[Openid-specs-fapi] FAPI certification testing for refresh tokens

Filip Skokan panva.ip at gmail.com
Fri Jun 28 14:41:07 UTC 2019

Hi Joseph,

can you clarify if you're talking about refresh tokens in general or the
scope offline_access + prompt consent condition of OIDC?

S pozdravem,
*Filip Skokan*

On Fri, 28 Jun 2019 at 16:29, Joseph Heenan <joseph at authlete.com> wrote:

> A question has arisen about exactly how refresh tokens should be tested in
> the FAPI-RW conformance suite (tests for this are currently being written,
> a suggestion Dave Tonge originally made as many banks in the UK ecosystem
> are able to issue refresh tokens, and I presume in some cases not
> correctly...).
> As support of refresh tokens is entirely optional in FAPI, the question is
> essentially: “what should happen if the AS doesn’t issue a refresh token?”
> The options seem to be:
> 1) The test is marked as passed (I’m not in favour of this option as it
> may well be that the tester has accidentally registered the clients without
> the refresh token grant)
> 2) The test fails if the discovery document indicates the server supports
> refresh tokens (on the grounds that it indicates that the client has been
> wrongly configured and if the server supports refresh tokens they
> conformance suite must be able to test them - note that discovery is also
> optional in FAPI-RW, though I’m questioning whether this should be the
> case:
> https://bitbucket.org/openid/fapi/issues/239/fapi-part-2-should-mention-require
> - the counter argument is that potentially ASs may support refresh tokens
> but only for non-FAPI-RW use cases)
> 3) Same as ‘2’ but make it a warning instead of a failure (essentially
> suggesting that it may be okay but certificatee should be able to give a
> good reason why refresh tokens aren’t issued in their server when FAPI-RW
> is in use)
> 4) The test is marked as “not testable” or some similar phrase, probably
> resulting in a similar conversation as for ‘3’.
> Does anyone have any thoughts please?
> Thanks
> Joseph
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20190628/1b1e91c2/attachment.html>

More information about the Openid-specs-fapi mailing list