<div dir="ltr"><div dir="ltr"><div>My 2 cents, as a member of the certification team:</div><div><br></div><div>Adding OP-redirect_uri-Missing for static registrations means that the OP tester himself would have to indicate in the configuration whether or not he registered multiple redirect URIs for the test suite and as such whether or not he actually wants to run this test. This also means that implementations can certify regardless of OP-redirect_uri-Missing being included in the results [1].</div><div><br></div><div><div><div>The large number of sites not doing dynamic client registration would still run all of the other (more useful...[2]) tests which are actually required for certification.<br></div><br class="gmail-Apple-interchange-newline"></div></div><div>As Mike suggested, feel free to add an enhancement request at: <span style="color:rgb(0,32,96)"> </span><a href="https://github.com/openid-certification/oidctest/issues" rel="noreferrer" target="_blank">https://github.com/openid-certification/oidctest/issues</a> [3]<span style="color:rgb(0,32,96)">.</span></div><div><br></div><div>Hans.<br><br>[1]</div><div>Certification experience learned that 90% of the testers would not turn on this test because they either don't know enough about it or don't care because they just want to pass with minimal effort. This test would be for the 10% who cares and e.g. wants to include it in their continuous integration testing.<br><div class="gmail_quote"><div dir="ltr"><br></div><div dir="ltr">[2]</div><div dir="ltr"><div>Personally I'd argue that missing redirect URI behavior is more about completeness of spec implementation than the goal of the certification program: improving interoperability and security. Also: the vast majority of Clients out there uses a single redirect URI.<br></div><br class="gmail-Apple-interchange-newline"></div><div dir="ltr">[3]</div><div>With the addition of form_post tests, the test tool also started to use multiple redirect URIs so we could look into automatically enabling OP-redirect_uri-Missing for OPs that use static registration and that have enabled form_post testing the configuration</div><div><br></div><div dir="ltr">On Sat, Sep 15, 2018 at 1:48 AM Tom Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Are you at.all concerned that requiring dynamic will exclude a large number of sites that have no interest in implementation of this unpopular option?<br><br><div>thx ..Tom (mobile)</div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Sep 14, 2018, 4:30 PM Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_-7450170869800165776m_3770957031551039433WordSection1">
<p class="MsoNormal"><span style="color:rgb(0,32,96)">The tests were chosen precisely by the working group looking at interoperability and security requirements for implementations. The original set of test profile definitions at</span>
<span style="color:rgb(0,32,96)"><a href="http://openid.net/wordpress-content/uploads/2015/03/OpenID-Connect-Conformance-Profiles.pdf" rel="noreferrer" target="_blank">http://openid.net/wordpress-content/uploads/2015/03/OpenID-Connect-Conformance-Profiles.pdf</a> were developed by the working group
with these goals and new versions have continued these goal while adding tests and profiles, including through the current profile definitions at
<a href="https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf" rel="noreferrer" target="_blank">
https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf</a>.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">This isn’t a static process. Indeed session management, back-channel logout, and front-channel logout profile definitions will be circulated to the working group for review shortly as a result of discussions
at the in-person certification engineering meeting this week in London.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">Yes, it’s always the case that more tests can be added to help prevent the possibilities of additional interop and security issues. The certification committee always welcomes input on how to most effectively
expand the scope of what’s being tested. Feel free to file issues about bugs and suggestions at
<a href="https://github.com/openid-certification/oidctest/issues" rel="noreferrer" target="_blank">https://github.com/openid-certification/oidctest/issues</a>.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">That said, of course no amount of testing can guarantee that security bugs aren’t present. But we do try to rule out the likely ones!<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"> -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b>From:</b> n-sakimura <<a href="mailto:n-sakimura@nri.co.jp" rel="noreferrer" target="_blank">n-sakimura@nri.co.jp</a>> <br>
<b>Sent:</b> Thursday, September 13, 2018 11:08 PM<br>
<b>To:</b> Artifact Binding/Connect Working Group <<a href="mailto:openid-specs-ab@lists.openid.net" rel="noreferrer" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Cc:</b> Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" rel="noreferrer" target="_blank">Michael.Jones@microsoft.com</a>><br>
<b>Subject:</b> RE: [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">I see, so these tests are not organized according to the security requirements of the implementations but according to the test environment logistics…<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">That makes me think that just having Basic certification is not enough from a security reviewer’s point of view.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif">Nat<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Arial,sans-serif"><u></u> <u></u></span></p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b>From:</b> Openid-specs-ab <<a href="mailto:openid-specs-ab-bounces@lists.openid.net" rel="noreferrer" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>>
<b>On Behalf Of </b>Mike Jones via Openid-specs-ab<br>
<b>Sent:</b> Thursday, September 13, 2018 5:39 AM<br>
<b>To:</b> Artifact Binding/Connect Working Group <<a href="mailto:openid-specs-ab@lists.openid.net" rel="noreferrer" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Cc:</b> Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" rel="noreferrer" target="_blank">Michael.Jones@microsoft.com</a>><br>
<b>Subject:</b> Re: [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">It’s in Dynamic because it’s straightforward to test when dynamic client registration is supported. When it is, the test tool can register multiple redirect_uri values. When dynamic client registration isn’t
supported, the client typically only has a single redirect_uri value.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)">Yes, it’s relevant all the time, but testing it isn’t really practical otherwise.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"> -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></p>
<p class="MsoNormal"><b>From:</b> Openid-specs-ab <<a href="mailto:openid-specs-ab-bounces@lists.openid.net" rel="noreferrer" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>>
<b>On Behalf Of </b>Nat Sakimura via Openid-specs-ab<br>
<b>Sent:</b> Thursday, August 30, 2018 11:51 PM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" rel="noreferrer" target="_blank">openid-specs-ab@lists.openid.net</a> Ab <<a href="mailto:openid-specs-ab@lists.openid.net" rel="noreferrer" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Cc:</b> Nat Sakimura <<a href="mailto:sakimura@gmail.com" rel="noreferrer" target="_blank">sakimura@gmail.com</a>><br>
<b>Subject:</b> [Openid-specs-ab] Certification question: 'OP-redirect_uri-Missing' only in Dynamic?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">Hi<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I just started to look at the conformance profile 3.0 [1]. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">[1] <a href="http://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf" rel="noreferrer" target="_blank">
http://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf</a> <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">There is a test 'OP-redirect_uri-Missing' which tests whether the OP Reject request without redirect_uri when multiple registered. It is only required in the Dynamic profile and not in Basic etc. Is there any particular reason for this?
I think this test is also relevant to Basic etc. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Best regards, <br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <u></u><u></u></p>
<div>
<p class="MsoNormal">Nat Sakimura (=nat)<u></u><u></u></p>
<div>
<p class="MsoNormal">Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" rel="noreferrer" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" rel="noreferrer" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div style="font-size:small"><a href="mailto:hans.zandbelt@zmartzone.eu" target="_blank">hans.zandbelt@zmartzone.eu</a></div><div style="font-size:small">ZmartZone IAM - <a href="http://www.zmartzone.eu" target="_blank">www.zmartzone.eu</a><br></div></div></div></div></div></div></div></div></div>