openid-certification / oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

Run all tests with a different response_mode #218

Open CrowdHailer opened 4 years ago

CrowdHailer commented 4 years ago

Our service currently only supports the form_post response mode. From the form post spec:

there are security implications to encoding response values in the query string and in the fragment value. Some of these concerns can be addressed by using the Form Post Response Mode.

We therefore decided to only support this response mode. Is there anywhere that says that an OP must support query/fragment responses? And if not, would making this configurable be acceptable?

panva commented 4 years ago

I’m afraid that in order to certify for code profile you must support query, in order to certify for the implicit and hybrid profiles, you must support fragment.

CrowdHailer commented 4 years ago

Ok, thanks for the quick response. I guess if I must support it there is no harm in most of the tests being done with a query response mode.

CrowdHailer commented 4 years ago

Is it the case that every test that is checking for calls to the authz_cb simply forwards the content to the authz_post endpoint?

I was seeing this output in my browser logs

Navigated to https://op-test:60001/authz_cb
[Violation] Forced reflow while executing JavaScript took 75ms
Navigated to https://op-test:60001/authz_post

I've curl'd the response from the first endpoint and get the following.

<!DOCTYPE html>
<html>
<head>
  <title>OpenID Certification OP Test</title>
</head>
<body onload="document.forms[0].submit()">
    <form class="repost" action="authz_post" method="post">
      <input type="hidden" name="fragment" id="frag" value="x"/>
      <script type="text/javascript">
        if (window.location.hash) {
          var hash = window.location.hash.substring(1); //Puts hash in variable, and removes the # character
          document.getElementById("frag").value = hash;
        }
      </script>
    </form>
</body>
</html>

This seems to forward fragments, but not query strings?
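Added example (JavaScript, not code from oidctest or from anyone in this thread): an RP-side check that locates the authorization response parameters in either the query or the fragment of the redirect URL, the two places the modes discussed above deliver them, and flags the mismatches a test harness or an RP would want to catch. The parameter list, the `expected` shape and the sample URLs are constructed for the example; form_post is out of scope because its parameters arrive in a POST body rather than in the URL.

```javascript
// Constructed example: the response parameters an RP looks for after an
// authorization request (OIDC Core / RFC 6749 names).
const RESPONSE_PARAMS = ['code', 'id_token', 'access_token', 'token_type',
                         'state', 'error', 'error_description'];

// Parse a raw query ("?a=b") or fragment ("#a=b") string, keeping only
// known response parameters so unrelated noise does not count as a response.
function parseParams(segment) {
  const params = new URLSearchParams(segment.replace(/^[?#]/, ''));
  const out = {};
  for (const [k, v] of params) {
    if (RESPONSE_PARAMS.includes(k)) out[k] = v;
  }
  return out;
}

// expected = { responseMode: 'query' | 'fragment', state: '<value we sent>' }
// Returns the parameters found where we expected them plus a list of problems.
function extractAuthzResponse(redirectUrl, expected) {
  const url = new URL(redirectUrl);
  const inQuery = parseParams(url.search);    // url.search is "?..." or ""
  const inFragment = parseParams(url.hash);   // url.hash is "#..." or ""
  const problems = [];

  const wantQuery = expected.responseMode === 'query';
  const chosen = wantQuery ? inQuery : inFragment;
  const other = wantQuery ? inFragment : inQuery;
  const otherName = wantQuery ? 'fragment' : 'query';

  if (Object.keys(chosen).length === 0) {
    problems.push(`no response parameters in ${expected.responseMode}`);
  }
  if (Object.keys(other).length > 0) {
    problems.push(`response parameters found in ${otherName}`);
  }
  // state must round-trip unchanged; a missing or different value is a
  // mixed-up or replayed response and the RP must not accept it.
  if (chosen.state !== expected.state) {
    problems.push('state mismatch');
  }
  // Tokens (implicit/hybrid) belong in the fragment or a form_post body,
  // never in the query string, where they would leak via Referer and logs.
  if (inQuery.access_token !== undefined || inQuery.id_token !== undefined) {
    problems.push('token delivered in query string');
  }
  return { params: chosen, problems };
}
```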