[Openid-specs-fapi] Issue #548: Proposed new FAPI1-Adv test: consistent sub from different authorisations for same client (openid/fapi)

josephheenan issues-reply at bitbucket.org
Tue Oct 11 20:01:07 UTC 2022


New issue 548: Proposed new FAPI1-Adv test: consistent sub from different authorisations for same client
https://bitbucket.org/openid/fapi/issues/548/proposed-new-fapi1-adv-test-consistent-sub

Joseph Heenan:

We’ve had some reports from Brasil of banks not returning consistent ‘sub’ values (i.e. same client/server pair gets a different sub value for each authorization), and this is causing some issues for clients there.

The Brazil security squad have suggested that we add a test for sub consistency to the FAPI1Advanced tests - a new test that completes two authorisations with the same client and verifies that sub is the same in both cases.

This is quite similar to an existing test in the OpenID Connect tests.

As the certification tests are owned by the FAPI working group, this issue is to check the working group agrees this is a sane test and that there are no large objections.

I am not sure how we handle rolling out the test. Traditionally we might allow a grace period of at least a month between creating the test and banks being required to pass it for certification. We would have to check with them, but I suspect Brasil would prefer we don’t offer that grace period. If anyone feels the grace period is definitely necessary please say.
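The check the proposed test would perform, written out as an added example (not code from the conformance suite or from the author): ID tokens obtained by the same end user are grouped by issuer and client, and any group that carries more than one distinct sub is reported. Issuer URL, client IDs and subject values are constructed placeholders, and the tokens are built with a placeholder signature because the example only demonstrates the consistency comparison, which in a real test runs after normal ID token validation.

```python
import base64
import json
from collections import defaultdict

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_id_token(claims: dict) -> str:
    """Build a constructed compact JWT for the demo. The signature segment
    is a placeholder; a real ID token must have its signature, iss, aud
    and exp validated before any claim in it is trusted."""
    header = _b64url(json.dumps({"alg": "PS256", "kid": "demo"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

def decode_claims(token: str) -> dict:
    """Extract the payload claims of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def sub_inconsistencies(id_tokens):
    """Group validated ID tokens for one end user by (iss, aud) and return
    the groups that carry more than one distinct 'sub'. Different clients
    are kept apart: OIDC permits pairwise subject identifiers per client,
    so only a change of sub for the *same* client is a finding."""
    seen = defaultdict(set)
    for token in id_tokens:
        claims = decode_claims(token)
        aud = claims["aud"]  # may be a string or a list of audiences
        key = (claims["iss"], tuple(sorted(aud)) if isinstance(aud, list) else aud)
        seen[key].add(claims["sub"])
    return {key: subs for key, subs in seen.items() if len(subs) > 1}

ISSUER = "https://as.example-bank.test"  # constructed placeholder

# Constructed sample: two authorisations by the same client, sub changes.
BAD_PAIR = [
    make_sample_id_token({"iss": ISSUER, "aud": "client-a", "sub": "u-1"}),
    make_sample_id_token({"iss": ISSUER, "aud": "client-a", "sub": "u-2"}),
]
# Constructed sample: stable sub per client; client-b's pairwise id differs.
GOOD_SET = [
    make_sample_id_token({"iss": ISSUER, "aud": "client-a", "sub": "u-1"}),
    make_sample_id_token({"iss": ISSUER, "aud": "client-a", "sub": "u-1"}),
    make_sample_id_token({"iss": ISSUER, "aud": "client-b", "sub": "u-9"}),
]
```

`sub_inconsistencies(BAD_PAIR)` reports the client-a group with both subject values, while `GOOD_SET` yields no findings.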

