FAPI certification conformance profile definitions needed

Issue #224 wontfix
Michael Jones created an issue

There are currently not specifications of the FAPI certification conformance profiles separate from the certification code itself. By comparison, the OpenID Connect certification profiles were specified by the working group separately from the code implementing them. See https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.docx and https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf. (Yes, the Connect ones could be more complete.)

Having profile definitions that are independent of the code helps both the working group and testers.

Note that Joseph wrote some notes on what is and isn’t currently tested at https://gitlab.com/openid/conformance-suite/wikis/OP-FAPI-RW-Test-Status .

Comments (6)

  1. Nat Sakimura

    There are currently not specifications of the FAPI certification conformance profiles separate from the certification code itself. By comparison, the OpenID Connect certification profiles were specified by the working group separately from the code implementing them. See https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.docx and https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf. (Yes, the Connect ones could be more complete.)

    Having profile definitions that are independent of the code helps both the working group and testers.

    Note that Joseph wrote some notes on what is and isn’t currently tested at https://gitlab.com/openid/conformance-suite/wikis/OP-FAPI-RW-Test-Status .

  2. Joseph Heenan

    I’m not sure either.

    The document Mike refers to does two things:

    1. Requires implementations (for certification) to implement things that are not mandatory in the specs
    2. Documents what is tested

    “1” is, hopefully, not applicable to FAPI-RW 1.0 final, as we’ve tried to make sure the spec is comprehensive.

    “2” is, in my opinion, better covered in the suite itself, trying to maintain it as a separate document is much harder and often means the code and the document don’t actually agree, as we saw with the OIDC one. The frontend of the conformance suite already presents much or all of the information.

  3. Log in to comment