Open jborgland opened 4 years ago
@jborgland the tools are meant to test the behaviour of the tested service; you should not rely on its responses for cases that aren't part of the test plan for conformant behaviour.
Well, I do not rely on the format of the error response - the application handles the invalid response well. However, wouldn't it be reasonable for the test suite to actually adhere to the specification? That way you would, for example, also get proper testing of the RP's ability to handle correct error responses - and not, as it is now, its ability to handle an OP that doesn't adhere to the spec.
> However, wouldn't it be reasonable for the test suite to actually adhere to the specification?
It would but it's not the core scenario of this particular test.
I'll reopen and discuss this in today's certification call; I'll check with the developers of a new tool we're developing that entails way more tests and scenarios to see if we'll include this in our new suite.
This (python) suite however is in maintenance mode and we won't be adding such behaviours.
When calling the Token Endpoint of various tests with invalid values (what an invalid value is of course depends on the test - but for example using `client_secret_post` as the auth method when running the `rp-token_endpoint-client_secret_basic` test), an HTML error response is returned - not the JSON that is described in section 3.1.3.4 of the OIDC specification and section 5.2 of RFC 6749.
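As an added illustration of the two sides of this issue (this is example code written for this thread, not code from the conformance suite or from any OP/RP it tests): `build_token_error_response` produces the error object an OP is required to return by RFC 6749 section 5.2 / OIDC Core 3.1.3.4, and `parse_token_error` shows an RP classifying a token endpoint error so that a non-JSON body such as the HTML page reported above is recorded as non-conformant instead of crashing the client. Function names, the `HTML_ERROR` sample and the `known` field are assumptions made for the example.

```python
import json

# Error codes RFC 6749 section 5.2 defines for the token endpoint.
TOKEN_ENDPOINT_ERRORS = frozenset({
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
})


def build_token_error_response(error, description=None,
                               client_used_auth_header=False,
                               auth_scheme="Basic"):
    """OP side: (status, headers, body) for a conformant token endpoint error."""
    if error not in TOKEN_ENDPOINT_ERRORS:
        raise ValueError("not a token endpoint error code: %r" % error)
    payload = {"error": error}
    if description:
        payload["error_description"] = description
    headers = {
        "Content-Type": "application/json;charset=UTF-8",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    status = 400
    # RFC 6749 5.2: when the client authenticated via the Authorization header,
    # invalid_client must be answered with 401 and a WWW-Authenticate header.
    if error == "invalid_client" and client_used_auth_header:
        status = 401
        headers["WWW-Authenticate"] = auth_scheme
    return status, headers, json.dumps(payload)


def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_token_error(status, headers, body):
    """RP side: classify a token endpoint error response.

    'conformant' is True only when the body is the JSON object with a
    string 'error' member that the spec requires; 'known' says whether that
    code is one of the RFC 6749 5.2 codes. Anything else (HTML page, broken
    JSON, missing 'error') is reported rather than raised, so the RP can
    fail closed and log the misbehaving OP.
    """
    result = {"status": status, "conformant": False, "known": False,
              "error": None, "error_description": None}
    if not 400 <= status < 500:
        result["error_description"] = "unexpected status for a token error"
        return result
    ctype = (_header(headers, "Content-Type") or "").split(";")[0].strip().lower()
    if ctype != "application/json":
        result["error_description"] = "non-JSON body (%s)" % (ctype or "no content type")
        return result
    try:
        payload = json.loads(body)
    except ValueError:
        result["error_description"] = "body is not valid JSON"
        return result
    if not isinstance(payload, dict) or not isinstance(payload.get("error"), str):
        result["error_description"] = "JSON body lacks the required 'error' member"
        return result
    result["conformant"] = True
    result["known"] = payload["error"] in TOKEN_ENDPOINT_ERRORS
    result["error"] = payload["error"]
    result["error_description"] = payload.get("error_description")
    return result


# Constructed sample of the behaviour described in the issue: an HTML error
# page where the JSON error object should be.
HTML_ERROR = (400,
              {"Content-Type": "text/html; charset=utf-8"},
              "<html><body><h1>400 Bad Request</h1></body></html>")

if __name__ == "__main__":
    print(parse_token_error(*HTML_ERROR))
    print(parse_token_error(*build_token_error_response(
        "invalid_client", "wrong client authentication method",
        client_used_auth_header=True)))
```

Running the block prints the non-conformant classification for the HTML sample followed by the parsed conformant `invalid_client` error; an RP test that feeds both through `parse_token_error` exercises exactly the distinction the issue asks the suite to cover.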