Trying to use access code twice should result in an error (OP-I-01) - relax test success criteria

Issue #39 resolved
Michael Jones
created an issue

The working group discussed this test during the 26-Jan-15 working group call and decided that for some kinds of implementations, this may be too hard to enforce for servers - particularly distributed implementations. Two alternatives were considered:

  • Make allowing immediate reuse a warning condition rather than an error
  • Insert a time delay of 30 seconds between the first use and the second use and only say that it's an error if reuse is still permitted by the implementation after 30 seconds have elapsed

Please update the test code to do one or the other of these things.

Comments (3)

  1. OpenID Foundation repo owner

    Considering that there are implementations which does not invalidate the code, I think we need to implement the second option as well. I.e, warn after the first reuse, fail after reuse 30 secs later.

    =nat via iPhone

  2. Log in to comment