[Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?

n-sakimura n-sakimura at nri.co.jp
Fri Sep 14 06:08:27 UTC 2018

I see, so these tests are not organized according to the security requirements of the implementations but according to the test environment logistics…

That makes me think that just having Basic certification is not enough from a security reviewer’s point of view.


From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On Behalf Of Mike Jones via Openid-specs-ab
Sent: Thursday, September 13, 2018 5:39 AM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Cc: Mike Jones <Michael.Jones at microsoft.com>
Subject: Re: [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?

It’s in Dynamic because it’s straightforward to test when dynamic client registration is supported.  When it is, the test tool can register multiple redirect_uri values.  When dynamic client registration isn’t supported, the client typically only has a single redirect_uri value.

Yes, it’s relevant all the time, but testing it isn’t really practical otherwise.

                                                       -- Mike

From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net<mailto:openid-specs-ab-bounces at lists.openid.net>> On Behalf Of Nat Sakimura via Openid-specs-ab
Sent: Thursday, August 30, 2018 11:51 PM
To: openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net> Ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>>
Cc: Nat Sakimura <sakimura at gmail.com<mailto:sakimura at gmail.com>>
Subject: [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?


I just started to look at the conformance profile 3.0 [1].

[1] http://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf

There is a test 'OP-redirect_uri-Missing' which tests whether the OP Reject request without redirect_uri when multiple registered. It is only required in the Dynamic profile and not in Basic etc. Is there any particular reason for this? I think this test is also relevant to Basic etc.

Best regards,

Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20180914/eaf64a5b/attachment-0001.html>

More information about the Openid-specs-ab mailing list