[Openid-specs-ab] RP Certification has launched to Pilot Phase

Mike Jones Michael.Jones at microsoft.com
Sat Dec 10 01:34:02 UTC 2016


Fixed.  Thanks again, Filip!

From: Mike Jones
Sent: Thursday, December 08, 2016 10:58 AM
To: Filip
Cc: Roland Hedberg; openid-specs-ab at lists.openid.net
Subject: RE: [Openid-specs-ab] RP Certification has launched to Pilot Phase

That one’s my bug then.  I’ll fix it (and any other inconsistencies you may point out).

                                                       Thanks again,
                                                       -- Mike

From: Filip [mailto:panva.ip at gmail.com]
Sent: Thursday, December 8, 2016 10:52 AM
To: Mike Jones <Michael.Jones at microsoft.com>
Cc: Roland Hedberg <roland at catalogix.se>; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] RP Certification has launched to Pilot Phase

Ad #1) I did correctly recognize (from the description) that the test is not meant to be tested from the RP test frontend, but I actually found it in the PDF, hence that is what I've reported.

id_token/rp-id_token-bad-at_hash.txt is present in section 2.2.2, Implicit Relying Party, page 18

Best,
Filip Skokan

On Thu, Dec 8, 2016 at 7:45 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
Thanks for this detailed report, Filip!  Roland, I think 2-5 are code bugs (possibly all the same bug).  Responses are inline below…

                                                       -- Mike

From: Filip [mailto:panva.ip at gmail.com]
Sent: Thursday, December 8, 2016 8:16 AM
To: Mike Jones <Michael.Jones at microsoft.com>; Roland Hedberg <roland at catalogix.se>
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] RP Certification has launched to Pilot Phase

Hello,

While testing for all specified test/profiles in the PDF, I've encountered the following five issues for these test + response_type combinations:

  1.  id_token/rp-id_token-bad-at_hash

     *   is listed in the PDF for implicit profile, test description clearly only mentions access_token issuing response types, this test should not be listed in the PDF under implicit-id_token, since no at_hash check will be performed without access_token being present
At present in some cases, the RP test tool selects tests to display using coarse-grained categories like “Implicit” and “Hybrid”, even though not every test is applicable to every response_type.  This is particularly true of response_type=id_token, where many tests aren’t applicable.  The good news is that the submission instructions recognize these differences.  You’ll see that in Section 2.2.2 (Implicit Relying Party) of the Certification Submission Examples at http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf, more results are included for the “id_token+token” set than for the “id_token” set.  In particular, id_token+token/rp-id_token-bad-at_hash.txt is listed but id_token/rp-id_token-bad-at_hash.txt is not.  I’ll plan to add this example to the top-level RP testing and submission instructions at http://openid.net/certification/rp_testing/ and http://openid.net/certification/rp_submission/ as well.

  2.  code+id_token/rp-id_token-bad-at_hash

     *   authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}
Roland, sounds like a code bug to me. ;-)

  3.  code+token/rp-id_token-bad-at_hash

     *   authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}
Probably the same (or a related) bug

  4.  code+token/rp-id_token-bad-c_hash

     *   authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}
Ditto

  5.  code+token/rp-token_endpoint-client_secret_basic

     *   authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}
Ditto

Best Regards,
Filip Skokan

On Thu, Dec 8, 2016 at 12:17 PM, Mike Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
There are now complete RP certification submission instructions at http://openid.net/certification/rp_submission/ and updated example submissions showing RP certifications referenced from it at http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf.  This means that we’re ready to accept real RP certification submissions!

Hans, Edmund, Filip, Rich (and of course Roland) – you’ve been actively testing.  I encourage you to now take the final step to submit actual RP certification applications (thereby testing the instructions).  Please contact me (and possibly also Roland) if you have any questions about the instructions or suggestions on how to make them better.  All other members are likewise encouraged to participate in the pilot phase, during which RP certifications are free.

A huge thanks to Roland and the early testers for getting us to this point – especially Hans and Edmund!

We’ll talk about this progress and related items on the Connect working group call in 3.75 hours…

                                                       -- Mike

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
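
The thread above turns on which response types give an RP an at_hash or c_hash to verify. As an added example (not part of the original messages and not code from the certification test suite), this sketch applies the OpenID Connect Core rule to an ID Token returned from the authorization endpoint: the claim is the base64url-encoded left half of the hash of the access token or code, and it is only checked when that value is returned alongside the ID Token. The function names and sample values are constructed for illustration.

```python
import base64
import hashlib

# Hash is chosen by the bit size in the ID Token's JWS alg (RS256 -> SHA-256).
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def left_half_hash(value, alg):
    """base64url, unpadded, of the left-most half of the hash of value."""
    try:
        digest = _HASHES[alg[-3:]](value.encode("ascii")).digest()
    except KeyError:
        raise ValueError("no hash defined for alg %r" % alg)
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def check_hash_claims(response_type, alg, claims, access_token=None, code=None):
    """Check at_hash / c_hash on an ID Token returned from the authorization
    endpoint. Returns a list of failures; an empty list means accept."""
    types = set(response_type.replace("+", " ").split())
    failures = []
    if "id_token" not in types:
        return failures  # no ID Token in the authorization response
    # (claim, bound value, whether this response_type returns that value)
    bindings = [("at_hash", access_token, "token" in types),
                ("c_hash", code, "code" in types)]
    for claim, value, applies in bindings:
        if not applies:
            continue  # e.g. response_type=id_token: nothing for at_hash to bind
        if value is None:
            failures.append(claim + ": response lacks the value it binds")
        elif claim not in claims:
            failures.append(claim + " missing")
        elif claims[claim] != left_half_hash(value, alg):
            failures.append(claim + " mismatch")
    return failures


# Constructed sample values, not taken from the test suite.
SAMPLE_TOKEN = "constructed-access-token"
SAMPLE_CODE = "constructed-authorization-code"

if __name__ == "__main__":
    good = {"at_hash": left_half_hash(SAMPLE_TOKEN, "RS256"),
            "c_hash": left_half_hash(SAMPLE_CODE, "RS256")}
    print(check_hash_claims("code id_token token", "RS256", good, SAMPLE_TOKEN, SAMPLE_CODE))
    print(check_hash_claims("id_token token", "RS256", {"at_hash": "AAAA"}, SAMPLE_TOKEN))
    print(check_hash_claims("id_token", "RS256", {}))
```
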

