[Openid-specs-ab] Updated conformance profiles spreadsheet

Torsten Lodderstedt torsten at lodderstedt.net
Sun Feb 15 16:00:03 UTC 2015

Hi Mike,

Am 09.02.2015 um 20:57 schrieb Mike Jones:
> Roland and I have talked about refresh token tests, but there’s a few 
> problems with them.  First, there’s no way that must be supported by 
> OPs to request refresh tokens.  Support for offline_access is optional 
> and there’s no syntax for requesting online access to a refresh 
> token.  So if refresh token tests were added for the functionality in 
> http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens, at 
> most, they could verify that conditions are met **if** a refresh token 
> was present.
> Likewise, there’s no requirement that an ID Token be issued from a 
> refresh request.  Therefore the requirements in section 12.1 
> http://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse 
> can only be verified **if** an ID Token was issued.

You are right. But your arguments hold true for several other features 
as well, which are at least cited in the current profiles document (e.g. 
claims parameter or request object).

> None of these behaviors are specified in the Basic implementer’s guide 
> in http://openid.net/specs/openid-connect-basic-1_0.html, and so are 
> beyond what we want to ask implementations conforming to the Basic 
> conformance profile to do.
> I agree that in the fullness of time we should add these tests for 
> implementations that do support refresh tokens and ID Tokens issued 
> from refresh requests.  But given that we don’t even have the RP tests 
> up yet, I think that for the first phase of the certification work, 
> we’re better off focusing on testing essential functionality first.

Good point. The question is what "essential functionality" is :-) In my 
personal opinion, refresh tokens in Connect make a big difference from 
SAML/OpenID 2.0 in supporting a great user experience for apps. They 
allow an app to re-login to a IDP without the need to spawn a browser 
with every start of the app (stay logged in). So we (DT) use it all over 
the place. Excluding them from interop tests means to risk interop issues.

That's why I think refresh tokens are essential. I would like to hear 
other WG member's opinion on this topic.

kind regards,

> -- Mike
> *From:*Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
> *Sent:* Sunday, February 08, 2015 9:43 AM
> *To:* Mike Jones
> *Cc:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Updated conformance profiles spreadsheet
> Hi Mike,
> I'm missing test cases verifying the standard compliance of an OP's 
> refresh token handling as specified in section 12 of the core spec. I 
> would suggest to add such tests, esp. with respect to the correct 
> handling of the openid scope values and the id token contents (iss, 
> sub, iat, auth_time, ...).
> best regards,
> Torsten.
> Am 06.02.2015 um 02:21 schrieb Mike Jones <Michael.Jones at microsoft.com 
> <mailto:Michael.Jones at microsoft.com>>:
>     The attached conformance profiles spreadsheet matches the
>     currently deployed testing software.
>     -- Mike
>     <OpenID Connect Conformance Features (version 5.2).xlsx>
>     _______________________________________________
>     Openid-specs-ab mailing list
>     Openid-specs-ab at lists.openid.net
>     <mailto:Openid-specs-ab at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150215/3ec74041/attachment.html>

More information about the Openid-specs-ab mailing list