[Openid-specs-ab] Issue #195: request and request_uri negative tests (openid/certification)

panva issues-reply at bitbucket.org
Wed May 10 20:43:04 UTC 2017


New issue 195: request and request_uri negative tests
https://bitbucket.org/openid/certification/issues/195/request-and-request_uri-negative-tests

panva:

With the growing importance of signed authentication requests, I believe the OP certification suite should be enriched with the following negative tests to check that the OP conforms with Section 6 of Core 1.0 for both the request and request_uri cases.

**OP-request(_uri)-supersede**  
**Description:** Make an authentication request with the state parameter passed using OAuth 2.0 request syntax as well as part of the JWT request object. Verify the returned state parameter is the one from the JWT request object.  
**Info:** When both are present, use Request Object parameter values.

Furthermore, we should test that the OP rejects requests where response_type and client_id are mismatched between the OAuth 2.0 request syntax and the Request Object. Can't think of a way to do this which ensures that this specific assertion is tested. Ideas?  
**OP-request-response_type-mismatch**  
**OP-request-client_id-mismatch**

There are a number of **OP-request_uri-\*** tests which are missing in **OP-request-\***.
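
The OP-side behaviour these tests would exercise, as an added example that is not part of the original post or of the certification suite: Request Object values supersede query values, and a `response_type` or `client_id` mismatch is rejected. The function names, the `RequestObjectError` type, and the choice of an HS256 Request Object keyed with a shared client secret are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_request_object(claims: dict, secret: bytes) -> str:
    """Constructed helper: build an HS256 Request Object the way an RP would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

class RequestObjectError(Exception):
    """Hypothetical error type; a real OP would return an OAuth error response."""

def assemble_params(query: dict, secret: bytes) -> dict:
    """Merge OAuth 2.0 query parameters with the `request` JWT (Core 1.0, Section 6)."""
    parts = query["request"].split(".")
    if len(parts) != 3:
        raise RequestObjectError("malformed Request Object")
    header_b64, body_b64, sig_b64 = parts
    # Pin the expected algorithm instead of trusting the JWT header.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise RequestObjectError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise RequestObjectError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    # response_type and client_id are required in the query and must match
    # the Request Object when they also appear there.
    for name in ("response_type", "client_id"):
        if name not in query:
            raise RequestObjectError(f"{name} missing from OAuth 2.0 request syntax")
        if name in claims and claims[name] != query[name]:
            raise RequestObjectError(f"{name} mismatch")
    # Request Object values win; request/request_uri themselves are dropped.
    merged = {k: v for k, v in query.items() if k not in ("request", "request_uri")}
    merged.update(claims)
    return merged
```
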