<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.gmail-hoenzb
        {mso-style-name:gmail-hoenzb;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#002060;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:982270253;
        mso-list-template-ids:1120334918;}
@list l0:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l0:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2 lfo2
        {mso-level-start-at:0;
        mso-level-number-format:arabic;
        mso-level-numbering:continue;
        mso-level-text:"%2\.";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:0in;
        text-indent:0in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#002060">Thanks for this detailed report, Filip!  Roland, I think 2-5 are code bugs (possibly all the same bug).  Responses are inline below…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060">                                                       -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="color:#002060"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<p class="MsoNormal"><b>From:</b> Filip [mailto:panva.ip@gmail.com] <br>
<b>Sent:</b> Thursday, December 8, 2016 8:16 AM<br>
<b>To:</b> Mike Jones <Michael.Jones@microsoft.com>; Roland Hedberg <roland@catalogix.se><br>
<b>Cc:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-ab] RP Certification has launched to Pilot Phase<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Hello,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">While testing for all specified test/profiles in the PDF i've encountered the following five issues for these test + response_type combinations<o:p></o:p></p>
</div>
<div>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level1 lfo1">
id_token/rp-id_token-bad-at_hash<o:p></o:p></li></ol>
<ol start="1" type="1">
<ul type="circle">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level2 lfo1">
is listed in the PDF for implicit profile, test description clearly only mentions access_token issuing response types, this test should not be listed in the PDF under implicit-id_token, since no at_hash check will be performed without access_token being present<o:p></o:p></li></ul>
</ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">At present in some cases, the RP test tool selects tests to display using coarse-grained categories like “Implicit” and “Hybrid”, even though not every
 test is applicable to every response_type.  This is particularly true of response_type=id_token, where many tests aren’t applicable.  The good news is that the submission instructions recognize these differences.  You’ll see that in Section 2.2.2 (Implicit
 Relying Party) of the Certification Submission Examples at <a href="http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf">
http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf</a>, more results are included for the “id_token+token” set than for the “id_token” set.  In particular,
</span><span style="font-family:"Courier New";color:#002060">id_token+token/rp-id_token-bad-at_hash.txt</span><span style="color:#002060"> is listed but
</span><span style="font-family:"Courier New";color:#002060">id_token/rp-id_token-bad-at_hash.txt</span><span style="color:#002060"> is not.  I’ll plan to add this example to the top-level RP testing and submission instructions at
<a href="http://openid.net/certification/rp_testing/">http://openid.net/certification/rp_testing/</a> and
<a href="http://openid.net/certification/rp_submission/">http://openid.net/certification/rp_submission/</a> as well.<o:p></o:p></span></p>
<ol start="2" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level1 lfo1">
code+id_token/rp-id_token-bad-at_hash<o:p></o:p></li></ol>
<ol start="2" type="1">
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level2 lfo2">
authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}<o:p></o:p></li></ol>
</ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">Roland, sounds like a code bug to me. ;-)<o:p></o:p></span></p>
<ol start="3" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level1 lfo2">
code+token/rp-id_token-bad-at_hash<o:p></o:p></li></ol>
<ol start="3" type="1">
<ol start="0" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level2 lfo2">
authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}<o:p></o:p></li></ol>
</ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">Probably the same (or a related) bug<o:p></o:p></span></p>
<ol start="4" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level1 lfo2">
code+token/rp-id_token-bad-c_hash<o:p></o:p></li></ol>
<ol start="4" type="1">
<ol start="0" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level2 lfo2">
authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}<o:p></o:p></li></ol>
</ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">Ditto<o:p></o:p></span></p>
<ol start="5" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level1 lfo2">
code+token/rp-token_endpoint-client_secret_basic<o:p></o:p></li></ol>
<ol start="5" type="1">
<ol start="0" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level2 lfo2">
authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}<o:p></o:p></li></ol>
</ol>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">Ditto</span><br clear="all">
<span style="color:#002060"><o:p></o:p></span></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Best Regards,<br>
<b>Filip Skokan</b><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Dec 8, 2016 at 12:17 PM, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">There are now complete RP certification submission instructions at
<a href="http://openid.net/certification/rp_submission/" target="_blank">http://openid.net/certification/rp_submission/</a> and updated example submissions showing RP certifications referenced from it at
<a href="http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf" target="_blank">
http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf</a>.  This means that we’re ready to accept real RP certification submissions!<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hans, Edmund, Filip, Rich (and of course Roland) – you’ve been actively testing.  I encourage you to now take the final step to submit actual RP certification applications (thereby
 testing the instructions).  Please contact me (and possibly also Roland) if you have any questions about the instructions or suggestions on how to make them better.  All other members are likewise encouraged to likewise participate in the pilot phase, during
 which RP certifications are free.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">A huge thanks to Roland and the early testers for getting us to this point – especially Hans and Edmund!<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">We’ll talk about this progress and related items on the Connect working group call in 3.75 hours…<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#888888"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#888888">                                                       -- Mike<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>