[Openid-specs-fapi] Issue #490: Request for suggestions for tests for FAPI2-Baseline RP/client testing (openid/fapi)

josephheenan issues-reply at bitbucket.org
Tue Apr 5 18:56:36 UTC 2022


New issue 490: Request for suggestions for tests for FAPI2-Baseline RP/client testing
https://bitbucket.org/openid/fapi/issues/490/request-for-suggestions-for-tests-for

Joseph Heenan:

The set of certification tests we’ve identified for FAPI2-Baseline RP testing seems very short. Partly this feels okay as part of the ethos of FAPI2 was to simplify things for clients, but I’m worried the certification team might’ve missed something.

The tests we currently have or plan to do are:

1. General happy flow tests (i.e. all requests from client are fully verified, and AS responds with good responses)
2. Variant of happy flow that returns id_token that has the aud claim as a single entry array (this is a test from the FAPI1-Adv tests, and though I can’t recall the history it still seems applicable)
3. Negative test that missed out `iss` from the authorization endpoint response and expects the client to abort / NOT call the token endpoint
4. Negative test as per '3' but returning an incorrect value for `iss`
5. Probably something that requires the client to demonstrate it can correctly handle refresh token rotation


Here’s a list of the other things we tested in FAPI1-Adv but don’t seem applicable to FAPI2 and hence we don’t plan to test (mentioned in case anyone can see a reason why these are applicable):

1. Tests for invalid s_hash (not mentioned in FAPI2)
2. Tests for encrypted id_tokens (id tokens are only returned in backchannel in FAPI2 so no reason to encrypt)
3. Tests that return no/extra scopes in the token endpoint response (there’s no relevant clauses in FAPI2)
4. Tests that returned bad nonces/states (there’s no requirement for the client to use state nor to use nonce in FAPI2)
5. Tests that returned bad id_tokens (invalid signatures/expired/missing required fields/etc) and expected the client to stop (there’s no requirement for the client to validate the id_token in FAPI2 as it’s returned in the backchannel)
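
Added example (not from the issue and not the conformance suite's own code): a minimal Python client-side check covering tests 1 to 4 from the first list above, i.e. the client only proceeds to the token endpoint when `iss` is present and matches the expected issuer, and a client that does parse the id_token accepts `aud` given as a single-entry array. The function names, the issuer URL and the client_id are constructed for this illustration.

```python
from typing import Mapping, Optional, Union
from urllib.parse import parse_qs, urlsplit

# Constructed sample values for this illustration (not from the issue).
EXPECTED_ISSUER = "https://as.example.com"
CLIENT_ID = "client-123"


def parse_redirect(redirect_url: str) -> dict:
    """Turn the redirect back to the client into a flat {name: value} dict."""
    query = urlsplit(redirect_url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def code_to_exchange(params: Mapping[str, str], expected_issuer: str) -> Optional[str]:
    """Return the code the client may send to the token endpoint, or None to abort.

    Mirrors tests 3 and 4 from the issue: when `iss` is missing from the
    authorization response, or does not match the issuer the client expected,
    the client must stop here and NOT call the token endpoint.
    """
    if "error" in params:
        return None                 # AS returned an error response; nothing to exchange
    iss = params.get("iss")
    if iss is None:
        return None                 # test 3: `iss` absent -> abort
    if iss != expected_issuer:
        return None                 # test 4: `iss` present but wrong -> abort
    return params.get("code") or None


def audience_matches(aud: Union[str, list, None], client_id: str) -> bool:
    """Accept `aud` as a bare string or as a JSON array, including the
    single-entry array returned by test 2, so a client that parses the
    id_token does not choke on ["client-123"]."""
    if isinstance(aud, str):
        return aud == client_id
    if isinstance(aud, list):
        return client_id in aud and all(isinstance(a, str) for a in aud)
    return False


if __name__ == "__main__":
    ok = parse_redirect("https://rp.example.com/cb?code=code-001&iss=" + EXPECTED_ISSUER)
    print(code_to_exchange(ok, EXPECTED_ISSUER))                                    # code-001
    missing = parse_redirect("https://rp.example.com/cb?code=code-001")
    print(code_to_exchange(missing, EXPECTED_ISSUER))                               # None
    print(audience_matches(["client-123"], CLIENT_ID))                              # True
```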
