[Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?

Hans Zandbelt hans.zandbelt at zmartzone.eu
Sat Sep 15 06:59:01 UTC 2018


My 2 cents, as a member of the certification team:

Adding OP-redirect_uri-Missing for static registrations means that the OP
tester himself would have to indicate in the configuration whether or not
he registered multiple redirect URIs for the test suite and as such whether
or not he actually wants to run this test. This also means that
implementations can certify regardless of OP-redirect_uri-Missing being
included in the results [1].

The large number of sites not doing dynamic client registration would still
run all of the other (more useful...[2]) tests which are actually required
for certification.

As Mike suggested, feel free to add an enhancement request at:
https://github.com/openid-certification/oidctest/issues [3].

Hans.

[1]
Certification experience learned that 90% of the testers would not turn on
this test because they either don't know enough about it or don't care
because they just want to pass with minimal effort. This test would be for
the 10% who cares and e.g. wants to include it in their continuous
integration testing.

[2]
Personally I'd argue that missing redirect URI behavior is more about
completeness of spec implementation than the goal of the certification
program: improving interoperability and security. Also: the vast majority
of Clients out there use a single redirect URI.

[3]
With the addition of form_post tests, the test tool also started to use
multiple redirect URIs so we could look into automatically enabling
OP-redirect_uri-Missing for OPs that use static registration and that have
enabled form_post testing in the configuration.

On Sat, Sep 15, 2018 at 1:48 AM Tom Jones via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Are you at all concerned that requiring dynamic will exclude a large
> number of sites that have no interest in implementation of this unpopular
> option?
>
> thx ..Tom (mobile)
>
> On Fri, Sep 14, 2018, 4:30 PM Mike Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> The tests were chosen precisely by the working group looking at
>> interoperability and security requirements for implementations.  The
>> original set of test profile definitions at
>> http://openid.net/wordpress-content/uploads/2015/03/OpenID-Connect-Conformance-Profiles.pdf
>> were developed by the working group with these goals and new versions have
>> continued these goals while adding tests and profiles, including through the
>> current profile definitions at
>> https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf
>> .
>>
>> This isn’t a static process.  Indeed session management, back-channel
>> logout, and front-channel logout profile definitions will be circulated to
>> the working group for review shortly as a result of discussions at the
>> in-person certification engineering meeting this week in London.
>>
>> Yes, it’s always the case that more tests can be added to help prevent
>> the possibilities of additional interop and security issues.  The
>> certification committee always welcomes input on how to most effectively
>> expand the scope of what’s being tested.  Feel free to file issues about
>> bugs and suggestions at
>> https://github.com/openid-certification/oidctest/issues.
>>
>> That said, of course no amount of testing can guarantee that security
>> bugs aren’t present.  But we do try to rule out the likely ones!
>>
>> -- Mike
>>
>> *From:* n-sakimura <n-sakimura at nri.co.jp>
>> *Sent:* Thursday, September 13, 2018 11:08 PM
>> *To:* Artifact Binding/Connect Working Group <
>> openid-specs-ab at lists.openid.net>
>> *Cc:* Mike Jones <Michael.Jones at microsoft.com>
>> *Subject:* RE: [Openid-specs-ab] Certification question:
>> 'OP-redirect_uri-Missing' only in Dynamic?
>>
>> I see, so these tests are not organized according to the security
>> requirements of the implementations but according to the test environment
>> logistics…
>>
>> That makes me think that just having Basic certification is not enough
>> from a security reviewer’s point of view.
>>
>> Nat
>>
>> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> *On
>> Behalf Of *Mike Jones via Openid-specs-ab
>> *Sent:* Thursday, September 13, 2018 5:39 AM
>> *To:* Artifact Binding/Connect Working Group <
>> openid-specs-ab at lists.openid.net>
>> *Cc:* Mike Jones <Michael.Jones at microsoft.com>
>> *Subject:* Re: [Openid-specs-ab] Certification question:
>> 'OP-redirect_uri-Missing' only in Dynamic?
>>
>> It’s in Dynamic because it’s straightforward to test when dynamic client
>> registration is supported.  When it is, the test tool can register multiple
>> redirect_uri values.  When dynamic client registration isn’t supported, the
>> client typically only has a single redirect_uri value.
>>
>> Yes, it’s relevant all the time, but testing it isn’t really practical
>> otherwise.
>>
>> -- Mike
>>
>> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> *On
>> Behalf Of *Nat Sakimura via Openid-specs-ab
>> *Sent:* Thursday, August 30, 2018 11:51 PM
>> *To:* openid-specs-ab at lists.openid.net Ab <
>> openid-specs-ab at lists.openid.net>
>> *Cc:* Nat Sakimura <sakimura at gmail.com>
>> *Subject:* [Openid-specs-ab] Certification question:
>> 'OP-redirect_uri-Missing' only in Dynamic?
>>
>> Hi
>>
>> I just started to look at the conformance profile 3.0 [1].
>>
>> [1]
>> http://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf
>>
>> There is a test 'OP-redirect_uri-Missing' which tests whether the OP
>> rejects a request without redirect_uri when multiple redirect URIs are
>> registered. It is only required in the Dynamic profile and not in Basic
>> etc. Is there any particular reason for this? I think this test is also
>> relevant to Basic etc.
>>
>> Best regards,
>>
>> --
>>
>> Nat Sakimura (=nat)
>>
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>


-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
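The OP-side check that the OP-redirect_uri-Missing test exercises, written out as an added example (not code from this thread, from oidctest or from any of the posters): a redirect_uri that is present must exactly match a registered value, an absent one is acceptable only when a single URI is registered, and a missing redirect_uri with several registered URIs is rejected. The client registrations and URLs are constructed for the example.

```python
# Added example: authorization-endpoint redirect_uri resolution as required by
# OAuth 2.0 (RFC 6749 section 3.1.2) and OpenID Connect Core (3.1.2.1).
from urllib.parse import parse_qs, urlsplit


class AuthzError(Exception):
    """The request must be rejected and the error shown to the user directly.
    It must NOT be redirected to the unverified redirect_uri."""


# Constructed client registrations (hypothetical client_ids and URIs).
CLIENTS = {
    "client-single": ["https://rp.example/cb"],
    "client-multi": ["https://rp.example/cb", "https://rp.example/cb2"],
}


def resolve_redirect_uri(client_id, requested):
    """Return the redirect_uri the OP may send the authorization response to."""
    registered = CLIENTS.get(client_id)
    if not registered:
        raise AuthzError("unknown client_id")
    if requested is None:
        if len(registered) == 1:
            return registered[0]          # only one candidate, safe to default
        # Several URIs registered and none requested: the case the
        # OP-redirect_uri-Missing test checks. The OP cannot guess which one.
        raise AuthzError("redirect_uri required: multiple URIs registered")
    if requested not in registered:       # exact string match, no prefix/regex
        raise AuthzError("redirect_uri does not match a registered value")
    return requested


def handle_authorization_request(url):
    """Parse an authorization request URL and return the chosen redirect_uri."""
    params = parse_qs(urlsplit(url).query)
    if len(params.get("redirect_uri", [])) > 1:
        raise AuthzError("redirect_uri must not be repeated")
    client_id = params.get("client_id", [None])[0]
    requested = params.get("redirect_uri", [None])[0]
    return resolve_redirect_uri(client_id, requested)


def is_rejected(url):
    """True if the OP would reject the request (handy for conformance checks)."""
    try:
        handle_authorization_request(url)
    except AuthzError:
        return True
    return False
```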