CDR Conformance Bugs

Ticket to collate bugs encountered within the Conformance Suite using the CDR profile. Some of these might (hopefully!) already be resolved as I’ve had a high latency on coming back to this. I’ll look to edit the main ticket in the short term as I add things.

The conformance suite expects the keys within the JWKS to be in a deterministic order notably that the signing key must be the first entry. When the first key is of type enc the conformance suite barfs
auth_time is not being specified as an essential claim in the request object of fapi-rw-id2 so is untested but it’s support is mandatory in CDR
offline_access scope acceptance is untested. It is not required by CDR but it’s presence is meant, at worst, to be ignored
aud for assertions are expected to be the called uri, the issuer or the token endpoint regardless of endpoint
Note: This one might already be the case but haven’t run through the permutations
scope parameters involving “Detailed” scopes must require “Basic” scopes to be present or be rejected with an undefined error probably invalid_request
Access Token’s issued must expire in no more than 10 minutes but this is not checked
expires_in within Token Response is read but does not appear to be mandatory (CDR makes this mandatory)
refresh_token_expires_at must be present within the ID Token obtained from the Token endpoint
Acceptable acr values is missing urn:cds.au:cdr:3
For sharing_duration the following values are considered invalid and perhaps should be tested:
- Not an integer
- Value larger than 31536000 (more than 1 year)
- Value <0
The sharing_expires_at claim is mandatory when a sharing duration of >0 is requested, this is currently parsed but not checked

‌

Comments (17)