[Openid-specs-ab] RP Tests: ID Token signature validation for code flow

Dominick Baier dbaier at leastprivilege.com
Sun May 7 09:27:11 UTC 2017


how about you guys agree on something first - and then we can follow ;)


-------
Dominick Baier

On 3. May 2017 at 20:54:18, Hans Zandbelt (hans.zandbelt at zmartzone.eu)
wrote:

Just to make sure, I hope you're referring to running a local Docker
instance?

I disagree with Roland on using the official certification servers for
continuous integration tests of participants: it will make it harder to
troubleshoot, harder to do maintenance, harder to guard system resources
and it is simply not what the certification server is meant for. Since
we've had trouble with stability in the past and since I've been tasked
with operational maintenance of the test servers, I will vote against that.

Of course I'd very much welcome any feedback on how to improve the Docker
variant(s) of the test suite since continuous integration is exactly the
reason why we've added that in the first place (incl. continuous
integration testing of the test suite itself). That is still a work in
progress but rapidly becoming useful.

Hans.

On Wed, May 3, 2017 at 8:34 PM, Dominick Baier via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi Roland,
>
> OK - I am happy to give that a try. I also like the idea.
>
>
> -------
> Dominick Baier
>
> On 3. May 2017 at 17:47:29, Roland Hedberg (roland at catalogix.se) wrote:
>
> Dominick,
>
> As I said in a discussion with William the other day, I’m not sure there
> will be a performance issue if you were to run
> against the OIDF test server. Most of the things happening are network based
> events so the load on the machine is minor.
> The only thing we might have a problem with is the size of the log files
> vs the available disk space.
> But rotating the logs should take care of that.
> Now, there are reasons why you may want to do this locally and as Hans wrote
> in another mail he’s working on making that easier.
> The bottom line being that there is absolutely no reason why you wouldn’t
> include the test suite into your continuous-integration pipeline :-) :-)
>
> 3 maj 2017 kl. 07:46 skrev Dominick Baier via Openid-specs-ab <
> openid-specs-ab at lists.openid.net>:
>
> > Incidentally, one of the cool things about how we implemented these
> > tests in AppAuth, is that we actually *built them into our
> > continuous-integration testing pipeline*.
>
> I thought about this too - but I actually didn’t want to produce load all
> the time I am doing a check-in into the repo. I added a test runner to the
> source code, so anyone can manually start the tests when needed.
>
>
> -------
> Dominick Baier
>
> On 1. May 2017 at 18:55:08, William Denniss via Openid-specs-ab (
> openid-specs-ab at lists.openid.net) wrote:
>
> Sorry we didn't get a chance to talk in Chicago on this topic Mike, my
> trip was all too brief. I'll be around this week though, hopefully we can
> discuss this with the relevant parties.
>
> As of yesterday, AppAuth for iOS and macOS is now passing
> <https://github.com/openid/AppAuth-iOS/pull/101> all but those 4
> signature verification tests in the "code" profile. I'm preparing the
> certification packet, once we have a final decision on the optionality of
> those tests, I'm hoping to certify.
>
> Incidentally, one of the cool things about how we implemented these tests
> in AppAuth, is that we actually *built them into our
> continuous-integration testing pipeline*. The conformance tests run
> alongside our unit tests for every release, and every git push. The
> certification log output is automatic too, meaning anyone can run the
> certification tests and produce the same output at the click of a button.
>
> I think this is a huge value-add for the RP certification program.
> Previously we only had unit tests in the library, no end-to-end tests due
> to the fact we didn't have an OP with interaction-less responses that we
> could use for automated testing. The RP certification program has made this
> available, and by using it, our test coverage is vastly improved.
>
> Thank you Roland, Mike, the Foundation and everyone who is working on
> this, it's a very valuable effort!
>
> Best,
> William
>
>
>
> On Sun, Mar 26, 2017 at 1:29 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
>> One thought is that this maybe should depend upon how the RP registers.
>> If it registers with support for signature algorithms, then that support
>> should be tested – even for response_type=code. If it registers only with
>> support for “alg”: “none”, then it obviously can’t be tested then.
>>
>>
>> My logic is that if the RP can check signatures, the OP provides a bad
>> signature, and the RP doesn’t catch it, that seems like a scenario that
>> shouldn’t pass certification. Let’s talk about this in person in Chicago
>> this week. I’d love to hear what others think about this as well.
>>
>>
>> -- Mike
>>
>>
>>
>> *From:* Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net]
>>  *On Behalf Of* William Denniss via Openid-specs-ab
>> *Sent:* Sunday, March 26, 2017 11:13 AM
>> *To:* openid-specs-ab at lists.openid.net
>> *Subject:* [Openid-specs-ab] RP Tests: ID Token signature validation for
>> code flow
>>
>>
>> Regarding the 'code' response type tests
>> <https://rp.certification.openid.net:8080/list?profile=C>, my
>> understanding is that it's not necessary to validate the ID Token signature
>> as it was obtained via an HTTPS connection to the OP.
>>
>>
>> This test follows that logic:
>>
>> rp-id_token-sig-none
>>
>>
>> However, these 4 tests assume signature validation for the code flow:
>>
>> rp-id_token-kid-absent-single-jwks
>> rp-id_token-kid-absent-multiple-jwks
>> rp-id_token-bad-sig-rs256
>> rp-id_token-sig-rs256
>>
>>
>> Can they be made optional for the 'code' response type tests?
>>
>>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>


--
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
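Mike's criterion above (an RP that registered support for signing algorithms must catch a bad signature, while one registered only for alg none cannot be tested) together with William's four test names describes what an RP's ID Token verifier has to do. The Go program below is an added example written for this thread, not code from AppAuth or the conformance suite; the JWKS type and the genKey, sign and verify functions are hypothetical names, the key set is constructed in the test, and trying every published key when "kid" is absent is an assumption about acceptable RP behaviour.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// JWKS stands in for the Issuer's published key set: kid -> RSA public key (constructed for this example).
type JWKS map[string]*rsa.PublicKey

func genKey() *rsa.PrivateKey { // throwaway test key material, generated fresh on every run
	k, err := rsa.GenerateKey(rand.Reader, 2048); if err != nil { panic(err) }; return k
}
// sign builds a compact RS256 JWT; an empty kid omits the "kid" header (the kid-absent test cases).
func sign(key *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr := map[string]string{"alg": "RS256", "typ": "JWT"}
	if kid != "" { hdr["kid"] = kid }
	h, _ := json.Marshal(hdr); c, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc(h) + "." + enc(c)
	sum := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return signingInput + "." + enc(sig)
}

// verify accepts the token only if a key selected from the JWKS validates its signature.
// kid present: only the named key; kid absent: the single key, or every published key is tried.
func verify(token string, keys JWKS, allowNone bool) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return errors.New("malformed JWT") }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0]); if err != nil { return err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hb, &hdr); err != nil { return err }
	if hdr.Alg == "none" && allowNone { return nil } // only if the RP registered for unsigned ID tokens
	if hdr.Alg != "RS256" { return errors.New("unsupported or unsigned alg: " + hdr.Alg) }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2]); if err != nil { return err }
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signature covers header.payload
	for kid, k := range keys {
		if (hdr.Kid == "" || hdr.Kid == kid) && rsa.VerifyPKCS1v15(k, crypto.SHA256, sum[:], sig) == nil {
			return nil
		}
	}
	return errors.New("ID token signature verification failed")
}
```

A bad signature, a tampered payload, an unknown kid and an unsigned token are all rejected unless the RP explicitly opted into alg none, which is the behaviour the bad-sig and sig-none tests exercise.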