[Openid-specs-fapi] FAPI certification testing for refresh tokens
Filip Skokan
panva.ip at gmail.com
Fri Jun 28 14:41:07 UTC 2019
Hi Joseph,
can you clarify if you're talking about refresh tokens in general or the
scope offline_access + prompt consent condition of OIDC?
S pozdravem,
*Filip Skokan*
On Fri, 28 Jun 2019 at 16:29, Joseph Heenan <joseph at authlete.com> wrote:
> Hi FAPI WG,
>
> A question has arisen about exactly how refresh tokens should be tested in
> the FAPI-RW conformance suite (tests for this are currently being written,
> a suggestion Dave Tonge originally made as many banks in the UK ecosystem
> are able to issue refresh tokens, and I presume in some cases not
> correctly...).
>
> As support of refresh tokens is entirely optional in FAPI, the question is
> essentially: “what should happen if the AS doesn’t issue a refresh token?”
>
> The options seem to be:
>
> 1) The test is marked as passed (I’m not in favour of this option as it
> may well be that the tester has accidentally registered the clients without
> the refresh token grant)
>
> 2) The test fails if the discovery document indicates the server supports
> refresh tokens (on the grounds that it indicates that the client has been
> wrongly configured and if the server supports refresh tokens they
> conformance suite must be able to test them - note that discovery is also
> optional in FAPI-RW, though I’m questioning whether this should be the
> case:
> https://bitbucket.org/openid/fapi/issues/239/fapi-part-2-should-mention-require
> - the counter argument is that potentially ASs may support refresh tokens
> but only for non-FAPI-RW use cases)
>
> 3) Same as ‘2’ but make it a warning instead of a failure (essentially
> suggesting that it may be okay but certificatee should be able to give a
> good reason why refresh tokens aren’t issued in their server when FAPI-RW
> is in use)
>
> 4) The test is marked as “not testable” or some similar phrase, probably
> resulting in a similar conversation as for ‘3’.
>
> Does anyone have any thoughts please?
>
> Thanks
>
> Joseph
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20190628/1b1e91c2/attachment.html>
More information about the Openid-specs-fapi
mailing list