<div dir="ltr">we're in the process of "dockerizing" the test suite so you'd be able to run it locally or in Travis CI and make it an all-inclusive part of the pipeline without stressing the certification server itself, see:<div><a href="https://github.com/zmartzone/oidctest/tree/travis-ci-squash/docker">https://github.com/zmartzone/oidctest/tree/travis-ci-squash/docker</a></div><div>FWIW: the actual certification would still need to happen at those servers though<div><br></div><div>Hans.</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 3, 2017 at 4:46 PM, Dominick Baier via Openid-specs-ab <span dir="ltr"><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><span class=""><div id="m_4077039612025250477bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">> Incidentally, one of the cool things about how we implemented these tests in AppAuth, is that we actually <b>built them into our continuous-integration testing pipeline</b>. </div><div id="m_4077039612025250477bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div></span><div id="m_4077039612025250477bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">I thought about this too - but I actually didn’t want to produce load all the time I am doing a check-in into the repo. 
I added a test runner to the source code, so anyone can manually start the tests when needed.</div> <br> <div id="m_4077039612025250477bloop_sign_1493822708417135872" class="m_4077039612025250477bloop_sign"><div><br></div><div>-------</div><div>Dominick Baier</div></div><div><div class="h5"> <br><p class="m_4077039612025250477airmail_on">On 1. May 2017 at 18:55:08, William Denniss via Openid-specs-ab (<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.<wbr>net</a>) wrote:</p> </div></div><blockquote type="cite" class="m_4077039612025250477clean_bq"><span><div><div></div><div><div><div class="h5">
<div dir="ltr">
<div>Sorry we didn't get a chance to talk in Chicago on this topic,
Mike; my trip was all too brief. I'll be around this week though,
hopefully we can discuss this with the relevant
parties.<br></div>
<div><br></div>
<div>As of yesterday, AppAuth for iOS and macOS is now <a href="https://github.com/openid/AppAuth-iOS/pull/101" target="_blank">passing</a> all
but those 4 signature verification tests in the "code" profile. I'm
preparing the certification packet, once we have a final decision
on the optionality of those tests, I'm hoping to certify.</div>
<div><br></div>
<div>Incidentally, one of the cool things about how we implemented
these tests in AppAuth is that we actually <b>built them into our
continuous-integration testing pipeline</b>. The conformance tests
run alongside our unit tests for every release, and every git push.
The certification log output is automatic too, meaning anyone can
run the certification tests and produce the same output at the
click of a button.</div>
<div><br></div>
<div>I think this is a huge value-add for the RP certification
program. Previously we only had unit tests in the library, no
end-to-end tests due to the fact we didn't have an OP with
interaction-less responses that we could use for automated testing.
The RP certification program has made this available, and by using
it, our test coverage is vastly improved.</div>
<div><br></div>
<div>Thank you Roland, Mike, the Foundation and everyone who is
working on this, it's a very valuable effort!</div>
<div><br></div>
<div>Best,</div>
<div>William</div>
<div><br></div>
<div><br></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Mar 26, 2017 at 1:29 PM, Mike
Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div class="m_4077039612025250477m_3647925707323825383WordSection1">
<p class="MsoNormal"><span style="color:#002060">One thought is
that this maybe should depend upon how the RP registers. If
it registers with support for signature algorithms, then that
support should be tested – even for response_type=code. If it
registers only with support for “alg”: “none”, then it obviously
can’t be tested then.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">My logic is that
if the RP can check signatures, the OP provides a bad signature,
and the RP doesn’t catch it, that seems like a scenario that
shouldn’t pass certification. Let’s talk about this in person
in Chicago this week. I’d love to hear what others think
about this as well.</span></p>
<p class="MsoNormal"><span style="color:#002060"> </span></p>
<p class="MsoNormal"><span style="color:#002060">-- Mike</span></p>
<p class="MsoNormal"><a name="m_4077039612025250477_m_3647925707323825383__MailEndCompose" id="m_4077039612025250477m_3647925707323825383__MailEndCompose"><span style="color:#002060"> </span></a></p>
<p class="MsoNormal"><b>From:</b> Openid-specs-ab [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>] <b>On
Behalf Of</b> William Denniss via Openid-specs-ab<br>
<b>Sent:</b> Sunday, March 26, 2017 11:13 AM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> [Openid-specs-ab] RP Tests: ID Token signature
validation for code flow</p>
<div>
<div class="m_4077039612025250477h5">
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">Regarding the <a href="https://rp.certification.openid.net:8080/list?profile=C" target="_blank">'code' response type tests</a>, my understanding is that
it's not necessary to validate the ID Token signature as it was
obtained via a HTTPS connection to the OP.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">This test follows that logic:</p>
<div>
<p class="MsoNormal">rp-id_token-sig-none</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">However, these 4 tests assume signature
validation for the code flow:</p>
</div>
<div>
<p class="MsoNormal">
rp-id_token-kid-absent-single-jwks<br>
rp-id_token-kid-absent-multiple-jwks<br>
rp-id_token-bad-sig-rs256<br>
rp-id_token-sig-rs256</p>
</div>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Can they be made optional for the 'code'
response type tests?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br></div></div></div>
_______________________________________________
<br>Openid-specs-ab mailing list
<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a>
<br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
<br></div></div></span></blockquote></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div style="font-size:small"><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank">hans.zandbelt@zmartzone.eu</a></div><div style="font-size:small">ZmartZone IAM - <a href="http://www.zmartzone.eu" target="_blank">www.zmartzone.eu</a><br></div></div></div></div></div></div>
</div>
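The four RS256 tests William lists, the rp-id_token-sig-none test, and Mike's point that an RP which registered support for a signing algorithm must catch a bad signature even in the code flow all come down to one RP-side check. The Go program below is an added example written for this page; it is not AppAuth code and not the certification suite's code. The OP side (key generation, token issuance), the kid-matching policy (match on kid when present, try every JWKS key when it is absent), the claim values and the scenario names are constructed assumptions for illustration, and claim validation (iss, aud, nonce, exp) is deliberately left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 plays the OP (constructed test data): an empty kid omits the kid header, as in the kid-absent tests.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr := map[string]string{"alg": "RS256", "typ": "JWT"}
	if kid != "" {
		hdr["kid"] = kid
	}
	h, _ := json.Marshal(hdr)
	p, _ := json.Marshal(claims)
	signingInput := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + b64(sig)
}

// verifyIDToken is the RP-side check. keys is the OP's JWKS keyed by kid. allowNone reflects the RP's
// registration: only an RP registered for "alg":"none" may accept an unsigned token; one that registered
// RS256 must verify the signature even though the code flow delivered the token over TLS.
func verifyIDToken(token string, keys map[string]*rsa.PublicKey, allowNone bool) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	rawHdr, errH := base64.RawURLEncoding.DecodeString(parts[0])
	payload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg == "none" {
		if !allowNone || len(sig) != 0 {
			return nil, fmt.Errorf(`"alg":"none" not acceptable for this RP`)
		}
		return payload, nil
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	// Key selection (assumed policy): match on kid when present; with no kid, try every key.
	var candidates []*rsa.PublicKey
	for kid, pub := range keys {
		if hdr.Kid == "" || kid == hdr.Kid {
			candidates = append(candidates, pub)
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, pub := range candidates {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return payload, nil
		}
	}
	return nil, fmt.Errorf("ID token signature verification failed")
}

// runScenarios mirrors the tests named in the thread; true means the RP accepted the token.
func runScenarios() map[string]bool {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048) // not in the OP's JWKS: yields a bad signature
	claims := map[string]interface{}{"iss": "https://op.example", "sub": "alice", "aud": "rp-client"}
	p, _ := json.Marshal(claims)
	unsigned := b64([]byte(`{"alg":"none"}`)) + "." + b64(p) + "."
	single := map[string]*rsa.PublicKey{"k1": &k1.PublicKey}
	multi := map[string]*rsa.PublicKey{"k1": &k1.PublicKey, "k2": &k2.PublicKey}
	accepts := func(tok string, keys map[string]*rsa.PublicKey, allowNone bool) bool {
		_, err := verifyIDToken(tok, keys, allowNone)
		return err == nil
	}
	return map[string]bool{
		"rp-id_token-sig-rs256":                accepts(signRS256(k1, "k1", claims), single, false),
		"rp-id_token-bad-sig-rs256":            accepts(signRS256(rogue, "k1", claims), single, false),
		"rp-id_token-kid-absent-single-jwks":   accepts(signRS256(k1, "", claims), single, false),
		"rp-id_token-kid-absent-multiple-jwks": accepts(signRS256(k2, "", claims), multi, false),
		"rp-id_token-sig-none":                 accepts(unsigned, single, true),
		"none-but-rs256-registered":            accepts(unsigned, single, false),
	}
}

func main() {
	for name, ok := range runScenarios() {
		fmt.Printf("%-40s accepted=%v\n", name, ok)
	}
}
```

The last scenario is Mike's case: the RP registered RS256, the OP hands back an unsigned token, and the check refuses it. Whether the conformance suite treats that as a required test for the code profile is exactly the question the thread leaves open; the check itself costs the RP nothing beyond a JWKS fetch.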