<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hi all,<br id="lineBreakAtBeginningOfMessage"><div><br><blockquote type="cite"><div>On 12 Jan 2024, at 05:20, George Fletcher via Openid-specs-ab &lt;openid-specs-ab@lists.openid.net&gt; wrote:</div><div><div dir="ltr"><div dir="ltr"><div><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">OpenID Connect - initial authorize call</span></div></li><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: circle; font-size: 11pt; font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Spec says authorization services must support a POST to the /authorization endpoint</span></div></li><li dir="ltr" style="list-style-type: circle; font-size: 11pt; font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span 
style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Certification suite does not test for POST to the endpoint</span></div></li><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type: square; font-size: 11pt; font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">3.1.2.1 Authentication Request</span></div></li><li dir="ltr" style="list-style-type: square; font-size: 11pt; font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">3.2.2.1 Authorization Request</span></div></li></ul><li dir="ltr" style="list-style-type: circle; font-size: 11pt; font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">HL7 FHIR spec also adopted the requirement to support POST</span></div></li><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" 
style="list-style-type: square; font-size: 11pt; font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">This is now federal law in the US - </span></div></li><li dir="ltr" style="list-style-type: square; font-size: 11pt; font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Any AS who wants to support MUST support the POST HTTP Method</span></div></li><li dir="ltr" style="list-style-type: square; font-size: 11pt; font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><a href="https://hl7.org/fhir/smart-app-launch/app-launch.html#request-4" target="_blank" style="text-decoration-line:none"><span style="font-size:11pt;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://hl7.org/fhir/smart-app-launch/app-launch.html#request-4</span></a></div></li><li dir="ltr" style="list-style-type: square; font-size: 11pt; 
font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><a href="https://www.healthit.gov/topic/laws-regulation-and-policy/health-data-technology-and-interoperability-certification-program" target="_blank" style="text-decoration-line:none"><span style="font-size:11pt;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://www.healthit.gov/topic/laws-regulation-and-policy/health-data-technology-and-interoperability-certification-program</span></a></div></li><li dir="ltr" style="list-style-type: square; font-size: 11pt; font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><a href="https://www.federalregister.gov/documents/2024/01/09/2023-28857/health-data-technology-and-interoperability-certification-program-updates-algorithm-transparency-and" target="_blank" style="text-decoration-line:none"><span style="font-size:11pt;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://www.federalregister.gov/documents/2024/01/09/2023-28857/health-data-technology-and-interoperability-certification-program-updates-algorithm-transparency-and</span></a></div></li></ul><li dir="ltr" style="list-style-type: circle; font-size: 11pt; 
font-family: Arial, sans-serif; background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Short term action - add a test for this to the certification suite</span></div></li></ul></ul></div></div></div></div></blockquote><div><br></div></div>Aaron opened an issue here (thanks!):<div><br></div><div><a href="https://gitlab.com/openid/conformance-suite/-/issues/1293">https://gitlab.com/openid/conformance-suite/-/issues/1293</a><br></div><div><br></div><div>However it would be helpful if the working group can be explicit about which certification profile(s) they want this test added to, if any. My initial guess might be “basic”, “implicit” and “hybrid”.</div><div><br></div><div>(The certification profiles are defined here: <a href="https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf">https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf</a> )</div><div><br></div><div><br></div><div>Thanks</div><div><br></div><div>Joseph</div><div><br></div><div></div></body></html>