vision for single logout.
- Matthew E. is working on the SATOSA container; he knows the current one is out of date. Ivan merged some changes on pyop and Matthew has a better understanding of the newer OIDC libraries, so he wants to come up with a working test config for OIDC and include it in the sample configuration of the container. He is not sure where to find a test OP.
d. pySAML2 - https://github.com/IdentityPython/pysaml2
e. Any other project (pyFF, djangosaml2, pyMDOC-CBOR, etc)
2 - AOB
- Next meeting is 24 October 2023.
On 2023-10-05 15:24, Heather Flanagan wrote:
> I'm a little uncomfortable accepting a project sight-unseen. Are you
> willing to make sure it conforms to idpy's code guidelines in a
> reasonable amount of time if/when it's accepted under the project umbrella?
>
Absolutely. We may just publish it under BSD-2 under the wwwallet.org
organization on github and then talk about its future!
Cheers Leif
A clarification: there is very little python today in the project. We
are working on this but I want to be clear that this is a borderline for
idpy because of this.
Cheers Leif
On 2023-10-04 23:23, Giuseppe De Marco wrote:
> Very interesting and useful!
>
> Is there any GitHub/bitbucket/gitlab public repository to have a quick
> dive in its sources?
We would like to hold off on publishing the source until we know where
it should land...
>
> I assume that it represents an entire wallet solution, composed of a
> wallet provider and wallet app, and that the wallet app is a web based
> app, not intended for any appstore
Correct.
>
> Congrats, it looks good
>
> On Wed 4 Oct 2023, 22:09 Leif Johansson <leifj(a)sunet.se> wrote:
>
> Hello
>
> Today I represent the "unnamed FIDO wallet" project (aka wwwallet.org).
> This is a project started by GUNet, Sunet and yubico with the goal of
> building a FIDO-based wallet based on OpenID4vc and vp profiles and
> sd-jwt credentials.
>
> We would like to propose this project for inclusion in idpy.
>
> The project is in an early phase but we are confident that it has the
> potential to become a staple of the wallet ecosystem because of its
> simple design. The organizations are currently funding the work within
> the framework of the EU digital wallet LSPs.
>
> The backend of the project is python and pretty clearly in scope of the
> idpy family of projects (being all about identity) but since there is
> web involved there are other technologies present such as html and js.
> We believe python-based WASM could play a role in the project in the
> future. Our goal is to make a scalable fully secure "cloud" wallet with
> support for multiple credential and registry technologies.
>
> The project is in its infancy but needs an organizational home. Funding
> is not a problem for the next few years at least at which point we hope
> interest in a web based FIDO-wallet will make this a self-sustaining
> part of the idpy family. The project does not have a separate webpage
> yet and we are hoping for a decision in idpy before we bring the first
> public version of the code into the idpy org on github. We plan to
> publish under a BSD-2 license.
>
> We are already well integrated into the idpy family of projects and plan
> to use satosa as our primary issuer/verifier implementation for testing
> and development.
>
> A public demo is available at demo.wwwallet.org
>
> Best R
> Leif
> _______________________________________________
> Idpy-discuss mailing list -- idpy-discuss(a)lists.sunet.se
> <mailto:idpy-discuss@lists.sunet.se>
> To unsubscribe send an email to idpy-discuss-leave(a)lists.sunet.se
> <mailto:idpy-discuss-leave@lists.sunet.se>