[Openid-specs-ab] Minor test change to match the spec

Mike Jones Michael.Jones at microsoft.com
Tue Apr 14 18:38:47 UTC 2015 

This test change doesn’t affect the required nonce behavior you’re describing, John.  For all response types, the tests still verify that when a nonce is sent, it’s returned.

The test change made is to no longer require that OPs using response_type=code+token accept requests without a nonce (which was a violation of the spec).  OPs using response_type=code are still required to accept requests without a nonce, and this is still tested for.

                                                                -- Mike

From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Tuesday, April 14, 2015 9:56 AM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net; Eve Maler
Subject: Re: [Openid-specs-ab] Minor test change to match the spec

The server always needs to honour any request from a client with nonce in it.  It is optional for the client to send nonce with the “code” response type.

The WG only decided to relax the requirement for nonce in code,  That doesn’t mean that sending and validating it is not a useful security precaution.

We backed off on nonce for code to make the basic profile simpler.

John B.

On Apr 13, 2015, at 3:04 PM, Mike Jones <Michael.Jones at microsoft.com<mailto:Michael.Jones at microsoft.com>> wrote:

Garyl Erickson of ForgeRock identified a place where the tests didn’t match the spec and Roland just adjusted the tests as a result.  I wanted to document this change and the reason for it for the working group.

OP-nonce-NoReq-code is about supporting requests without a nonce.  The nonce is only needed when the ID Token is returned as a fragment.  The code+token flow doesn't return the nonce as a fragment.  Therefore, it should be legal to make a request with no nonce for code+token.  So the test tool had included the test OP-nonce-NoReq-code for both the code and code+token response types.

But the spec says that a nonce is required for Hybrid flows: http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken 3.3.2.11 ID Token "Use of the nonce Claim is REQUIRED for this flow."  Therefore Roland just removed the OP-nonce-NoReq-code test from code+token, because it's testing for behavior that violates the spec.  In this case while common sense may indicate that you don't have to send a nonce for code+token, the spec says that you do.

In a related test, the OP-nonce-NoReq-noncode is about testing that implementations reject requests without a nonce.  Roland and I *did not* add this test for the code+token flow because doing so would break existing implementations that have already passed certification with this functionality, which matches common sense, but not the spec. ;-)  We *did* add this test for the code+id_token and code+id_token+token flows because the nonce really is required for security reasons in these cases.  That being said, per the rules of the test freeze, we will honor any Hybrid certifications that have already occurred without these tests having been presented by the test tool.

When errata time next comes around, we should think about whether to relax the requirement to include a nonce in the request for the code+token flow.  But for now, I think it’s right for our certification tests to allow either the logical or the specified behavior in this one case.

                                                            Cheers,
                                                            -- Mike

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150414/11061e42/attachment.html>

More information about the Openid-specs-ab mailing list