*Idpy meeting 26 September 2023*
Attendees: Ivan, Johan, Matthew, Hannah, Shayna
0 - Agenda bash
1 - Project review
a. General -
- Kushal Das - new to idpy - will initially focus on configurations.
b. OIDC libraries -
https://github.com/IdentityPython (idpy-oidc, JWTConnect-Python-CryptoJWT, etc.)
- Matthew is deploying satosa-oidcop. What are the plans for integrating it with a new release of SATOSA? The old oidc-op does not work out of the box with SATOSA 8.4 and the current version of pyop. Since this is effectively a breaking change, his recommendation is to go ahead and make the jump to the new satosa-oidcop. Enterprise deployments don't work with the old version of oidc-op since pymongo has moved on. Matthew has concerns about the Docker container: it should be release quality for enterprise users. He would be happy to bake satosa-oidcop into the next version of the container. Or should he stay in lock step with SATOSA releases?
- Ivan says they can make changes to make pyop work and release. Will
leave it in since some people are using it.
- The plan is to keep everything and allow people to use frontends by
including them and configuring them on the deployment side.
- The plan is not to include satosa-oidcop in the SATOSA repo. It has its own repo with its own lifecycle and dependencies. They will keep things aligned, though, since people will be using it and will report if something breaks.
- satosa-oidcop could be brought into idpy but it is up to Giuseppe.
- There is another frontend that should have been released already by
GÉANT but Christos was at TechEx and has had some obstacles. That would
also be a separate repository with its own release schedule.
- Ivan says it is ok to incorporate multiple frontends into the
container and allow the user to configure whichever ones they want.
- SATOSA is intended to be a building block; the Docker image is the integrator so that you can actually use the product and bring it up. SATOSA is the core.
- Roland's PR to separate SAML parts from SATOSA is evidence of this separation. We shouldn't have to build with pysaml2 in SATOSA if you don't need it. You could even use another SAML library. SATOSA is a plugin system that gives you a core internal abstraction of information for authentication and authorization which is then translated to multiple other protocols, and you can use whatever libraries you want to use.
- Matthew still has a PR on pyop.
- Ivan has questions on how to use idpy-oidc to configure a client that wants to use the client_secret_jwt authentication method; he will post to see if Giuseppe or Roland can answer.
c. Satosa -
https://github.com/IdentityPython/SATOSA
- Matthew is sending slides to the mailing list for single logout that were presented at TechEx. Meeting will be 10/4.
http://internet2.edu/wp-content/uploads/2023/09/20230920-sebuliba-satosa-sl…
- A new SATOSA release is imminent. There are a few more PRs to merge:
- https://github.com/IdentityPython/SATOSA/pull/427 - SATOSA maps between protocols using configuration that lists what should happen with particular profiles. Apple does things differently: it returns attributes/claims that are dictionaries with their own keys and values. This causes conflicts when trying to look up mappings. The choice is either to make the code more flexible (not throw exceptions and just ignore those keys/mappings), or to separate Apple into its own profile, which would make things more verbose but also more explicit. Since things are only slightly different with Apple signing, Ivan's first instinct is to merge with the OIDC backend and make the code more flexible. But if Apple changes more things (which is likely), we should probably be treating it as something different.
- https://github.com/IdentityPython/SATOSA/pull/419 - has to do with how we map some concepts between SAML and OIDC. It maps SAML's is_passive to another concept within OIDC, which is the ability to request offline access to the user's information even when the user is not present, for which OIDC recommends using a prompt for the user to approve. This PR is about making is_passive a hint to disable the prompt (prompt=none). The OIDC spec allows this but strongly recommends using the prompt. We should make this something that is explicitly configured: available but disabled by default. Needs some work: code changes, and documenting the option and its consequences clearly.
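As an added illustration (not SATOSA code) of the explicit, off-by-default mapping discussed above, extended with the reverse direction: turning the OP's prompt=none error back into a SAML NoPassive status so the SP learns that interaction is needed. The option name allow_passive_prompt_none and the dict shapes are assumptions made for this sketch.

```python
"""SAML IsPassive <-> OIDC prompt handling for a SAML-frontend/OIDC-backend proxy.

Added example, not SATOSA code. The config key allow_passive_prompt_none and
the request/response dict shapes are assumptions for illustration; the SAML
status URIs and OIDC error codes are the standard ones.
"""
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

# Errors an OP may return to prompt=none when it cannot proceed without the user.
PROMPT_NONE_ERRORS = {"login_required", "interaction_required",
                      "consent_required", "account_selection_required"}

DEFAULT_CONFIG = {"allow_passive_prompt_none": False}  # disabled unless the deployer opts in


def build_authz_params(saml_request, config=None, client_id="rp-client",
                       redirect_uri="https://rp.example/cb"):
    """Map a SAML authn request (e.g. {"is_passive": True}) to OIDC authz params.

    prompt=none is emitted only when is_passive was requested AND the deployer
    explicitly enabled the option; otherwise the hint is dropped and the OP may
    still interact with the user, which is what the spec recommends.
    """
    config = {**DEFAULT_CONFIG, **(config or {})}
    params = {"response_type": "code", "scope": "openid",
              "client_id": client_id, "redirect_uri": redirect_uri}
    if saml_request.get("is_passive") and config["allow_passive_prompt_none"]:
        params["prompt"] = "none"
    return params


def map_authz_response(oidc_response, is_passive):
    """Translate the OP's authorization response into a SAML status URI.

    With prompt=none the OP answers with an error code instead of a code; a
    passive SAML request must then get NoPassive rather than a generic failure.
    """
    error = oidc_response.get("error")
    if error is None:
        return SUCCESS
    if is_passive and error in PROMPT_NONE_ERRORS:
        return NO_PASSIVE
    return AUTHN_FAILED
```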
- https://github.com/IdentityPython/SATOSA/pull/441 - SATOSA YAML parser needs to be extended. Already merged.
- https://github.com/IdentityPython/SATOSA/pull/442 - Roland's work. There is some work to be done on correctly configuring the dependencies and adding error messages when SAML is not there, alerting the user that if they want to use SAML they need to take special action now. This is a breaking change, so it will probably not be merged right now; it will go in its own release, with info on how to get the previously expected behaviour.
- https://github.com/IdentityPython/SATOSA/pull/435 - still thinking on this one. Once it is done, people will expand and use the typing; may bring in Kushal on this one. Open to suggestions.
d. pySAML2 -
https://github.com/IdentityPython/pysaml2
- Not much work done recently - minor updates on dependencies - merged a
PR about clearing up log messages.
- https://github.com/IdentityPython/pysaml2/issues/917 - issue with importlib-resources. Python provided the ability to manage files/folders (resources): you could ask the package for info on a resource and didn't need to know the specific path. In the next release they deprecated some functions that were being used. Now things are breaking for all Python versions; need to figure out how to do things in a different way.
- Matthew E wrote something similar for a personal project; it uses pkgutil and importlib. Matthew will send it to Ivan and Ivan will take a look to see if it's helpful.
- Python packages are zip files; there are ways to install without unzipping. So sometimes you are not looking at actual files and directories, but instead at a virtual unzipped image in memory. At that point the path is a virtual thing, a memory pointer. Ivan needs to figure out how to reach into these virtual places using the methods that are left.
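An added example (not pysaml2 code) of the "virtual path" situation just described: a throwaway package with one data file is zipped, imported straight from the archive, and its resource read through importlib.resources.files(), which returns a Traversable that works for both on-disk and zipped packages. The package name demo_zipped_pkg, the file schema.xsd and its contents are constructed for this demo.

```python
"""Reading a package resource that may live inside a zip archive.

Added example, not pysaml2 code. demo_zipped_pkg, schema.xsd and its contents
are constructed; files() is the zip-safe replacement for the deprecated helpers.
"""
import importlib
import importlib.resources
import os
import sys
import tempfile
import zipfile

PKG = "demo_zipped_pkg"      # constructed package name
RESOURCE = "schema.xsd"      # constructed sample resource
SAMPLE = "<xs:schema/>"      # constructed contents


def build_zipped_package(directory):
    """Write pkg.zip containing demo_zipped_pkg/__init__.py and schema.xsd."""
    archive = os.path.join(directory, "pkg.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(f"{PKG}/__init__.py", "")
        zf.writestr(f"{PKG}/{RESOURCE}", SAMPLE)
    return archive


def read_resource(package, name):
    """Read a resource without assuming it is a path on disk: files() yields
    pathlib.Path for a normal install, zipfile.Path for a zipped one."""
    return importlib.resources.files(package).joinpath(name).read_text(encoding="utf-8")


def demo():
    """Import the package from the zip; return (resource text, exists on disk?)."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = build_zipped_package(tmp)
        sys.path.insert(0, archive)
        try:
            importlib.invalidate_caches()
            mod = importlib.import_module(PKG)
            text = read_resource(PKG, RESOURCE)
            # Hand-built paths break here: the file only exists inside the zip.
            guessed = os.path.join(os.path.dirname(mod.__file__), RESOURCE)
            return text, os.path.exists(guessed)
        finally:
            sys.path.remove(archive)
            sys.modules.pop(PKG, None)


if __name__ == "__main__":
    print(demo())
```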
- Ivan will look into open issues and then prepare a release for pysaml2.
e. Any other project (pyFF, djangosaml2, pyMDOC-CBOR, etc)
- A new release of pyXMLSecurity came out August 24; semantic versioning was added. One PR had to do with whether the signature is correct for self-signed or CA certificates. The pysaml2 backend can also use pyXMLSecurity; Ivan needs to check that it still works.
- Waiting for a new release of pyFF.
- FedCM - there are recent developments in the W3C privacy group and the Federated Identity Community Group (previously the Federated Credential Manager community group). Chrome has a new API they are proposing called FedCM, to work around the Google identity access management library that relies on third-party cookies. They want to kill link decorations as well, which will break SAML, OAuth2, OIDC, etc. When an IdP needs to do something, or an RP needs to send a user to an IdP, FedCM can instruct the browser using this JavaScript API to get consent from the user to allow the link decoration and third-party cookies before going to the next "hop". For authentication intermediaries, there are a lot of implications with this. People involved in talks about this: Zacharias Törnblom (Sunet), Philip Smart at Jisc (has a demo), Chris Phillips (Canarie), Leif, Albert Wu, Nicole Roy, Scott Cantor. See:
https://wiki.refeds.org/display/GROUPS/Browser+Changes+and+Federation
- This will be a particular problem for Research Collaborations using the AARC blueprint.
- These escalation prompts may hide discovery and drive IdP selection toward Google.
- Google will turn this on progressively, possibly starting in November.
- Invite Judith Bush to talk?
- Questions on whether this will actually move forward and who will follow suit. Chrome and Google is what we're talking about here; Mozilla and Microsoft are more into those discussions. Apple/Safari seems to be doing its own thing. Vittorio Bertocci was also in the discussion but has dropped out due to illness. The companies he was involved in, Okta and Auth0, are against the changes, and probably the banks too. Google wants to enable it but keeps postponing, saying 2024.
2 - AOB
- Next meeting 10 October 2023
Thanks,
Shayna