[OpenID] Recommendation for future OpenID spec

Andrew Arnott andrewarnott at gmail.com
Wed Feb 11 00:03:52 UTC 2009 

In the interest of making it easier to automate compatibility testing of
OpenID RP libraries against many different OPs, what if something similar to
the following were added to the OpenID spec:


OpenID Providers should consider hosting the following OpenID Identifiers
for which positive or negative assertions will always be immediately
generated with no interaction with the user agent in order to provide RPs
under test to programmatically check their compatibility with your Provider:
http://provider/TestIdentifierAlwaysAssert  (or
http://TestIdentifierAlwaysAssert.provider/)
http://provider/TestIdentifierAlwaysRefuse (or
http://TestIdentifierAlwaysRefuse.provider/)
http://provider/TestIdentifierAssertOnSetup (or
http://TestIdentifierAssertOnSetup.provider/)

OpenID Relying Parties are recommended to default to rejecting these OpenID
test identifiers to avoid users using them for purposes of anonymous login.



I would love to write automated tests for DotNetOpenId that would check
compatibility before each release with some of the major OPs, but since each
OP requires login credentials, the only way I could automate it would be to
hard-code a username and password in the test code.  Even if I created an
account at each of these Providers solely for testing purposes, because
these credentials would become public as part of the library's tests, these
credentials may become the next "anonymous identifier" that is reused at
lots of RPs beyond testing purposes, annoying RPs, OPs and testers (when the
OPs start canceling the accounts).

It seems to me a standardized set of accounts that both OPs and RPs
understand the purpose of would mitigate this problem.  DotNetOpenId has had
a test identifier set up at
http://nerdbank.net/OPAffirmative/AffirmativeIdentity.aspx and a few other
places explictly for this purpose.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090210/0c8ec220/attachment-0002.htm>

More information about the general mailing list