[Openid-specs-ab] RP Tests: ID Token signature validation for code flow

Hans Zandbelt hans.zandbelt at zmartzone.eu
Wed May 3 14:59:29 UTC 2017


We're in the process of "dockerizing" the test suite so you'd be able to
run it locally or in Travis CI and make it an all-inclusive part of the
pipeline without stressing the certification server itself, see:
https://github.com/zmartzone/oidctest/tree/travis-ci-squash/docker
FWIW: the actual certification would still need to happen at those servers
though.

Hans.

On Wed, May 3, 2017 at 4:46 PM, Dominick Baier via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> > Incidentally, one of the cool things about how we implemented these
> tests in AppAuth, is that we actually *built them into our
> continuous-integration testing pipeline*.
>
> I thought about this too - but I actually didn’t want to produce load all
> the time I am doing a check-in into the repo. I added a test runner to the
> source code, so anyone can manually start the tests when needed.
>
>
> -------
> Dominick Baier
>
> On 1. May 2017 at 18:55:08, William Denniss via Openid-specs-ab (
> openid-specs-ab at lists.openid.net) wrote:
>
> Sorry we didn't get a chance to talk in Chicago on this topic Mike, my
> trip was all too brief. I'll be around this week though, hopefully we can
> discuss this with the relevant parties.
>
> As of yesterday, AppAuth for iOS and macOS is now passing
> <https://github.com/openid/AppAuth-iOS/pull/101> all but those 4
> signature verification tests in the "code" profile. I'm preparing the
> certification packet; once we have a final decision on the optionality of
> those tests, I'm hoping to certify.
>
> Incidentally, one of the cool things about how we implemented these tests
> in AppAuth, is that we actually *built them into our
> continuous-integration testing pipeline*. The conformance tests run
> alongside our unit tests for every release, and every git push. The
> certification log output is automatic too, meaning anyone can run the
> certification tests and produce the same output at the click of a button.
>
> I think this is a huge value-add for the RP certification program.
> Previously we only had unit tests in the library, no end-to-end tests due
> to the fact we didn't have an OP with interaction-less responses that we
> could use for automated testing. The RP certification program has made this
> available, and by using it, our test coverage is vastly improved.
>
> Thank you Roland, Mike, the Foundation and everyone who is working on
> this, it's a very valuable effort!
>
> Best,
> William
>
> On Sun, Mar 26, 2017 at 1:29 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
>> One thought is that this maybe should depend upon how the RP registers.
>> If it registers with support for signature algorithms, then that support
>> should be tested – even for response_type=code.  If it registers only with
>> support for “alg”: “none”, then it obviously can’t be tested.
>>
>> My logic is that if the RP can check signatures, the OP provides a bad
>> signature, and the RP doesn’t catch it, that seems like a scenario that
>> shouldn’t pass certification.  Let’s talk about this in person in Chicago
>> this week.  I’d love to hear what others think about this as well.
>>
>>                                                        -- Mike
>>
>> *From:* Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net]
>> *On Behalf Of* William Denniss via Openid-specs-ab
>> *Sent:* Sunday, March 26, 2017 11:13 AM
>> *To:* openid-specs-ab at lists.openid.net
>> *Subject:* [Openid-specs-ab] RP Tests: ID Token signature validation for
>> code flow
>>
>> Regarding the 'code' response type tests
>> <https://rp.certification.openid.net:8080/list?profile=C>, my
>> understanding is that it's not necessary to validate the ID Token signature
>> as it was obtained via an HTTPS connection to the OP.
>>
>> This test follows that logic:
>>
>> rp-id_token-sig-none
>>
>> However, these 4 tests assume signature validation for the code flow:
>>
>> rp-id_token-kid-absent-single-jwks
>> rp-id_token-kid-absent-multiple-jwks
>> rp-id_token-bad-sig-rs256
>> rp-id_token-sig-rs256
>>
>> Can they be made optional for the 'code' response type tests?
>>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>


-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
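The four 'code' profile tests William lists (rp-id_token-sig-rs256, rp-id_token-bad-sig-rs256, rp-id_token-kid-absent-single-jwks, rp-id_token-kid-absent-multiple-jwks) all exercise the same RP-side check that Mike argues should not be waived. As an added example, not code from AppAuth, oidctest or this list, here is the core of that check in Go: the JWK type, the b64 alias, the MintRS256 helper and the inline header struct are assumptions of this example, and the OP's JWKS is handed in already parsed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type JWK struct{ Kid string; Key *rsa.PublicKey } // assumed minimal stand-in for one JWKS entry
var b64 = base64.RawURLEncoding

// VerifyRS256IDToken checks the ID Token signature against the OP's JWKS. A "kid" header
// selects one key; with no "kid", each key is tried (covers single- and multi-key JWKS).
func VerifyRS256IDToken(token string, jwks []JWK) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWS")
	}
	raw, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return errors.New("bad base64url in JWS")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw, &hdr); err != nil || hdr.Alg != "RS256" {
		return errors.New("header rejected: alg must be RS256, never none")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, k := range jwks {
		// kid present: only the named key may verify; kid absent: any key in the set may
		if (hdr.Kid == "" || k.Kid == hdr.Kid) && rsa.VerifyPKCS1v15(k.Key, crypto.SHA256, digest[:], sig) == nil {
			return nil
		}
	}
	return errors.New("no JWKS key verifies the signature")
}

// MintRS256 builds a test token (constructed helper, not OP code); kid "" omits the header.
func MintRS256(kid, claims string, priv *rsa.PrivateKey) string {
	h, _ := json.Marshal(struct{ Alg string `json:"alg"`; Kid string `json:"kid,omitempty"` }{"RS256", kid})
	signing := b64.EncodeToString(h) + "." + b64.EncodeToString([]byte(claims))
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + b64.EncodeToString(sig)
}
```

A bad signature fails here regardless of the transport, which is the behaviour rp-id_token-bad-sig-rs256 expects even when the token arrived over HTTPS from the token endpoint.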