[Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?

Mike Jones Michael.Jones at microsoft.com
Fri Sep 14 23:30:37 UTC 2018


The tests were chosen precisely by the working group looking at interoperability and security requirements for implementations.  The original set of test profile definitions at http://openid.net/wordpress-content/uploads/2015/03/OpenID-Connect-Conformance-Profiles.pdf were developed by the working group with these goals, and new versions have continued these goals while adding tests and profiles, including through the current profile definitions at https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf.

This isn’t a static process.  Indeed session management, back-channel logout, and front-channel logout profile definitions will be circulated to the working group for review shortly as a result of discussions at the in-person certification engineering meeting this week in London.

Yes, it’s always the case that more tests can be added to help prevent the possibilities of additional interop and security issues.  The certification committee always welcomes input on how to most effectively expand the scope of what’s being tested.  Feel free to file issues about bugs and suggestions at https://github.com/openid-certification/oidctest/issues.

That said, of course no amount of testing can guarantee that security bugs aren’t present.  But we do try to rule out the likely ones!

                                                       -- Mike

From: n-sakimura <n-sakimura at nri.co.jp>
Sent: Thursday, September 13, 2018 11:08 PM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Cc: Mike Jones <Michael.Jones at microsoft.com>
Subject: RE: [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?

I see, so these tests are not organized according to the security requirements of the implementations but according to the test environment logistics…

That makes me think that just having Basic certification is not enough from a security reviewer’s point of view.

Nat

From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On Behalf Of Mike Jones via Openid-specs-ab
Sent: Thursday, September 13, 2018 5:39 AM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Cc: Mike Jones <Michael.Jones at microsoft.com>
Subject: Re: [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?

It’s in Dynamic because it’s straightforward to test when dynamic client registration is supported.  When it is, the test tool can register multiple redirect_uri values.  When dynamic client registration isn’t supported, the client typically only has a single redirect_uri value.

Yes, it’s relevant all the time, but testing it isn’t really practical otherwise.

                                                       -- Mike

From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On Behalf Of Nat Sakimura via Openid-specs-ab
Sent: Thursday, August 30, 2018 11:51 PM
To: openid-specs-ab at lists.openid.net Ab <openid-specs-ab at lists.openid.net>
Cc: Nat Sakimura <sakimura at gmail.com>
Subject: [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?

Hi

I just started to look at the conformance profile 3.0 [1].

[1] http://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf

There is a test 'OP-redirect_uri-Missing' which tests whether the OP rejects a request without redirect_uri when multiple are registered. It is only required in the Dynamic profile and not in Basic etc. Is there any particular reason for this? I think this test is also relevant to Basic etc.

Best regards,

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
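The check that 'OP-redirect_uri-Missing' exercises, written out as an added example (this is not code from the thread, from the OIDF conformance suite, or from any OP; the client_ids, redirect URIs and query strings are constructed for illustration). It follows the OAuth 2.0 rule (RFC 6749 section 3.1.2.3) that a request may omit redirect_uri only when exactly one URI is registered, so the "dynamic-client" registration with two URIs below is the case the test targets, while the single-URI "static-client" is the case Mike describes as typical without dynamic registration. Errors raised here are the kind that RFC 6749 section 4.1.2.1 says must be shown to the user agent rather than redirected anywhere.

```python
"""Added example: OP-side redirect_uri validation for an authorization request.
Not the conformance suite's code; client registrations and requests are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit


class InvalidAuthorizationRequest(Exception):
    """An error that MUST NOT be redirected to any redirect_uri (RFC 6749 4.1.2.1);
    the OP renders it to the user agent directly."""


@dataclass
class RegisteredClient:
    client_id: str
    # Registered redirect URIs, compared by exact string match (no prefix matching).
    redirect_uris: List[str] = field(default_factory=list)


# Constructed sample registrations (hypothetical client_ids and URIs).
CLIENTS = {
    "static-client": RegisteredClient("static-client", ["https://rp.example/cb"]),
    "dynamic-client": RegisteredClient(
        "dynamic-client", ["https://rp.example/cb", "https://rp.example/cb2"]),
}


def _single_param(query: dict, name: str) -> Optional[str]:
    """Return a parameter value, rejecting requests that repeat the parameter."""
    values = query.get(name)
    if values is None:
        return None
    if len(values) != 1:
        raise InvalidAuthorizationRequest(f"parameter {name} included more than once")
    return values[0]


def resolve_redirect_uri(client: RegisteredClient, requested: Optional[str]) -> str:
    """Pick the redirect_uri to use, or raise if the request cannot be trusted."""
    if not client.redirect_uris:
        raise InvalidAuthorizationRequest("client has no registered redirect_uri")
    if requested is None:
        # Omission is tolerated only with exactly one registered URI (RFC 6749 3.1.2.3).
        # OpenID Connect Core lists redirect_uri as REQUIRED, so always rejecting
        # omission is also a valid (stricter) OP policy.
        if len(client.redirect_uris) == 1:
            return client.redirect_uris[0]
        raise InvalidAuthorizationRequest(
            "redirect_uri is required when more than one redirect_uri is registered")
    if urlsplit(requested).fragment:
        raise InvalidAuthorizationRequest("redirect_uri must not contain a fragment")
    if requested not in client.redirect_uris:
        raise InvalidAuthorizationRequest("redirect_uri does not match a registered value")
    return requested


def validate_authorization_request(query_string: str) -> dict:
    """Validate the client_id/redirect_uri part of an authorization request query."""
    query = parse_qs(query_string, keep_blank_values=True)
    client_id = _single_param(query, "client_id")
    client = CLIENTS.get(client_id or "")
    if client is None:
        raise InvalidAuthorizationRequest("unknown client_id")
    redirect_uri = resolve_redirect_uri(client, _single_param(query, "redirect_uri"))
    return {"client_id": client.client_id, "redirect_uri": redirect_uri}


def check_request(query_string: str) -> str:
    """Outcome as a short label, convenient for table-driven checks."""
    try:
        validate_authorization_request(query_string)
        return "accepted"
    except InvalidAuthorizationRequest as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for q in (
        "response_type=code&client_id=static-client&scope=openid",
        "response_type=code&client_id=dynamic-client&scope=openid",
        "response_type=code&client_id=dynamic-client&scope=openid"
        "&redirect_uri=https%3A%2F%2Frp.example%2Fcb2",
        "client_id=dynamic-client&redirect_uri=https%3A%2F%2Frp.example%2Fcb2%2Fextra",
    ):
        print(f"{q!r}: {check_request(q)}")
```

The second request in the `__main__` list is exactly the situation the test probes: two URIs registered, none named in the request. The exact-match comparison and the rejection of repeated parameters are what make the multi-URI registration safe to support at all; an OP that fell back to "the first registered URI" or matched on prefix would pass a redirect_uri-less request to an attacker-controlled destination.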