<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.gmail-
{mso-style-name:gmail-;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#002060;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:254436941;
mso-list-template-ids:-652195602;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1
{mso-list-id:318189955;
mso-list-template-ids:1872650636;}
@list l1:level1
{mso-level-start-at:2;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2
{mso-list-id:356807927;
mso-list-template-ids:-33549188;}
@list l2:level1
{mso-level-start-at:5;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3
{mso-list-id:443310525;
mso-list-template-ids:-1252635540;}
@list l3:level1
{mso-level-start-at:5;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4
{mso-list-id:511728725;
mso-list-template-ids:-182663462;}
@list l4:level1
{mso-level-start-at:4;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5
{mso-list-id:1473136092;
mso-list-template-ids:-1323638552;}
@list l5:level1
{mso-level-start-at:2;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6
{mso-list-id:1567884497;
mso-list-template-ids:-882221740;}
@list l6:level1
{mso-level-start-at:3;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7
{mso-list-id:1608653319;
mso-list-template-ids:1372347518;}
@list l7:level1
{mso-level-start-at:3;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8
{mso-list-id:1688291579;
mso-list-template-ids:14060844;}
@list l8:level1
{mso-level-start-at:4;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9
{mso-list-id:2070154287;
mso-list-template-ids:770745378;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#002060">That one’s my bug then. I’ll fix it (and any other inconsistencies you may point out).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"> Thanks again,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="color:#002060"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<p class="MsoNormal"><b>From:</b> Filip [mailto:panva.ip@gmail.com] <br>
<b>Sent:</b> Thursday, December 8, 2016 10:52 AM<br>
<b>To:</b> Mike Jones <Michael.Jones@microsoft.com><br>
<b>Cc:</b> Roland Hedberg <roland@catalogix.se>; openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-ab] RP Certification has launched to Pilot Phase<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Ad #1) I did recognize correctly the test is not meant to be tested from the RP test frontend (in description), but actually found it in the PDF, hence that is what i've reported.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">id_token/rp-id_token-bad-at_hash.txt is present in section 2.2.2, Implicit Relying Party, page 18<o:p></o:p></p>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Best,<br>
<b>Filip Skokan</b><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Dec 8, 2016 at 7:45 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">Thanks for this detailed report, Filip! Roland, I think 2-5 are code bugs (possibly all the same bug). Responses are inline below…</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060"> -- Mike</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a name="m_-6172696920100628899__MailEndCompose"><span style="color:#002060"> </span></a><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b> Filip [mailto:<a href="mailto:panva.ip@gmail.com" target="_blank">panva.ip@gmail.com</a>]
<br>
<b>Sent:</b> Thursday, December 8, 2016 8:16 AM<br>
<b>To:</b> Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>>; Roland Hedberg <<a href="mailto:roland@catalogix.se" target="_blank">roland@catalogix.se</a>><br>
<span class="gmail-"><b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">
openid-specs-ab@lists.openid.net</a></span><br>
<span class="gmail-"><b>Subject:</b> Re: [Openid-specs-ab] RP Certification has launched to Pilot Phase</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hello,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">While testing for all specified test/profiles in the PDF i've encountered the following five issues for these test + response_type combinations<o:p></o:p></p>
</div>
<div>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l9 level1 lfo1">
id_token/rp-id_token-bad-at_hash<o:p></o:p></li></ol>
<ol start="1" type="1">
<ul type="circle">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l0 level2 lfo2">
is listed in the PDF for implicit profile, test description clearly only mentions access_token issuing response types, this test should not be listed in the PDF under implicit-id_token, since no at_hash check will be performed without access_token being present<o:p></o:p></li></ul>
</ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">At present in some cases, the RP test tool selects tests to display using coarse-grained categories like “Implicit” and “Hybrid”, even though not every
test is applicable to every response_type. This is particularly true of response_type=id_token, where many tests aren’t applicable. The good news is that the submission instructions recognize these differences. You’ll see that in Section 2.2.2 (Implicit
Relying Party) of the Certification Submission Examples at <a href="http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf" target="_blank">
http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf</a>, more results are included for the “id_token+token” set than for the “id_token” set. In particular,
</span><span style="font-family:"Courier New";color:#002060">id_token+token/rp-id_token-bad-at_hash.txt</span><span style="color:#002060"> is listed but
</span><span style="font-family:"Courier New";color:#002060">id_token/rp-id_token-bad-at_hash.txt</span><span style="color:#002060"> is not. I’ll plan to add this example to the top-level RP testing and submission instructions at
<a href="http://openid.net/certification/rp_testing/" target="_blank">http://openid.net/certification/rp_testing/</a> and
<a href="http://openid.net/certification/rp_submission/" target="_blank">http://openid.net/certification/rp_submission/</a> as well.</span><o:p></o:p></p>
<ol start="2" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l1 level1 lfo3">
code+id_token/rp-id_token-bad-at_hash<o:p></o:p></li></ol>
<ol start="2" type="1">
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l5 level2 lfo4">
authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}<o:p></o:p></li></ol>
</ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">Roland, sounds like a code bug to me. ;-)</span><o:p></o:p></p>
<ol start="3" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l6 level1 lfo5">
code+token/rp-id_token-bad-at_hash<o:p></o:p></li></ol>
<ol start="3" type="1">
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l7 level2 lfo6">
authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}<o:p></o:p></li></ol>
</ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">Probably the same (or a related) bug</span><o:p></o:p></p>
<ol start="4" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l8 level1 lfo7">
code+token/rp-id_token-bad-c_hash<o:p></o:p></li></ol>
<ol start="4" type="1">
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l4 level2 lfo8">
authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}<o:p></o:p></li></ol>
</ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">Ditto</span><o:p></o:p></p>
<ol start="5" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l2 level1 lfo9">
code+token/rp-token_endpoint-client_secret_basic<o:p></o:p></li></ol>
<ol start="5" type="1">
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level2 lfo10">
authentication request is failing when response_type=code+id_token, Response {"error_description": "Wrong response_type", "error": "incorrect_behavior"}<o:p></o:p></li></ol>
</ol>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#002060">Ditto</span><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Best Regards,<br>
<b>Filip Skokan</b><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Thu, Dec 8, 2016 at 12:17 PM, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">There are now complete RP certification submission instructions at
<a href="http://openid.net/certification/rp_submission/" target="_blank">http://openid.net/certification/rp_submission/</a> and updated example submissions showing RP certifications referenced from it at
<a href="http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf" target="_blank">
http://openid.net/wordpress-content/uploads/2016/12/Certification-Submission-Examples.pdf</a>. This means that we’re ready to accept real RP certification submissions!<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hans, Edmund, Filip, Rich (and of course Roland) – you’ve been actively testing. I encourage you to now take the final step to submit actual RP certification applications (thereby
testing the instructions). Please contact me (and possibly also Roland) if you have any questions about the instructions or suggestions on how to make them better. All other members are likewise encouraged to likewise participate in the pilot phase, during
which RP certifications are free.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">A huge thanks to Roland and the early testers for getting us to this point – especially Hans and Edmund!<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">We’ll talk about this progress and related items on the Connect working group call in 3.75 hours…<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#888888"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:#888888"> -- Mike</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>