[OpenID] openid server conformance testing or 'black box' unit tests?

Johnny Bufu johnny at sxip.com
Mon Apr 2 19:49:23 UTC 2007


On 2-Apr-07, at 12:27 PM, Kevin Turner wrote:

> On Fri, 2007-03-30 at 19:48 -0700, Johnny Bufu wrote:
>
>> - the openid.session_type param is missing from the association
>> request (if I'm reading the specs right, it's not optional in either
>> OpenID 1.x or 2.0)
>
> My reading is that anything that defines a default is optional.
> (otherwise, when does the default apply?)

My interpretation is that defaults should apply when the user of the
library (RP in this case) doesn't make a conscious decision over what
type of session it prefers -- the library chooses the default for them.

It's also confusing in the v1 spec - the assoc_type param (just above  
session_type) is marked "optional" *and* with a "default" value.


> There is a default value for this in 1.1, but I think not in 2.0.

Right, so this would be another difference between the two; unless we  
patch it in OpenID2.


>> However, I think the test script / page should accept a blank value
>> for the session param.
>
> I think you're right.  I also feel that passing null values with this
> protocol is an odd thing to do and I would discourage it, but it
> probably should be accepted as a valid value.

I don't have a preference for blank values over absent params (they  
are equally bad in my opinion). Do you know what the most common  
value is for session_type in no-encryption association responses in  
the wild?

Thanks,
Johnny



