[Openid-specs-ab] RP Test

Mike Jones Michael.Jones at microsoft.com
Wed Feb 11 02:50:37 UTC 2015


Nat, I agree that those tests should be made optional for Basic.  The signature tests are still required for Implicit and Hybrid.

As for mandating TLS, we’re mandating that the OP endpoints always use TLS.  However for the code flow, the RP endpoint is allowed to not use TLS (provided the OP allows this, which it isn’t required to do).

Roland – I synced your RPtest spreadsheet with the RP tab in the Conformance Tests spreadsheet a while back.

                                                            -- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Monday, February 09, 2015 7:09 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] RP Test

Hi.

I suppose we should either drop or relax the following. They are not required in Basic.

rp-idt-kid-absent
rp-idt-kid
rp-alg-rs256
rp-alg-none

Also, I am wondering if the following is accurately reflecting the standard.

"Uses https for all endpoints unless only using code flow"
(It has no identifier assigned to it.)

Section 3.1.2 states:
Communication with the Authorization Endpoint MUST utilize TLS. See Section 16.17<http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements> for more information on using TLS.

Section 3.1.3 states:
Communication with the Token Endpoint MUST utilize TLS. See Section 16.17<http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements> for more information on using TLS.

Section 5.3 states:
Communication with the UserInfo Endpoint MUST utilize TLS. See Section 16.17<http://openid.net/specs/openid-connect-core-1_0.html#TLSRequirements> for more information on using TLS.

Looks like we are mandating to use TLS regardless of the flow.


--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
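
The TLS rule as stated in this thread (OP endpoints always use TLS; the RP endpoint may skip TLS only for the code flow, and only if the OP allows it), written as a check. This is an added example, not part of the original messages or of the conformance suite; the function names, the `op_allows_http_redirect` flag and the example.com URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# OP endpoints covered by the quoted sections 3.1.2, 3.1.3 and 5.3.
OP_ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def uses_tls(url):
    """True only for an absolute https URL that names a host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_tls(op_metadata, redirect_uri, response_type, op_allows_http_redirect=False):
    """Return a list of findings; an empty list means the rule holds.

    op_allows_http_redirect is a hypothetical flag standing in for the OP's
    own policy on http redirect URIs (the OP is not required to allow them).
    """
    findings = []
    for key in OP_ENDPOINT_KEYS:
        url = op_metadata.get(key)
        if url is not None and not uses_tls(url):
            findings.append(f"{key} must use TLS: {url}")

    # Only the pure code flow may relax TLS on the RP endpoint.
    code_flow_only = response_type.split() == ["code"]
    if not uses_tls(redirect_uri):
        if not code_flow_only:
            findings.append(f"redirect_uri must use TLS for response_type '{response_type}'")
        elif not op_allows_http_redirect:
            findings.append("redirect_uri uses http but the OP does not allow it")
    return findings


# Constructed sample metadata, not taken from any real deployment.
SAMPLE_OP = {
    "authorization_endpoint": "https://op.example.com/authorize",
    "token_endpoint": "https://op.example.com/token",
    "userinfo_endpoint": "https://op.example.com/userinfo",
}

if __name__ == "__main__":
    for rt in ("code", "id_token token", "code id_token"):
        print(rt, check_tls(SAMPLE_OP, "http://rp.example.com/cb", rt, True))
```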