[Openid-specs-ab] Issue #193: important tests missing (openid/certification)
issues-reply at bitbucket.org
Thu Feb 16 12:51:09 UTC 2017
New issue 193: important tests missing
I found myself fixing a bug in my RP library yesterday that led to me discovering I am missing important assertions for ID Token claims.
I believe implicit and hybrid tests that test at_hash and c_hash values should be accompanied by tests that verify the RP library fails to validate a token that is completely missing these claims.
**Description**: Make an authentication request using response_type='id_token token' for Implicit Flow or response_type='code id_token token' for Hybrid Flow. Verify the 'at_hash' presence in the returned ID Token.
**Info**: Identify missing 'at_hash' value and reject the ID Token.
**Description**: Retrieve Authorization Code and ID Token from the Authorization Endpoint, using Hybrid Flow. Verify the c_hash presence in the returned ID Token.
**Info**: Identify missing 'c_hash' value and reject the ID Token.
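The RP-side check the proposed tests would exercise, as an added example that is not part of the original post or of the certification suite: a missing `at_hash` or `c_hash` is treated as a rejection rather than a skipped comparison. The function names, the exception class and the sample token values are hypothetical and constructed; the hash rule (left-most half of the hash named by the ID Token's `alg`, base64url-encoded without padding) follows OpenID Connect Core, and signature validation is assumed to have happened already.

```python
import base64
import hashlib
import hmac

# Hash selected by the bit length at the end of the JWS "alg" (RS256, ES384, PS512, ...).
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

# Constructed sample values, not real tokens.
SAMPLE_ACCESS_TOKEN = "constructed-access-token-value"
SAMPLE_CODE = "constructed-authorization-code"


class IDTokenError(Exception):
    """Raised when the ID Token must be rejected."""


def left_half_hash(value: str, alg: str) -> str:
    """base64url (unpadded) of the left-most half of hash(ASCII(value))."""
    if alg[-3:] not in _HASHES:
        raise IDTokenError(f"unsupported alg {alg!r}")
    digest = _HASHES[alg[-3:]](value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode()


def check_hash_claims(claims, alg, response_type, access_token=None, code=None):
    """Check at_hash / c_hash on an ID Token from the Authorization Endpoint.

    Assumes the signature and the other claims were already validated.
    """
    types = set(response_type.split())
    required = []
    if {"id_token", "token"} <= types:   # 'id_token token', 'code id_token token'
        required.append(("at_hash", access_token))
    if {"id_token", "code"} <= types:    # hybrid flows that return a code
        required.append(("c_hash", code))
    for claim, value in required:
        if value is None:
            raise IDTokenError(f"response is missing the value covered by {claim}")
        if claim not in claims:
            # The case from the issue: absence is a failure, not a skipped check.
            raise IDTokenError(f"{claim} missing from ID Token")
        expected = left_half_hash(value, alg)
        if not hmac.compare_digest(str(claims[claim]).encode(), expected.encode()):
            raise IDTokenError(f"{claim} does not match")
    return True
```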