[Openid-specs-ab] Issue #193: important tests missing (openid/certification)

panva issues-reply at bitbucket.org
Thu Feb 16 12:51:09 UTC 2017


New issue 193: important tests missing
https://bitbucket.org/openid/certification/issues/193/important-tests-missing

panva:

I found myself fixing a bug in my RP library yesterday that led to me discovering I am missing important assertions for ID Token claims.

I believe implicit and hybrid tests that test at_hash and c_hash values should be accompanied by tests that verify the RP library fails to validate a token that is completely missing these claims.

proposed tests:

**rp-id_token-missing-at_hash**  
**Description**: Make an authentication request using response_type='id_token token' for Implicit Flow or response_type='code id_token token' for Hybrid Flow. Verify the 'at_hash' presence in the returned ID Token.  
**Info**: Identify missing 'at_hash' value and reject the ID Token.

**rp-id_token-missing-c_hash**  
**Description**: Retrieve Authorization Code and ID Token from the Authorization Endpoint, using Hybrid Flow. Verify the c_hash presence in the returned ID token.  
**Info**: Identify missing 'c_hash' value and reject the ID Token.
