[Openid-specs-ab] Issue #195: request and request_uri negative tests (openid/certification)

Filip Skokan panva.ip at gmail.com
Thu May 11 13:27:54 UTC 2017


Hi Roland,

It's me ;) We had this discussion together, I just put it on Bitbucket
before I forget about it ;)

Best,
*Filip Skokan*

On Thu, May 11, 2017 at 3:07 PM, Roland Hedberg via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi Panva,
>
> > On 10 May 2017 at 22:43, panva via Openid-specs-ab <
> > openid-specs-ab at lists.openid.net> wrote:
> >
> > New issue 195: request and request_uri negative tests
> > https://bitbucket.org/openid/certification/issues/195/request-and-request_uri-negative-tests
> >
> > panva:
> >
> > With the growing importance of signed authentication requests I believe
> > the OP certification suite should be enriched with the following negative
> > tests to check the OP conforms with Section 6 of Core 1.0 for both
> > request and request_uri cases.
> >
> > **OP-request(_uri)-supersede**
> > **Description:** Make an authentication request with state parameter
> > passed using OAuth 2.0 request syntax as well as part of the JWT request
> > object. Verify the returned state parameter is the one from JWT request
> > object.
> > **Info:** When both are present, use Request Object parameter values.
>
> :-) interestingly enough we had exactly this discussion at EIC this week.
>
> > Furthermore we should test the OP rejects requests where response_type
> > and client_id are mismatched between the OAuth 2.0 request syntax and Request
> > Object. Can't think of a way to do this which ensures that this specific
> > assertion is tested. Ideas?
> > **OP-request-response_type-mismatch**
> > **OP-request-client_id-mismatch**
>
> I’ll think about it.
> Can definitely do tests on mismatch between specific call parameters and
> the same parameter in the request object.
>
> > There are a number of **OP-request_uri-\*** tests which are missing in
> > **OP-request-\***
>
> Just added those to my local repo.
>
> — Roland
>
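The behaviour the proposed tests check, sketched from the OP side as an added example (not code from this thread or from the certification suite). The function names, the HS256 shared key and the sample values are assumptions made for illustration, and `response_type` is compared as an exact string.

```python
import base64, hashlib, hmac, json

class RequestRejected(Exception):
    """Raised when the OP must refuse the authentication request."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_request_object(claims: dict, key: bytes) -> str:
    """RP/test-harness side: build an HS256-signed request object."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def effective_params(query: dict, key: bytes) -> dict:
    """OP side: resolve the parameters to act on when `request` is present."""
    try:
        head, body, sig = query["request"].split(".")
        header, got = json.loads(_unb64url(head)), _unb64url(sig)
    except (KeyError, ValueError):
        raise RequestRejected("invalid_request_object")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if (not isinstance(header, dict) or header.get("alg") != "HS256"
            or not hmac.compare_digest(want, got)):
        raise RequestRejected("invalid_request_object")
    claims = json.loads(_unb64url(body))
    # OP-request-response_type-mismatch / OP-request-client_id-mismatch:
    # if the JWT carries these, they must equal the OAuth 2.0 syntax values.
    for name in ("response_type", "client_id"):
        if name in claims and claims[name] != query.get(name):
            raise RequestRejected(f"{name} mismatch")
    # OP-request-supersede: for everything else the Request Object wins.
    merged = {k: v for k, v in query.items() if k != "request"}
    merged.update(claims)
    return merged

if __name__ == "__main__":
    key = b"constructed-client-secret"  # constructed sample value
    jwt = make_request_object({"client_id": "c1", "response_type": "code",
                               "state": "from-jwt"}, key)
    query = {"client_id": "c1", "response_type": "code", "scope": "openid",
             "state": "from-query", "request": jwt}
    print(effective_params(query, key)["state"])
```
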