[Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?

Tom Jones thomasclinganjones at gmail.com
Fri Sep 14 23:47:40 UTC 2018


Are you at all concerned that requiring dynamic will exclude a large number
of sites that have no interest in implementation of this unpopular option?

thx ..Tom (mobile)

On Fri, Sep 14, 2018, 4:30 PM Mike Jones via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> The tests were chosen precisely by the working group looking at
> interoperability and security requirements for implementations.  The
> original set of test profile definitions at
> http://openid.net/wordpress-content/uploads/2015/03/OpenID-Connect-Conformance-Profiles.pdf
> were developed by the working group with these goals and new versions have
> continued these goals while adding tests and profiles, including through the
> current profile definitions at
> https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf
> .
>
> This isn’t a static process.  Indeed session management, back-channel
> logout, and front-channel logout profile definitions will be circulated to
> the working group for review shortly as a result of discussions at the
> in-person certification engineering meeting this week in London.
>
> Yes, it’s always the case that more tests can be added to help prevent the
> possibilities of additional interop and security issues.  The certification
> committee always welcomes input on how to most effectively expand the scope
> of what’s being tested.  Feel free to file issues about bugs and
> suggestions at https://github.com/openid-certification/oidctest/issues.
>
> That said, of course no amount of testing can guarantee that security bugs
> aren’t present.  But we do try to rule out the likely ones!
>
>                                                        -- Mike
>
> *From:* n-sakimura <n-sakimura at nri.co.jp>
> *Sent:* Thursday, September 13, 2018 11:08 PM
> *To:* Artifact Binding/Connect Working Group <
> openid-specs-ab at lists.openid.net>
> *Cc:* Mike Jones <Michael.Jones at microsoft.com>
> *Subject:* RE: [Openid-specs-ab] Certification question:
> 'OP-redirect_uri-Missing' only in Dynamic?
>
> I see, so these tests are not organized according to the security
> requirements of the implementations but according to the test environment
> logistics…
>
> That makes me think that just having Basic certification is not enough
> from a security reviewer’s point of view.
>
> Nat
>
> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> *On
> Behalf Of *Mike Jones via Openid-specs-ab
> *Sent:* Thursday, September 13, 2018 5:39 AM
> *To:* Artifact Binding/Connect Working Group <
> openid-specs-ab at lists.openid.net>
> *Cc:* Mike Jones <Michael.Jones at microsoft.com>
> *Subject:* Re: [Openid-specs-ab] Certification question:
> 'OP-redirect_uri-Missing' only in Dynamic?
>
> It’s in Dynamic because it’s straightforward to test when dynamic client
> registration is supported.  When it is, the test tool can register multiple
> redirect_uri values.  When dynamic client registration isn’t supported, the
> client typically only has a single redirect_uri value.
>
> Yes, it’s relevant all the time, but testing it isn’t really practical
> otherwise.
>
>                                                        -- Mike
>
> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> *On
> Behalf Of *Nat Sakimura via Openid-specs-ab
> *Sent:* Thursday, August 30, 2018 11:51 PM
> *To:* openid-specs-ab at lists.openid.net Ab <
> openid-specs-ab at lists.openid.net>
> *Cc:* Nat Sakimura <sakimura at gmail.com>
> *Subject:* [Openid-specs-ab] Certification question:
> 'OP-redirect_uri-Missing' only in Dynamic?
>
> Hi
>
> I just started to look at the conformance profile 3.0 [1].
>
> [1]
> http://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf
>
> There is a test 'OP-redirect_uri-Missing' which tests whether the OP
> rejects a request without redirect_uri when multiple are registered. It is
> only required in the Dynamic profile and not in Basic etc. Is there any
> particular reason for this? I think this test is also relevant to Basic
> etc.
>
> Best regards,
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
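The behaviour the 'OP-redirect_uri-Missing' test exercises, written out as an added example that is not code from this thread or from the oidctest suite: an OP-side resolver that falls back to the single registered value when a request omits redirect_uri, refuses the omission when several values are registered (so the OP never guesses a destination), and otherwise requires an exact string match against the registration. The RegisteredClient / resolve_redirect_uri names and the sample URIs are assumptions; the single-value fallback is the lenient OAuth 2.0 behaviour, not something the thread prescribes.

```python
from dataclasses import dataclass, field
from typing import List, Optional


class RedirectUriError(Exception):
    """The request's redirect_uri handling is unacceptable.

    The OP must render this error itself; it must never redirect to an
    unverified or guessed URI, which is the point of the check.
    """


@dataclass
class RegisteredClient:
    # Hypothetical minimal client record: id plus registered redirect_uris.
    client_id: str
    redirect_uris: List[str] = field(default_factory=list)


def resolve_redirect_uri(client: RegisteredClient, requested: Optional[str]) -> str:
    """Return the redirect_uri the OP may send the response to, or raise."""
    if not client.redirect_uris:
        raise RedirectUriError("client has no registered redirect_uri")
    if requested is None:
        # Omitted redirect_uri: acceptable only when exactly one value is
        # registered, because then there is nothing to guess. With several
        # registered values (the case the Dynamic-profile test sets up) the
        # request is rejected.
        if len(client.redirect_uris) == 1:
            return client.redirect_uris[0]
        raise RedirectUriError(
            "redirect_uri missing and %d values registered" % len(client.redirect_uris)
        )
    # Supplied value: exact match only, no prefix or pattern matching.
    if requested not in client.redirect_uris:
        raise RedirectUriError("redirect_uri %r is not registered" % requested)
    return requested


def accepts(client: RegisteredClient, requested: Optional[str]) -> bool:
    """True when the OP would accept the request's redirect_uri handling."""
    try:
        resolve_redirect_uri(client, requested)
        return True
    except RedirectUriError:
        return False
```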