[Openid-specs-ab] RP Certification has launched to Pilot Phase

Roland Hedberg roland at catalogix.se
Sun Dec 18 08:03:17 UTC 2016


> On 13 Dec 2016, at 16:06, Hans Zandbelt via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> sorry, I missed most of this thread because it ended up in my spam folder 
> 
> I am doing a thing similar to Filip: the test harness has knowledge about the expected result in the client log files, which may be an error. My test harness script is here: https://github.com/pingidentity/mod_auth_openidc/blob/master/test/oidc-rp-certification.sh and sample output is here: https://github.com/pingidentity/mod_auth_openidc/blob/master/test/oidc-rp-certification.log.

I do similar things to what Hans and Filip are doing.
Since I already had a ‘test harness’ from writing the OP test suite, I’ve reused that.

> I don't think it provides more transparency to standardize the test harness output log format but perhaps it makes it easier to compare across different RP implementations.

Yes to both!

> Hans.
> 
> On Sat, Dec 10, 2016 at 1:10 PM, Filip via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> I've prepared example output <https://gist.github.com/panva/b047e176f612d817c68ca57412ffcd2a> of the current test suite and included the tests you refer to as examples. Two outputs - one where all pass, other when two tests fail.
> 
> In essence I'm just working around a test framework <https://mochajs.org/> and assert what's described in 'Expected result' actually happens, hence the current barebone output. It is possible to enrich the results with more verbose output, push these into files similar to what the RP tool exposes - per test .log, every test would output the steps and assertions that are being taken. I'm assuming others can do the same or similar.
> 
> I come to think a detailed verbose output of the RP is even more of an evidence of a compliant RP behavior than a screenshot of just the result. Now to come up with what's necessary in the log file to validate the behavior, a standardized format for the messages.
> 
> Best,
> Filip Skokan
> 
> On Sat, Dec 10, 2016 at 2:46 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Hans Zandbelt and I have also exchanged thoughts on this and he’d also like the option to submit RP-collected logs rather than screen shots as auditable evidence of compliant RP behavior.  I’ll work on proposed language for the instructions allowing this possibility.  I’ll be looking forward to your feedback on it.
> 
>  
> 
> It seems like your test harness must have knowledge of which tests succeed by detecting negative outcomes (such as rp-id_token-bad-sig-rs256 and rp-id_token-issuer-mismatch) and which succeed by detecting positive outcomes (such as rp-nonce-unless-code-flow and rp-token_endpoint-client_secret_basic).  Could you share your categorization with the working group?  Hans, you must have this information too.  Can you do the same?  I plan to use this list in the updated instructions to describe how people can verify the expected outcomes of the tests.
> 
>  
> 
> Thanks all,
> -- Mike
> 
>  
> 
> From: Filip [mailto:panva.ip at gmail.com]
> Sent: Thursday, December 08, 2016 10:41 AM
> To: Mike Jones
> Cc: Roland Hedberg; openid-specs-ab at lists.openid.net
> 
> Subject: Re: [Openid-specs-ab] RP Certification has launched to Pilot Phase
> 
>  
> 
> In my suite
> 
>  
> 
> When the test focuses on returned data (green path) then the data presence is simply being asserted by the suite. Any errors encountered during the test run resolve in the test failing to finish, outputting the failed assertion.
> 
>  
> 
> When the test focuses on an error being thrown by the library, the part of the code that is supposed to throw is wrapped in a try / catch, with an ensuring throw right after the statement that is expected to throw in the first place, ensuring there's always an error thrown. In the catch block I assert the error being thrown to be the expected one together with its message. Should the expected exception not happen, the ensuring one will and the assertion for expected message fails.
> 
>  
> 
> Trying to understand the screenshots that you have in mind, are you expecting a screenshot from a user-agent? Or a console log outputting the expected data/error, or something completely different?
> 
> 
> 
> Best,
> Filip Skokan
> 
>  
> 
> On Thu, Dec 8, 2016 at 7:27 PM, Mike Jones <Michael.Jones at microsoft.com <mailto:Michael.Jones at microsoft.com>> wrote:
> 
> I'd like to know more about how your test harness code verifies the invariants and logs that they were met.  The main thing that the screen shots are trying to achieve is transparency - that anyone can verify that your implementation got it right.  If there's another way of achieving that transparency, I'm sure that the working group would entertain it.  Hopefully this would be easier than having to have third parties read your test harness code.
> 
> If we can simplify things for developers while maintaining transparency, I'm all for it.
> 
> Your thoughts?
> -- Mike
> 
> 
> -----Original Message-----
> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Roland Hedberg via Openid-specs-ab
> Sent: Thursday, December 8, 2016 8:06 AM
> To: Filip <panva.ip at gmail.com>
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] RP Certification has launched to Pilot Phase
> 
> 
> > On 8 Dec 2016, at 13:48, Filip via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> >
> > Hello Mike, everyone,
> >
> > in case of a library, rather than a deployment being tested, the interface provided by Roland is excellent for writing a suite like so that executes one test after the other in a "spec" like manner, without any browser involvement, seeing how it is expected to submit image proofs of thrown errors is the described testing not eligible for certification submission?
> 
> I have a similar suite as Filip for running tests on my library against the test tool and I think Hans might also.
> So, that is definitely a reasonable, if not even the preferred, use case.
> 
> > Of course it is entirely possible to rewrite the test suite to use a browser and capture the results there instead, but I think providing the codebase used for executing the tests and its output where the executed assertions for each test are clearly marked could serve as proof as well.
> >
> > What do you think?
> >
> > Best,
> > Filip Skokan
> >
> > On Thu, Dec 8, 2016 at 12:17 PM, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> > There are now complete RP certification submission instructions at http://openid.net/certification/rp_submission/ and updated example submissions showing RP certifications referenced from it at http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf.  This means that we’re ready to accept real RP certification submissions!
> >
> >
> >
> > Hans, Edmund, Filip, Rich (and of course Roland) – you’ve been actively testing.  I encourage you to now take the final step to submit actual RP certification applications (thereby testing the instructions).  Please contact me (and possibly also Roland) if you have any questions about the instructions or suggestions on how to make them better.  All other members are likewise encouraged to likewise participate in the pilot phase, during which RP certifications are free.
> >
> >
> >
> > A huge thanks to Roland and the early testers for getting us to this point – especially Hans and Edmund!
> >
> >
> >
> > We’ll talk about this progress and related items on the Connect working group call in 3.75 hours…
> >
> >
> >
> > -- Mike
> >
> >
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
> >
> 
> -- Roland
> "Education is the path from cocky ignorance to miserable uncertainty." - Mark Twain
> 
> -- 
> Hans Zandbelt
> Principal Solutions Architect
> hzandbelt at pingidentity.com
> 

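The pattern Filip describes in the thread (a try/catch around the call that must fail, with an ensuring throw right after it), combined with the positive/negative categorization Mike asks for, sketched as an added example that is not code from any participant's suite. `validateIdToken`, the token fields and the `op.example` issuer are constructed stand-ins for a real RP library and test OP; the test IDs are the ones named in the thread.

```javascript
// Constructed stand-in for an RP library's ID Token check (hypothetical API).
function validateIdToken(token, expected) {
  if (!token.signatureValid) throw new Error('invalid signature');
  if (token.iss !== expected.issuer) throw new Error('issuer mismatch');
  return token;
}

// Harness knowledge: "error" tests pass only when the RP rejects the response.
const EXPECTED = {
  'rp-id_token-bad-sig-rs256': { outcome: 'error', message: 'invalid signature' },
  'rp-id_token-issuer-mismatch': { outcome: 'error', message: 'issuer mismatch' },
  'rp-nonce-unless-code-flow': { outcome: 'data' },
};
const SENTINEL = 'expected rejection did not happen';

function runTest(id, step) {
  const want = EXPECTED[id];
  const entry = { test: id, expected: want.outcome, observed: null, pass: false };
  try {
    const result = step();
    // The "ensuring throw": a negative test must never fall through silently.
    if (want.outcome === 'error') throw new Error(SENTINEL);
    entry.observed = 'data';
    entry.pass = result !== undefined && result !== null;
  } catch (err) {
    entry.observed = `error: ${err.message}`;
    // Only the expected error passes; the sentinel or any other error fails.
    entry.pass = want.outcome === 'error' && err.message === want.message;
  }
  return entry; // one auditable log record per test
}

function runSuite(validate) {
  const good = { iss: 'https://op.example', signatureValid: true, nonce: 'n-1' };
  const expected = { issuer: 'https://op.example' };
  const steps = {
    'rp-id_token-bad-sig-rs256': () => validate({ ...good, signatureValid: false }, expected),
    'rp-id_token-issuer-mismatch': () => validate({ ...good, iss: 'https://other.example' }, expected),
    'rp-nonce-unless-code-flow': () => validate(good, expected),
  };
  return Object.keys(steps).map((id) => runTest(id, steps[id]));
}

// A compliant RP, and one that skips validation entirely (both constructed).
const compliantLog = runSuite(validateIdToken);
const brokenLog = runSuite((token) => token);
console.log(JSON.stringify({ compliantLog, brokenLog }, null, 2));
```

The record for the non-validating RP shows why the sentinel matters: without it, the two negative tests would complete without error and look like passes.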