openid-certification / oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

OP-BackChannel-Discovery and OP-FrontChannel-Discovery don't assert that OP supports back- and front-channel logout #223

Open travisspencer opened 4 years ago

travisspencer commented 4 years ago

I have an OP that doesn't support back- or front-channel logout, yet OP-BackChannel-Discovery and OP-FrontChannel-Discovery pass. Here are the salient parts of the metadata of the OP under test (as reported on the ProviderConfigurationResponse step of those tests):

{
    "backchannel_logout_session_supported": false,
    "backchannel_logout_supported": false,
    "frontchannel_logout_session_supported": false,
    "frontchannel_logout_supported": false,
...
}

Do these tests pass simply because those fields are in the JSON object? Shouldn't they also assert that the values are true?

Also, there's no check for end_session_endpoint in the metadata. Shouldn't there be one?

As a point of comparison, the test OP-Session-Discovery also fails on this OP with this error:

These following required claims are missing: ['check_session_iframe', 'end_session_endpoint']

rohe commented 4 years ago

They should definitely assert that the values are true. There are tests in there for this. Don't know why they don't work.

rohe commented 4 years ago

If you only support backchannel and/or frontchannel logout you don't need to support session management. So no, there should not be a check for end_session_endpoint or check_session_iframe, for that matter.
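The presence-versus-value distinction discussed in this thread, as an added example (not code from the oidctest project): a small checker over a constructed metadata subset modelled on the issue's JSON, showing why a key-exists check passes while a check on the boolean value fails, and keeping the session-management claims as a separate profile. The profile table and the rule that only the `*_logout_supported` flags must be true are assumptions made for illustration.

```python
import json

# Constructed subset of a ProviderConfigurationResponse, modelled on the
# metadata quoted in the issue: the keys are present but the values are false.
SAMPLE_METADATA = json.loads("""{
    "issuer": "https://op.example",
    "backchannel_logout_session_supported": false,
    "backchannel_logout_supported": false,
    "frontchannel_logout_session_supported": false,
    "frontchannel_logout_supported": false
}""")

# Assumed per-profile requirements: True means "present and exactly true",
# None means "present" (an endpoint/URL whose value is not a boolean).
# Session management is its own profile, since back-/front-channel logout
# does not require end_session_endpoint or check_session_iframe.
PROFILES = {
    "OP-BackChannel-Discovery": {"backchannel_logout_supported": True},
    "OP-FrontChannel-Discovery": {"frontchannel_logout_supported": True},
    "OP-Session-Discovery": {"check_session_iframe": None,
                             "end_session_endpoint": None},
}


def presence_only_check(metadata, profile):
    """The weak check the issue describes: passes as long as the keys exist."""
    return [c for c in PROFILES[profile] if c not in metadata]


def value_check(metadata, profile):
    """Stricter check: a claim that must be true fails unless it is the JSON
    boolean true (a string such as "true" or any other truthy value is
    rejected, because metadata consumers must not guess at its meaning)."""
    failures = []
    for claim, must_be in PROFILES[profile].items():
        if claim not in metadata:
            failures.append(f"missing: {claim}")
        elif must_be is True and metadata[claim] is not True:
            failures.append(f"{claim} is {metadata[claim]!r}, expected true")
    return failures


def run_all(metadata):
    """Evaluate every profile with the stricter check; empty list means pass."""
    return {p: value_check(metadata, p) for p in PROFILES}
```

Against the sample metadata, the presence-only check lets both logout discovery profiles through while the value check flags each `*_logout_supported: false`, matching the behaviour reported above.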