[Openid-specs-ab] RP Certification has launched to Pilot Phase

Roland Hedberg roland at catalogix.se
Fri Dec 9 10:42:58 UTC 2016


> On 8 Dec 2016, at 17:15, Filip <panva.ip at gmail.com> wrote:
> 
> Hello,
> 
> While testing for all specified test/profiles in the PDF I've encountered the following five issues for these test + response_type combinations:
> id_token/rp-id_token-bad-at_hash
> is listed in the PDF for the implicit profile, but the test description clearly only mentions access_token-issuing response types. This test should not be listed in the PDF under implicit-id_token, since no at_hash check will be performed without an access_token being present.

> code+id_token/rp-id_token-bad-at_hash
> authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}
You get an at_hash in the id_token when an access token is returned in the same response. If you have response_type=code+id_token
there is no access token returned, hence no at_hash. Hence, it makes no sense running this combination.
> code+token/rp-id_token-bad-at_hash
> authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}
Sort of the same: if you don't get back an id_token (which you don't with response_type=code+token), where would the at_hash appear?
> code+token/rp-id_token-bad-c_hash
> authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}
Same as previous, but about c_hash instead of at_hash.

— Roland