<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt">>But as far as OpenID is concerned a test-suite would<br>>be even more useful, I think.<br><br>I really agree with this.<br><br>A lot of developers implementing currently use real-world testing against a near-reference service like myopenid.com, but this disagrees with best development practice in developing a library which can be tested with "mocked" (i.e. faked/pre-defined) inputs.<br><br>So I'd say the best method of reference testing is have actual reference HTTP requests/responses of each OpenID process documented somewhere which can then be used to build an acceptance testing suite using whichever testing package is available. This is actually a task I'm facing at the moment - I will not be releasing OpenID For PHP as stable until a complete acceptance test suite is in place to verify
it continually.<br><br>Example: Tests in JUnit for Java, PHPUnit for PHP, rspec for Ruby, etc. all using the exact same reference data? Pretty useful IMO.<br><br>At the moment most available libraries (perhaps those using Java/Ruby libs have seen differently?) only have a few examples which means there's no actual test suite to detect issues a development change might introduce by accident. It also has the side-effect to some developers mistrusting them - an untested library is almost a dirty word to some people.<br><br>Paddy<br><div> </div><span style="color: rgb(0, 0, 191);"><font style="font-family: times new roman,new york,times,serif;" size="3"><span style="font-weight: bold;">Pádraic Brady<br><br></span></font><span style="font-style: italic;"><font style="font-family: times new roman,new york,times,serif;" size="3"><a rel="nofollow" target="_blank" href="http://blog.astrumfutura.com">http://blog.astrumfutura.com</a><br><a rel="nofollow"
target="_blank" href="http://www.patternsforphp.com">http://www.patternsforphp.com</a><br><a rel="nofollow" target="_blank" href="http://www.openideurope.eu/">OpenID Europe Foundation Member-Subscriber</a><br></font></span></span><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">----- Original Message ----<br>From: Jack <jack@jackpot.uk.net><br>To: OpenID List <general@openid.net><br>Sent: Monday, October 1, 2007 5:33:55 PM<br>Subject: Re: [OpenID] ANN: OpenID4Java 0.9.4 - OpenID draft 12 and AX draft 7 support<br><br><div>Hans Granqvist wrote:<br>> It would be quite useful if there was an official OpenID reference <br>> implementation, both RP and OP. Without a reference implemen- tation,<br>> a standard probably should not be considered final.<br>> <br>> Ref. implementations are of enormous value for
standards adoption. <br>> Think for example where the Java servlets standard would have been <br>> without Apache Tomcat.<br><br>Somewhere closer to Jetty, perhaps? Tomcat is and always has been rotten<br>code; and it has suffered bloat, so that it isn't any longer just a<br>servlet implementation - it's halfway to J2EE. There's nothing about<br>JNDI in the servlet spec, for example.<br><br>Actually, I agree. But as far as OpenID is concerned a test-suite would<br>be even more useful, I think.<br><br>A reference implementation of an OP would allow a developer to construct<br>an RP that had a fair chance of being compliant; an OP needs to accept<br>any standard-compliant requests from an RP. But what would a reference<br>implementation of a RP do? To comply with the standards, you need to<br>support RPs that vary quite significantly in what they will ask for. So<br>a reference RP needs to be configurable to issue 1.0, 1.1, and 2.0<br>requests, as
well as requests for extensions, unencrypted requests and<br>requests with no association.<br><br>I've been thinking of trying to construct a testing engine that could be<br>put on a public website, but I suspect it will present significant<br>problems. At the least, to construct an automated test, you need to be<br>able to reliably scrape login screens. Perhaps, if the tester can input<br>some scraping hints, that might make it easier.<br><br>Is anyone working on a test engine that could be used to validate an<br>arbitrary RP or an OP, without getting involved in collusion? At the<br>moment, I'm testing using debug lines, but my tests are critically<br>dependent on my own understanding of the specs, which is evidently<br>deficient. A public test-suite would be open to critical appraisal, and<br>so would make for a much more robust and well-understood spec.<br><br>-- <br>Jack Cleaver.<br>_______________________________________________<br>general mailing
list<br>general@openid.net<br><a target="_blank" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><br></div></div><br></div></div><br>
<hr size=1>Boardwalk for $500? In 2007? Ha! <br><a href="http://us.rd.yahoo.com/evt=48223/*http://get.games.yahoo.com/proddesc?gamekey=monopolyherenow">Play Monopoly Here and Now</a> (it's updated for today's economy) at Yahoo! Games.</body></html>