[OpenID] openid server conformance testing or 'black box' unit tests?
johnny at sxip.com
Sat Mar 31 02:48:29 UTC 2007
I tried using the URL above to test our sxipper.com server, and got
association failure when I use HTTPS identifiers.
Looking closer at what happens it seems that when an HTTPS identifier
is presented the test code chooses not to do Diffie-Hellman sessions
(which makes sense), however:
- the HTML display says that it's attempting a DH-SHA1 association
- the openid.session_type param is missing from the association
request (if I'm reading the specs right, it's not optional in either
OpenID 1.x or 2.0)
- when sxipper.com replies with openid.session_type= [blank], the
test page says
Session type mismatch. Expected None, got ''
I'm not sure if the intent of the "Default: blank" session type was
intended to also mean optional (like is the case with the dh_
params). All the RPs I've tested against seem to use DH sessions, so
I'm not sure what the best way to deal with this.
However, I think the test script / page should accept a blank value
for the session param.
More information about the general