[OpenID] openid server conformance testing or 'black box' unit tests?

Johnny Bufu johnny at sxip.com
Sat Mar 31 02:48:29 UTC 2007

> http://www.openidenabled.com/resources/openid-test/diagnose-server/

I tried using the URL above to test our sxipper.com server, and got
an association failure when I use HTTPS identifiers.

Looking closer at what happens, it seems that when an HTTPS identifier
is presented the test code chooses not to do Diffie-Hellman sessions
(which makes sense), however:

- the HTML display says that it's attempting a DH-SHA1 association

- the openid.session_type param is missing from the association  
request (if I'm reading the specs right, it's not optional in either  
OpenID 1.x or 2.0)

- when sxipper.com replies with openid.session_type= [blank], the  
test page says
	Session type mismatch. Expected None, got ''

I'm not sure if the "Default: blank" session type was
intended to also mean optional (as is the case with the dh_
params). All the RPs I've tested against seem to use DH sessions, so
I'm not sure what the best way to deal with this is.

However, I think the test script / page should accept a blank value  
for the session param.
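
One way a conformance check could treat a missing and a blank session_type as the same cleartext session, as an added example that is not part of the original post and not the openidenabled.com test code. The function names and the sample response are constructed for illustration, and treating "absent" and "blank" as equivalent is an assumption.

```python
# Added illustration; names and sample data are hypothetical.

def parse_kv(body):
    """Parse OpenID key-value form: one 'key:value' pair per line."""
    fields = {}
    for line in body.split("\n"):
        if not line:
            continue
        # Split on the first colon only; values may contain colons.
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed key-value line: %r" % line)
        fields[key] = value
    return fields

def normalize_session_type(value):
    """Assumption: an absent parameter (None) and a blank one ('') are equivalent."""
    return value or ""

def check_session(requested, response_body):
    """Return a list of problems found in an association response."""
    fields = parse_kv(response_body)
    want = normalize_session_type(requested)
    got = normalize_session_type(fields.get("session_type"))
    problems = []
    if want != got:
        problems.append("Session type mismatch. Expected %r, got %r" % (want, got))
    # The fields that must accompany each session type.
    if got == "" and "mac_key" not in fields:
        problems.append("cleartext session without mac_key")
    if got == "DH-SHA1":
        for name in ("dh_server_public", "enc_mac_key"):
            if name not in fields:
                problems.append("DH-SHA1 session without " + name)
    return problems

# Constructed sample response (not captured from sxipper.com).
BLANK_RESPONSE = (
    "assoc_type:HMAC-SHA1\n"
    "assoc_handle:example-handle\n"
    "expires_in:3600\n"
    "session_type:\n"
    "mac_key:AAECAwQFBgcICQoLDA0ODxAREhM=\n"
)
```
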


