*Idpy meeting 27 January 2025*
Attendees: Johan L, Shayna, Ivan, Mikael, Matthew, Enrique, Hannah
0 - Agenda bash
1 - Project review
a. General -
- Documentation pain points run-through / mock SAML workflow / mock OIDC workflow
  - Matthew has a GitHub repo that mocks up a SAML authentication flow using pytest. pysaml2 is needed for a client to write more than one identity provider, and a service provider to test those identity providers - https://github.com/xenophonf/mock-saml-flow
    - Has a configuration for IdP and SP from his Satosa configuration.
    - There is some documentation for the configuration, but one challenge is that the configuration is entirely a mapping. There are no type hints; things aren't discoverable in his development environment.
    - Doesn't want to get into Flask, just wants to concentrate on using what pysaml2 calls a Server and a Client. However, there is no documentation on the classes and methods to use.
      - No API documentation
      - The simple examples included in the code base just tell you how to run it, not how to use the code
      - One option is to go to the example code and try to figure out how to develop an SP or IdP, but reading the source code is really hard.
        - What is repoze?
        - It's not clear where to start. First guess is to start in idp_uwsgi.py, skimming for things like URL routes (where do authentication requests come in/go out?). Only able to find an SSO class. How is this invoked?
      - Conclusion: it takes too long to figure out how to find the basics of what you need to know.
      - Another option - test suite. Not successful here either.
      - Next option - reading through Satosa code. Found Server class. There are no type annotations and no docstring for the method to create. There are some docstrings for the other functions, some params, some information, but not enough to know what to use when. Found the create_authn_response() method but there is no information on what should be provided for a good SAML response or what structure it should follow - the only way to get this information is trial and error.
    - idpy-oidc documentation looked more promising
      - Encouraged by the newer style of the documentation page.
      - Wanted to write a small RP - looked at client documentation
        - There is a workflow, describing the process and a high-level overview of how OIDC RPs work. Very helpful.
        - API documentation is lacking. No method signatures. For example, is issuer_id the only argument the begin() method takes? But the Tier1 API design is good.
        - No examples on how to instantiate the IdP
        - Left reading through the source code again, trying to intuit from example code and test code how to do it.
      - When looking to write code to have a test OP (to test the RP) - Server code - the documentation only tells you how the configuration directives work. No API calls, no example code, no examples of instantiation.
    - SQLAlchemy ORM is an example of great documentation on how to get going - type annotations, explaining what each parameter is for, etc.
    - For mock SAML - took 2 months to write 179 lines of code
    - Kushal has tried to document some examples - https://kushaldas.in/learningsaml - unfortunately this starts from a place beyond where Matthew's knowledge is
  - Ivan is the person Matthew and Hannah will need to talk to to get their project going. First focus on the SAML backend for Service, SAML frontend for IdP. This won't give the complete picture but it's a start.
    - For Service: https://github.com/IdentityPython/SATOSA/blob/master/src/satosa/backends/sa…, especially authn_request and authn_response
    - For an IdP: https://github.com/IdentityPython/SATOSA/blob/master/src/satosa/frontends/s…, especially handle_authn_request and _handle_authn_response
  - Ivan acknowledges there is no developer documentation
    - Initial step: address docstrings
    - Need to define public API methods and documentation - this would be 90-95% of what you can do with SAML
  - The examples are old, and sometimes create confusion (for example, the Server in pysaml2 is an IdP, the Server in the examples is a WSGI server, the Server in Satosa is a proxy server).
  - A referenced example against a SAML trace would be very helpful
b. OIDC libraries -
https://github.com/IdentityPython (idpy-oidc, JWTConnect-Python-CryptoJWT, etc)
c. Satosa -
https://github.com/IdentityPython/SATOSA
- LDAP plugin release coming
- Matthew will have a new SATOSA Docker image out next week
d. pySAML2 -
https://github.com/IdentityPython/pysaml2
- release coming to address xml enc changes and introducing types around entity categories from Frederik and Johan.
e. Any other project (pyFF, djangosaml2, pyMDOC-CBOR, etc)
- Roland's code has been moved under Sunet - mostly related to openid federation and credential/wallet. Let's have a discussion whether some of these need to be moved under IdPy
- SUNET/openid4v
- SUNET/satosa-idpy
- SUNET/satosa-openid4vci
- SUNET/fedservice
- SUNET/idpy-sdjwt
2 - AOB
3 - Action items
- Pull out questions Matthew raised one by one and document them
  - For example, some classes were machine generated based on schema changes (Matthew suspected this) - perhaps we should add docstrings to explain how/when this was done