[Openid-specs-ab] RP Certification has launched to Pilot Phase

Mike Jones Michael.Jones at microsoft.com
Thu Dec 8 18:45:06 UTC 2016

Thanks for this detailed report, Filip!  Roland, I think 2-5 are code bugs (possibly all the same bug).  Responses are inline below…

                                                       -- Mike

From: Filip [mailto:panva.ip at gmail.com]
Sent: Thursday, December 8, 2016 8:16 AM
To: Mike Jones <Michael.Jones at microsoft.com>; Roland Hedberg <roland at catalogix.se>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] RP Certification has launched to Pilot Phase


While testing for all specified test/profiles in the PDF i've encountered the following five issues for these test + response_type combinations

  1.  id_token/rp-id_token-bad-at_hash

     *   is listed in the PDF for implicit profile, test description clearly only mentions access_token issuing response types, this test should not be listed in the PDF under implicit-id_token, since no at_hash check will be performed without access_token being present
At present in some cases, the RP test tool selects tests to display using coarse-grained categories like “Implicit” and “Hybrid”, even though not every test is applicable to every response_type.  This is particularly true of response_type=id_token, where many tests aren’t applicable.  The good news is that the submission instructions recognize these differences.  You’ll see that in Section 2.2.2 (Implicit Relying Party) of the Certification Submission Examples at http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf, more results are included for the “id_token+token” set than for the “id_token” set.  In particular, id_token+token/rp-id_token-bad-at_hash.txt is listed but id_token/rp-id_token-bad-at_hash.txt is not.  I’ll plan to add this example to the top-level RP testing and submission instructions at http://openid.net/certification/rp_testing/ and http://openid.net/certification/rp_submission/ as well.

  1.  code+id_token/rp-id_token-bad-at_hash

     *   authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}
Roland, sounds like a code bug to me. ;-)

  1.  code+token/rp-id_token-bad-at_hash

     *   authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}
Probably the same (or a related) bug

  1.  code+token/rp-id_token-bad-c_hash

     *   authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}

  1.  code+token/rp-token_endpoint-client_secret_basic

     *   authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}
Best Regards,
Filip Skokan

On Thu, Dec 8, 2016 at 12:17 PM, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>> wrote:
There are now complete RP certification submission instructions at http://openid.net/certification/rp_submission/ and updated example submissions showing RP certifications referenced from it at http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf.  This means that we’re ready to accept real RP certification submissions!

Hans, Edmund, Filip, Rich (and of course Roland) – you’ve been actively testing.  I encourage you to now take the final step to submit actual RP certification applications (thereby testing the instructions).  Please contact me (and possibly also Roland) if you have any questions about the instructions or suggestions on how to make them better.  All other members are likewise encouraged to likewise participate in the pilot phase, during which RP certifications are free.

A huge thanks to Roland and the early testers for getting us to this point – especially Hans and Edmund!

We’ll talk about this progress and related items on the Connect working group call in 3.75 hours…

                                                       -- Mike

Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20161208/5165b269/attachment-0001.html>

More information about the Openid-specs-ab mailing list