[Openid-specs-ab] Minor test change to match the spec

William Denniss wdenniss at google.com
Tue Apr 14 16:42:21 UTC 2015


Acknowledged.

Regarding the next errata, when should we start that process? It seems like
a good opportunity now, with the certification process still fresh in
everyone's minds.


On Mon, Apr 13, 2015 at 11:04 AM, Mike Jones <Michael.Jones at microsoft.com>
wrote:

>  Garyl Erickson of ForgeRock identified a place where the tests didn’t
> match the spec and Roland just adjusted the tests as a result.  I wanted to
> document this change and the reason for it for the working group.
>
> OP-nonce-NoReq-code is about supporting requests without a nonce.  The
> nonce is only needed when the ID Token is returned as a fragment.  The
> code+token flow doesn't return the nonce as a fragment.  Therefore, it
> should be legal to make a request with no nonce for code+token.  So the
> test tool had included the test OP-nonce-NoReq-code for both the code and
> code+token response types.
>
> But the spec says that a nonce is required for Hybrid flows:
> http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken
> 3.3.2.11 ID Token "Use of the nonce Claim is REQUIRED for this flow."
> Therefore Roland just removed the OP-nonce-NoReq-code test from code+token,
> because it's testing for behavior that violates the spec.  In this case
> while common sense may indicate that you don't have to send a nonce for
> code+token, the spec says that you do.
>
> In a related test, the OP-nonce-NoReq-noncode is about testing that
> implementations reject requests without a nonce.  Roland and I **did not**
> add this test for the code+token flow because doing so would break existing
> implementations that have already passed certification with this
> functionality, which matches common sense, but not the spec. ;-)  We
> **did** add this test for the code+id_token and code+id_token+token flows
> because the nonce really is required for security reasons in these cases.
> That being said, per the rules of the test freeze, we will honor any Hybrid
> certifications that have already occurred without these tests having been
> presented by the test tool.
>
> When errata time next comes around, we should think about whether to relax
> the requirement to include a nonce in the request for the code+token flow.
> But for now, I think it’s right for our certification tests to allow either
> the logical or the specified behavior in this one case.
>
> Cheers,
> -- Mike
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
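The thread turns on which response_type values oblige the RP to send a nonce. As an added illustration (constructed for this archive page; it is not the certification test tool's code nor any OP's implementation, and the function names nonce_required and validate_authentication_request are hypothetical), the following Python shows an OP-side check in two modes: strict mode follows Core 1.0, which marks nonce REQUIRED for the implicit and hybrid flows and OPTIONAL for the code flow, and relaxed mode follows the "common sense" reading from the thread, requiring a nonce only when an ID Token is returned in the fragment, which exempts code+token. The sample request URLs are constructed.

```python
"""Constructed example: an OP-side check of the nonce requirement in an
OpenID Connect authentication request.  Illustrative code written for this
thread, not the certification test tool or any real OP.  The function names
nonce_required and validate_authentication_request are hypothetical."""
from urllib.parse import parse_qs, urlsplit

# Canonical order for the space-separated response_type set; the order of
# the values in the request itself is not significant.
_ORDER = {"code": 0, "id_token": 1, "token": 2}

IMPLICIT = {"id_token", "id_token token"}
HYBRID = {"code id_token", "code token", "code id_token token"}
# response_type values for which an ID Token is returned in the fragment.
FRAGMENT_ID_TOKEN = {"id_token", "id_token token",
                     "code id_token", "code id_token token"}


def normalize_response_type(value):
    """Sort the values so 'token code' and 'code token' compare equal."""
    parts = sorted(set(value.split()), key=lambda p: (_ORDER.get(p, 99), p))
    return " ".join(parts)


def flow_for(response_type):
    """Map a response_type to its Core 1.0 flow name, or None if unknown."""
    rt = normalize_response_type(response_type)
    if rt == "code":
        return "authorization_code"
    if rt in IMPLICIT:
        return "implicit"
    if rt in HYBRID:
        return "hybrid"
    return None


def nonce_required(response_type, strict=True):
    """strict=True: what the spec says.  Core 1.0 marks nonce REQUIRED for
    the implicit (3.2.2.11) and hybrid (3.3.2.11) flows and OPTIONAL for the
    code flow.  strict=False: the reading argued in the thread, nonce only
    when an ID Token comes back in the fragment, which exempts code+token."""
    rt = normalize_response_type(response_type)
    if strict:
        return flow_for(rt) in ("implicit", "hybrid")
    return rt in FRAGMENT_ID_TOKEN


def validate_authentication_request(url, strict=True):
    """Return (ok, error_code).  error_code is the OAuth 2.0 error string the
    OP would return to the redirect_uri, or None when the request passes the
    checks made here (response_type, openid scope, nonce)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def single(name):
        # A parameter given more than once, or given empty, is treated as
        # absent: the OP must not pick one of several conflicting values.
        values = params.get(name, [])
        return values[0] if len(values) == 1 and values[0] else None

    rt = single("response_type")
    if rt is None or flow_for(rt) is None:
        return False, "unsupported_response_type"
    # Core 1.0 leaves requests without the openid scope unspecified; this
    # example simply rejects them (a choice made here, not a spec rule).
    if "openid" not in (single("scope") or "").split():
        return False, "invalid_scope"
    if nonce_required(rt, strict) and single("nonce") is None:
        return False, "invalid_request"
    return True, None


if __name__ == "__main__":
    # Constructed request: code+token without a nonce, judged both ways.
    req = ("https://op.example/authorize?client_id=rp&scope=openid&state=abc"
           "&redirect_uri=https%3A%2F%2Frp.example%2Fcb&response_type=code+token")
    print("spec:  ", validate_authentication_request(req, strict=True))
    print("relaxed:", validate_authentication_request(req, strict=False))
```

The two modes make the certification situation described above concrete: the same code+token request without a nonce is rejected in strict mode and accepted in relaxed mode, while code+id_token and code+id_token+token require the nonce in both, which is why the thread reports that OP-nonce-NoReq-noncode was added only for those two.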
