[Openid-specs-ab] Minor test change to match the spec
William Denniss
wdenniss at google.com
Tue Apr 14 18:41:02 UTC 2015
Sounds good. Should we start listing the planned errata on a wiki or
something, so we don't miss any when the time comes?
On Tue, Apr 14, 2015 at 11:35 AM, Mike Jones <Michael.Jones at microsoft.com>
wrote:
> I believe that the working group is waiting to apply errata changes until the IETF specs in this cluster http://www.rfc-editor.org/cluster_info.php?cid=C241 and draft-ietf-appsawg-acct-uri are RFCs. Also, once Google has corrected the issue described at http://openid.net/specs/openid-connect-core-1_0.html#GoogleIss (which I expect has been done in preparation for your certification submissions), we can remove this clause through the errata process.
>
> -- Mike
>
> *From:* William Denniss [mailto:wdenniss at google.com]
> *Sent:* Tuesday, April 14, 2015 9:42 AM
> *To:* Mike Jones
> *Cc:* openid-specs-ab at lists.openid.net; Eve Maler
> *Subject:* Re: [Openid-specs-ab] Minor test change to match the spec
>
> Acknowledged.
>
> Regarding the next errata, when should we start that process? It seems
> like a good opportunity now, with the certification process still fresh in
> everyone's minds.
>
> On Mon, Apr 13, 2015 at 11:04 AM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
> Garyl Erickson of ForgeRock identified a place where the tests didn’t
> match the spec and Roland just adjusted the tests as a result. I wanted to
> document this change and the reason for it for the working group.
>
> OP-nonce-NoReq-code is about supporting requests without a nonce. The
> nonce is only needed when the ID Token is returned as a fragment. The
> code+token flow doesn't return the nonce as a fragment. Therefore, it
> should be legal to make a request with no nonce for code+token. So the
> test tool had included the test OP-nonce-NoReq-code for both the code and
> code+token response types.
>
> But the spec says that a nonce is required for Hybrid flows:
> http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken
> 3.3.2.11 ID Token "Use of the nonce Claim is REQUIRED for this flow."
> Therefore Roland just removed the OP-nonce-NoReq-code test from code+token,
> because it's testing for behavior that violates the spec. In this case
> while common sense may indicate that you don't have to send a nonce for
> code+token, the spec says that you do.
>
> In a related test, the OP-nonce-NoReq-noncode is about testing that
> implementations reject requests without a nonce. Roland and I **did not**
> add this test for the code+token flow because doing so would break existing
> implementations that have already passed certification with this
> functionality, which matches common sense, but not the spec. ;-) We
> **did** add this test for the code+id_token and code+id_token+token flows
> because the nonce really is required for security reasons in these cases.
> That being said, per the rules of the test freeze, we will honor any Hybrid
> certifications that have already occurred without these tests having been
> presented by the test tool.
>
> When errata time next comes around, we should think about whether to relax
> the requirement to include a nonce in the request for the code+token flow.
> But for now, I think it’s right for our certification tests to allow either
> the logical or the specified behavior in this one case.
>
> Cheers,
>
> -- Mike
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
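The nonce rule the messages above argue over, as an added Python illustration (not code from the thread, from the spec, or from the certification test tool): the spec's strict reading beside the relaxed reading, and the outcome the certification tests are described as tolerating for each response_type. The function names, the strict switch and the sample requests are assumptions of mine.

```python
# Added illustration of the two readings of the OIDC nonce rule from the thread;
# function names, the strict switch and the sample requests are constructed.
CODE_FLOW = {frozenset({"code"})}
IMPLICIT_FLOWS = {frozenset({"id_token"}), frozenset({"id_token", "token"})}
HYBRID_FLOWS = {frozenset({"code", "id_token"}), frozenset({"code", "token"}),
                frozenset({"code", "id_token", "token"})}
OIDC_FLOWS = CODE_FLOW | IMPLICIT_FLOWS | HYBRID_FLOWS


def parse_response_type(response_type: str) -> frozenset:
    """Split the space-delimited response_type into a set (order is not significant)."""
    tokens = frozenset(response_type.split())
    if tokens not in OIDC_FLOWS:
        raise ValueError(f"not an OpenID Connect response_type: {response_type!r}")
    return tokens


def nonce_required(response_type: str, strict: bool = True) -> bool:
    """strict=True is the letter of Core 1.0: nonce REQUIRED in every Implicit and
    Hybrid flow (for Hybrid see 3.3.2.11), OPTIONAL in the Code flow.  strict=False
    is the relaxed reading from the thread: a nonce is needed only when an ID Token
    is returned from the authorization endpoint, so 'code token' does not need one."""
    tokens = parse_response_type(response_type)
    if strict:
        return tokens in IMPLICIT_FLOWS or tokens in HYBRID_FLOWS
    return "id_token" in tokens


def check_request(params: dict, strict: bool = True) -> str:
    """OP-side decision on an authorization request (dict of query parameters):
    'reject' when a nonce is required but absent or empty, otherwise 'accept'."""
    if nonce_required(params.get("response_type", ""), strict) and not params.get("nonce"):
        return "reject"
    return "accept"


def certification_expectation(response_type: str) -> str:
    """What the certification tests described in the thread expect from an OP that
    gets this response_type with no nonce: 'accept' when even the strict reading
    does not require one (OP-nonce-NoReq-code), 'reject' when even the relaxed
    reading does (OP-nonce-NoReq-noncode), 'either' where the readings disagree."""
    if not nonce_required(response_type, strict=True):
        return "accept"
    if nonce_required(response_type, strict=False):
        return "reject"
    return "either"
```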