[Openid-specs-ab] Issue #193: important tests missing (openid/certification)

panva issues-reply at bitbucket.org
Thu Feb 16 12:51:09 UTC 2017

New issue 193: important tests missing


I found myself fixing a bug in my RP library yesterday that led to me discovering I am missing important assertions for ID Token claims.

I believe implicit and hybrid tests that test at_hash and c_hash values should be accompanied by tests that verify the RP library fails to validate a token that is completely missing these claims.

proposed tests:

**Description**: Make an authentication request using response_type='id_token token' for Implicit Flow or response_type='code id_token token' for Hybrid Flow. Verify the 'at_hash' presence in the returned ID Token.  
**Info**: Identify missing 'at_hash' value and reject the ID Token.

**Description**: Retrieve Authorization Code and ID Token from the Authorization Endpoint, using Hybrid Flow. Verify the c_hash presence in the returned ID Token.  
**Info**: Identify missing 'c_hash' value and reject the ID Token.
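
The check these proposed tests would exercise, as an added example that is not part of the original post or of any RP library: an RP-side validator that rejects an ID Token when a required at_hash or c_hash is absent, not only when it is wrong. The names check_hash_claims, left_half_hash and IDTokenRejected are hypothetical, the sample values are constructed, and signature validation is assumed to have happened already.

```python
import base64
import hashlib

# Hash is chosen by the size suffix of the ID Token's JOSE "alg" header.
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


class IDTokenRejected(Exception):
    """A required hash claim is absent or does not match."""


def left_half_hash(value, alg):
    """Unpadded base64url of the left-most half of hash(ASCII octets of value)."""
    if alg[-3:] not in _HASHES:
        raise IDTokenRejected(f"unsupported alg {alg!r}")
    digest = _HASHES[alg[-3:]](value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode()


def check_hash_claims(claims, alg, response_type, access_token=None, code=None):
    """Hypothetical RP helper; signature and other claim checks are assumed done."""
    parts = set(response_type.split())
    required = []
    if {"id_token", "token"} <= parts:
        required.append(("at_hash", access_token))
    if {"id_token", "code"} <= parts:
        required.append(("c_hash", code))
    for claim, artifact in required:
        if artifact is None:
            raise IDTokenRejected(f"response lacks the value that {claim} binds")
        if claim not in claims:  # the case the proposed tests exercise
            raise IDTokenRejected(f"missing {claim}")
        if claims[claim] != left_half_hash(artifact, alg):
            raise IDTokenRejected(f"{claim} mismatch")
    return True


if __name__ == "__main__":
    # Constructed sample values, not taken from any real provider.
    token, code = "constructed-access-token", "constructed-code"
    good = {"sub": "user-1", "at_hash": left_half_hash(token, "RS256"),
            "c_hash": left_half_hash(code, "RS256")}
    print(check_hash_claims(good, "RS256", "code id_token token", token, code))
    stripped = {k: v for k, v in good.items() if k != "at_hash"}
    try:
        check_hash_claims(stripped, "RS256", "code id_token token", token, code)
    except IDTokenRejected as exc:
        print("rejected:", exc)
```

A validator that only compares the claim when it is present would accept the stripped token above, which is the gap the proposed tests are meant to catch.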
