[Openid-specs-ab] RP Certification has launched to Pilot Phase

Hans Zandbelt hzandbelt at pingidentity.com
Tue Dec 13 15:06:22 UTC 2016


Sorry, I missed most of this thread because it ended up in my spam folder.

I am doing a thing similar to Filip: the test harness has knowledge about
the expected result in the client log files, which may be an error. My test
harness script is here:
https://github.com/pingidentity/mod_auth_openidc/blob/master/test/oidc-rp-certification.sh
and sample output is here:
https://github.com/pingidentity/mod_auth_openidc/blob/master/test/oidc-rp-certification.log

I don't think it provides more transparency to standardize the test harness
output log format but perhaps it makes it easier to compare across
different RP implementations.

Hans.

On Sat, Dec 10, 2016 at 1:10 PM, Filip via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> I've prepared example output
> <https://gist.github.com/panva/b047e176f612d817c68ca57412ffcd2a> of the
> current test suite and included the tests you refer to as examples. Two
> outputs - one where all pass, other when two tests fail.
>
> In essence I'm just working around a test framework <https://mochajs.org/> and
> assert what's described in 'Expected result' actually happens, hence the
> current barebone output. It is possible to enrich the results with more
> verbose output, push these into files similar to what the RP tool exposes -
> per test .log, every test would output the steps and assertions that are
> being taken. I'm assuming others can do the same or similar.
>
> I come to think a detailed verbose output of the RP is even more of an
> evidence of a compliant RP behavior than a screenshot of just the result.
> Now to come up with what's necessary in the log file to validate the
> behavior, a standardized format for the messages.
>
> Best,
> *Filip Skokan*
>
> On Sat, Dec 10, 2016 at 2:46 AM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
>> Hans Zandbelt and I have also exchanged thoughts on this and he’d also
>> like the option to submit RP-collected logs rather than screen shots as
>> auditable evidence of compliant RP behavior.  I’ll work on proposed
>> language for the instructions allowing this possibility.  I’ll be looking
>> forward to your feedback on it.
>>
>>
>>
>> It seems like your test harness must have knowledge of which tests
>> succeed by detecting negative outcomes (such as rp-id_token-bad-sig-rs256
>> and rp-id_token-issuer-mismatch) and which succeed by detecting positive
>> outcomes (such as rp-nonce-unless-code-flow and
>> rp-token_endpoint-client_secret_basic).  Could you share your
>> categorization with the working group?  Hans, you must have this
>> information too.  Can you do the same?  I plan to use this list in the
>> updated instructions to describe how people can verify the expected
>> outcomes of the tests.
>>
>>
>>
>> Thanks all,
>>
>> -- Mike
>>
>>
>>
>> *From:* Filip [mailto:panva.ip at gmail.com]
>> *Sent:* Thursday, December 08, 2016 10:41 AM
>> *To:* Mike Jones
>> *Cc:* Roland Hedberg; openid-specs-ab at lists.openid.net
>>
>> *Subject:* Re: [Openid-specs-ab] RP Certification has launched to Pilot
>> Phase
>>
>>
>>
>> In my suite
>>
>>
>>
>> When the test focuses on returned data (green path) then the data
>> presence is simply asserted by the suite. Any errors encountered during
>> the test run resolve in the test failing to finish, outputting the failed
>> assertion.
>>
>>
>>
>> When the test focuses on an error being thrown by the library, the part
>> of the code that is supposed to throw is wrapped in a try / catch, with an
>> ensuring throw right after the statement that is expected to throw in the
>> first place, ensuring there's always an error thrown. In the catch block I
>> assert the error being thrown to be the expected one together with its
>> message. Should the expected exception not happen, the ensuring one will
>> and the assertion for expected message fails.
>>
>>
>>
>> Trying to understand the screenshots that you have in mind, are you
>> expecting a screenshot from a user-agent? Or a console log outputting the
>> expected data/error, or something completely different?
>>
>>
>> Best,
>> *Filip Skokan*
>>
>>
>>
>> On Thu, Dec 8, 2016 at 7:27 PM, Mike Jones <Michael.Jones at microsoft.com>
>> wrote:
>>
>> I'd like to know more about how your test harness code verifies the
>> invariants and logs that they were met.  The main thing that the screen
>> shots are trying to achieve are transparency - that anyone can verify that
>> your implementation got it right.  If there's another way of achieving that
>> transparency, I'm sure that the working group would entertain it.
>> Hopefully this would be easier than having to have third parties read your
>> test harness code.
>>
>> If we can simplify things for developers while maintaining transparency,
>> I'm all for it.
>>
>> Your thoughts?
>> -- Mike
>>
>>
>> -----Original Message-----
>> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net]
>> On Behalf Of Roland Hedberg via Openid-specs-ab
>> Sent: Thursday, December 8, 2016 8:06 AM
>> To: Filip <panva.ip at gmail.com>
>> Cc: openid-specs-ab at lists.openid.net
>> Subject: Re: [Openid-specs-ab] RP Certification has launched to Pilot
>> Phase
>>
>>
>> > On 8 Dec 2016, at 13:48, Filip via Openid-specs-ab <
>> > openid-specs-ab at lists.openid.net> wrote:
>> >
>> > Hello Mike, everyone,
>> >
>> > in case of a library, rather than a deployment being tested, the
>> > interface provided by Roland is excellent for writing a suite like so that
>> > executes one test after the other in a "spec" like manner, without any
>> > browser involvement, seeing how it is expected to submit image proofs of
>> > thrown errors is the described testing not eligible for certification
>> > submission?
>>
>> I have a similar suite as Filip for running tests on my library against
>> the test tool and I think Hans might also.
>> So, that is definitely a reasonable, if not even the preferred, use case.
>>
>> > Of course it is entirely possible to rewrite the test suite to use a
>> > browser and capture the results there instead, but I think providing the
>> > codebase used for executing the tests and its output where the executed
>> > assertions for each test are clearly marked could serve as proof as well.
>> >
>> > What do you think?
>> >
>> > Best,
>> > Filip Skokan
>> >
>> > On Thu, Dec 8, 2016 at 12:17 PM, Mike Jones via Openid-specs-ab <
>> > openid-specs-ab at lists.openid.net> wrote:
>> > There are now complete RP certification submission instructions at
>> > http://openid.net/certification/rp_submission/ and updated example
>> > submissions showing RP certifications referenced from it at
>> > http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf.
>> > This means that we’re ready to accept real RP certification submissions!
>> >
>> >
>> >
>> > Hans, Edmund, Filip, Rich (and of course Roland) – you’ve been actively
>> > testing.  I encourage you to now take the final step to submit actual RP
>> > certification applications (thereby testing the instructions).  Please
>> > contact me (and possibly also Roland) if you have any questions about the
>> > instructions or suggestions on how to make them better.  All other members
>> > are likewise encouraged to likewise participate in the pilot phase, during
>> > which RP certifications are free.
>> >
>> > A huge thanks to Roland and the early testers for getting us to this
>> > point – especially Hans and Edmund!
>> >
>> > We’ll talk about this progress and related items on the Connect working
>> > group call in 3.75 hours…
>> >
>> > -- Mike
>> >
>> >
>> > _______________________________________________
>> > Openid-specs-ab mailing list
>> > Openid-specs-ab at lists.openid.net
>> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> >
>>
>> -- Roland
>> "Education is the path from cocky ignorance to miserable uncertainty." -
>> Mark Twain
>>


-- 
Hans Zandbelt
Principal Solutions Architect
hzandbelt at pingidentity.com
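
The try / catch pattern with an "ensuring throw" described in the quoted thread, combined with the split between tests that succeed on a positive outcome and tests that succeed on a detected error, as an added example (not part of the thread and not taken from any participant's test suite). `strictRp`, `laxRp`, the sample claims and the error strings are constructed stand-ins for a real RP library; only the two test IDs come from the thread.

```javascript
// Stand-in for the RP library under test (hypothetical): validates ID Token claims.
function strictRp(claims, cfg) {
  if (claims.iss !== cfg.issuer) throw new Error('issuer mismatch');
  if (claims.nonce !== cfg.nonce) throw new Error('nonce mismatch');
  return claims;
}
// A non-compliant RP that skips validation, to show the harness flagging it.
function laxRp(claims) { return claims; }

// Constructed inputs keyed by test ID. `expectError` marks a test that
// succeeds only when the RP rejects the input.
const TESTS = [
  { id: 'rp-nonce-unless-code-flow',
    claims: { iss: 'https://op.example', nonce: 'n-1' },
    cfg: { issuer: 'https://op.example', nonce: 'n-1' } },
  { id: 'rp-id_token-issuer-mismatch', expectError: /issuer mismatch/,
    claims: { iss: 'https://other.example', nonce: 'n-1' },
    cfg: { issuer: 'https://op.example', nonce: 'n-1' } },
];

const SENTINEL = 'expected the RP to reject this input';

// Runs one test and returns its verdict plus the steps taken, so the log
// itself can serve as evidence of what was asserted.
function runTest(rp, t) {
  const log = [`${t.id}: start`];
  let passed;
  try {
    const out = rp(t.claims, t.cfg);
    // The "ensuring throw": reaching this line in a negative test means the
    // RP accepted bad input, so force the failure path.
    if (t.expectError) throw new Error(SENTINEL);
    passed = out.nonce === t.cfg.nonce;
    log.push(`claims accepted, nonce ${passed ? 'matches' : 'differs'}`);
  } catch (err) {
    // Only the expected error counts; the sentinel or any other error fails.
    passed = Boolean(t.expectError) && t.expectError.test(err.message);
    log.push(`error thrown: ${err.message}`);
  }
  log.push(passed ? 'PASS' : 'FAIL');
  return { id: t.id, passed, log };
}

function runSuite(rp) { return TESTS.map((t) => runTest(rp, t)); }
```
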