[Openid-specs-ab] Proposed next set of Certification tests for OpenID Federation

Joseph Heenan joseph at authlete.com
Thu Jan 9 21:28:29 UTC 2025 

Hi all

Just to put some some of the items I mentioned during today’s working group call into writing; after a quick (and not comprehensive) review a few worries spring to mind:

I’m not convinced that Automatic registration is clearly enough defined in the specification to do some of these tests - e.g. I think there’s a lack of clarity over what servers might or might not be permitted to cache during the automatic registration, e.g. I wouldn’t expect an AS to re-verify the trust chain on every authorization endpoint call but I think there’s one test that expects that passing an invalid trust chain would reliably result in an error. I’m also not sure if the server allowed to skip some other validation steps if the client was already registered.

I think the flexibility in the spec over how to deal with the request object (if it includes the trust_chain) potentially being larger than actually works in practice is not helpful for interoperability tests (e.g. as well as permitting a normal redirect to the authorization endpoint, it allows a POST, or the use of request_uri, or PAR). 

On the 3 different deployment modes, we should make sure we’re clear which of the 3 modes we want to focus on testing initially - I’d suggest focussing on what we think we deliver the most value.

And something I’ve further reflected on since the working group call - I’m not sure that “Entity Joined to Test Federation” mode is actually necessary for some of the positive/negative tests. I suspect there’s an in-between position where the conformance suite is temporarily made a leaf (not sure if that’s the correct word) in the production federation that the entity under test is a part of. This is how we approach, e.g., OpenBanking testing that allows us to test a production bank. My gut feeling is that it’s probably important we’re able to do that kind of production testing against a production node in a real federation too, if we’re going to make sure that things actually work in that federation in production - e.g. in seems important to test client registration in that kind of way. I don’t know if there’s any Federation specific issues that might stop that working.

Thanks

Joseph




> On 1 Jan 2025, at 06:49, Michael Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> As a result of discussions with the Certification team and the Connect working group, we decided that the next steps for certifying OpenID Federation deployments and implementations would be to add tests exchanging protocol messages between the implementation being tested and federation conformance testing software at www.certification.openid.net <http://www.certification.openid.net/>.  The attached spreadsheet defines an initial set of such tests, both using Automatic Registration and Explicit Registration.  It also includes the previous set of tests, updated per feedback from Marcus Almgren, who implemented them.
>  
> As described in the (short) attached Word doc, we plan for there to be three modes of tests available for Federations:
> Deployed Single Entity Testing:  Tests the properties of an Entity deployed in a Federation in detail.  Obviously, only features used by the Entity can be tested.  All the tests we have now use this mode.
> Deployed Entire Federation Testing:  Tests the properties of an entire deployed Federation graph.  Obviously only limited information can be logged so that the log sizes for Federations with thousands of Entities do not become unwieldy. We expect this mode to be useful to Federation Operators for identifying problems in their federations.
> Entity Joined to Test Federation:  Tests the behavior an Entity within a custom federation created for certification testing purposes.  Both positive and negative tests can be run in this manner, as are tests over a broader range of inputs controlled by the certification suite.
>  
> The new “Test Modes” column in the spreadsheet indicates which combinations of the three modes tests are applicable for:  Deployed (1), Entire Fed (2), Test Fed. (3), or All.
>  
> These tests are informed by the tests developed by the Italian SPID CIE team and also by discussions with those involved in the Italian and multiple other European deployments, Australian deployments, the Connect working group, and the Certification team.  Please let us know what you’d like to see us do next!
>  
>                                                                 Happy New Year!
>                                                                 -- Mike
>  
> <OpenID Federation Conformance Features 31-Dec-24.xlsx><Certification Testing for OpenID Federation 29-Dec-24.docx>_______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net <mailto:Openid-specs-ab at lists.openid.net>
> https://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20250109/456ece48/attachment.htm>

More information about the Openid-specs-ab mailing list