Required certification behaviour for request and request_uri parameters
Issue #1167
resolved
I’m unclear how to interpret this section of https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf :
In particular what “no err” means, given this text in the standard:
Support for the
requestparameter is OPTIONAL. Therequest_parameter_supportedDiscovery result indicates whether the OP supports this parameter. Should an OP not support this parameter and an RP uses it, the OP MUST return therequest_not_supportederror.
The possible interpretations (for a server that doesn’t support request objects) seem to be:
- The server can ignore anything in the request object and continue with the request
- The server must return an error if it’s not going to process the request object
The current certification requests appear to allow ‘1' for this case, but I’m not sure why. It appears to directly conflict with the text in the standard. I’m not clear what “no err” in the certification profile was intended to mean though.
It seems that in the wild some currently certified implementations do follow '1'.
Comments (3)
-
reporter
-
reporter
Extra text was added to test descriptions here: https://gitlab.com/openid/conformance-suite/-/merge_requests/908 and that was made live this morning.
-
- changed status to resolved
This is done in the Java certification suite
- Log in to comment
This was discussed on today’s call and it was agreed that the java tests should follow what the specification says, and this will mean some existing certified implementations (that do not follow the spec and ignore the request/request uri parameter) will fail.