[Openid-specs-ab] RP Test

Torsten Lodderstedt torsten at lodderstedt.net
Fri Feb 13 14:16:24 UTC 2015


Hi Mike,

RFC 6749 requires TLS on the client's redirect URI in cases where OAuth is used for identity providing.

"Therefore, if the client relies on the authorization code for its own resource owner authentication, the client redirection endpoint MUST require the use of TLS."

kind regards,
Torsten.



> On 11.02.2015 at 03:50, Mike Jones <Michael.Jones at microsoft.com> wrote:
> 
> Nat, I agree that those tests should be made optional for Basic.  The signature tests are still required for Implicit and Hybrid.
>  
> As for mandating TLS, we’re mandating that the OP endpoints always use TLS.  However for the code flow, the RP endpoint is allowed to not use TLS (provided the OP allows this, which it isn’t required to do).
>  
> Roland – I synced your RPtest spreadsheet with the RP tab in the Conformance Tests spreadsheet a while back.
>  
> -- Mike
>  
> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
> Sent: Monday, February 09, 2015 7:09 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] RP Test
>  
> Hi. 
>  
> I suppose we should either drop or relax the following. They are not required in Basic. 
>  
> rp-idt-kid-absent
> rp-idt-kid
> rp-alg-rs256
> rp-alg-none
>  
> Also, I am wondering if the following is accurately reflecting the standard. 
>  
> "Uses https for all endpoints unless only using code flow" 
> (It has no identifier assigned to it.)
>  
> Section 3.1.2 states: 
> Communication with the Authorization Endpoint MUST utilize TLS. See Section 16.17 for  more information on using TLS.
>  
> Section 3.1.3 states: 
> Communication with the Token Endpoint MUST utilize TLS. See Section 16.17 for more information on using TLS.
>  
> Section 5.3 states: 
> Communication with the UserInfo Endpoint MUST utilize TLS. See Section 16.17 for more information on using TLS.
>  
> Looks like we are mandating to use TLS regardless of the flow. 
>  
>  
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
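The thread above boils down to two rules an RP conformance check can actually evaluate: the OP's authorization, token and UserInfo endpoints must use TLS regardless of flow (OpenID Connect Core 3.1.2, 3.1.3, 5.3), while the RP's own redirect URI may use plain http only in the code flow, and even then not when the client relies on the authorization code to authenticate the resource owner (the RFC 6749 text Torsten quotes). The following is an added example, not code from the thread or from the OpenID conformance suite; the metadata dictionary, URLs and the `relies_on_code_for_auth` flag are constructed assumptions for illustration.

```python
from urllib.parse import urlparse

# OP endpoints that OpenID Connect Core requires to use TLS
# (Sections 3.1.2, 3.1.3 and 5.3 as quoted in the thread).
OP_TLS_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def uses_tls(url):
    """True only for an absolute https URL with a host component."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_tls(metadata, redirect_uri, response_type, relies_on_code_for_auth=True):
    """Return a list of TLS findings for one RP configuration.

    metadata:   OP discovery document (dict), e.g. from .well-known/openid-configuration
    redirect_uri: the RP's registered redirect URI
    response_type: the response_type the RP sends, e.g. "code" or "id_token token"
    relies_on_code_for_auth: hypothetical flag; True when the RP treats possession of
        the authorization code as proof of who the end user is (RFC 6749 case)
    """
    findings = []

    # Rule 1: OP endpoints MUST use TLS in every flow.  The UserInfo endpoint is
    # optional in discovery, so a missing key is not a finding.
    for name in OP_TLS_ENDPOINTS:
        url = metadata.get(name)
        if url is not None and not uses_tls(url):
            findings.append("%s MUST use TLS: %s" % (name, url))

    # Rule 2: the RP redirect URI.  Only the pure code flow may omit TLS, and only
    # if the RP does not rely on the code for resource owner authentication.
    code_flow_only = response_type.split() == ["code"]
    if not uses_tls(redirect_uri):
        if not code_flow_only:
            findings.append(
                "redirect_uri MUST use TLS for implicit/hybrid flows: %s" % redirect_uri)
        elif relies_on_code_for_auth:
            findings.append(
                "redirect_uri MUST require TLS when the client relies on the "
                "authorization code for its own resource owner authentication: %s"
                % redirect_uri)
    return findings


# Constructed sample OP metadata (not a real provider).
SAMPLE_METADATA = {
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "token_endpoint": "https://op.example/token",
    "userinfo_endpoint": "https://op.example/userinfo",
}

if __name__ == "__main__":
    for rt, uri in (("code", "https://rp.example/cb"),
                    ("code", "http://rp.example/cb"),
                    ("id_token token", "http://rp.example/cb")):
        print(rt, uri, check_tls(SAMPLE_METADATA, uri, rt))
```

A conformance suite would run this against the OP's published discovery document and the RP's registered redirect URI; the `relies_on_code_for_auth` flag has to come from the RP's own design, since it is not observable on the wire, which is exactly why the thread could not settle the test by reading the OP metadata alone.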