This note records the list of tests an RP should run for the OpenID Connect Interop.
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. When you issue the authorization request, specify for instance scope="openid email". To verify that the OP acted on the scope specification, you have to do a Userinfo request and check that it contains email and email_verified claims.
- Specify scope=openid email in the request
- Confirm that email and verified are returned in the UserInfo response
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. When you issue the authorization request, you must create a request object containing for instance {"claims": {"name": {"essential": True}}} . To verify that the OP acted on the claims specification, you have to do a Userinfo request and check that it contains a name claim.
- Specify an OpenID Request Object containing {"claims": {"name": {"essential": True}}}
- Confirm that the UserInfo response contains the name attribute
Use the OpenID Provider endpoint https://www.kodtest.se:8088/ and ask for the Provider information. You should get a JSON object back.
- Run Discovery against https://www.kodtest.se:8088/
- Confirm that a JSON object is returned
Use the principal diana@kodtest.se and try to find the OpenID provider endpoint. The result should be https://www.kodtest.se:8088/
- Run Discovery using diana@kodtest.se
- OK if https://www.kodtest.se:8088/ is obtained
Use http://www.kodtest.se/diana as principal and look for the OpenID Provider Endpoint. The result should be https://www.kodtest.se:8088/ .
- Run Discovery using http://www.kodtest.se/diana
- OK if https://www.kodtest.se:8088/ is obtained
Send a registration request type=client_associate to the registration endpoint https://localhost:8088/registration. You should get a response of the format {"client_secret": "d30bc6c78f7bff81321b2f3b8d9a1a2c88fe52b419ec32df22d78358", "client_id": "ofxGABZSnW9W", "expires_at": 1348127913}
- Send type=client_associate to the registration endpoint https://localhost:8088/registration
- Confirm that a JSON object containing client_id, client_secret and so on is returned
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. When you do the authorization request use the username/password combination babs/howes. The result of the succeeding Userinfo request should contain aggregated claims.
- Run Discovery and Client Registration against http://www.kodtest.se:8088/
- Log in with babs/howes and confirm that the Userinfo contains Aggregated Claims
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. When you do the authorization request use the username/password combination upper/crust. The result of the succeeding Userinfo request should contain distributed claims.
- Run Discovery and Client Registration against http://www.kodtest.se:8088/
- Log in with upper/crust and confirm that the Userinfo contains Distributed Claims
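How an RP can tell the two cases above apart in a UserInfo response, as an added example that is not part of the original note. It assumes the `_claim_names` / `_claim_sources` layout of OpenID Connect Core; the sample responses are constructed, and signature validation of the embedded JWT is left out.

```python
import base64
import json


def jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def classify_claims(userinfo: dict) -> dict:
    """Sort UserInfo members into normal, aggregated and distributed claims."""
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    out = {
        "normal": sorted(k for k in userinfo if k not in ("_claim_names", "_claim_sources")),
        "aggregated": {},   # claim -> value carried inside the embedded JWT
        "distributed": {},  # claim -> endpoint the RP has to query itself
        "errors": [],
    }
    for claim, source_name in names.items():
        source = sources.get(source_name)
        if not isinstance(source, dict):
            out["errors"].append(f"{claim}: unknown source {source_name!r}")
        elif "JWT" in source:
            payload = jwt_payload(source["JWT"])
            if claim in payload:
                out["aggregated"][claim] = payload[claim]
            else:
                out["errors"].append(f"{claim}: not present in JWT from {source_name!r}")
        elif "endpoint" in source:
            out["distributed"][claim] = source["endpoint"]
        else:
            out["errors"].append(f"{claim}: source {source_name!r} has neither JWT nor endpoint")
    return out


def constructed_jwt(claims: dict) -> str:
    """Build an unsigned sample JWT for the constructed responses below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


# Constructed sample responses (not captured from the test OP).
AGGREGATED = {"sub": "babs", "_claim_names": {"shoe_size": "src1"},
              "_claim_sources": {"src1": {"JWT": constructed_jwt({"shoe_size": 8})}}}
DISTRIBUTED = {"sub": "upper", "_claim_names": {"credit_score": "src1"},
               "_claim_sources": {"src1": {"endpoint": "https://claims.example/score",
                                           "access_token": "constructed-token"}}}
```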
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. Use response_type="id_token token" when doing the authorization request. The username/password to use is diana/krall . A successful authentication should return an access_token together with an id_token containing an at_hash claim.
- Run Discovery and Client Registration against http://www.kodtest.se:8088/
- Send a request with response_type="id_token token"
- Log in with diana/krall and confirm that an Access Token and an ID Token containing its hash are returned
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. Use response_type="code id_token" when doing the authorization request. The username/password to use is diana/krall . A successful authentication should return an id_token containing a c_hash claim.
- Run Discovery and Client Registration against http://www.kodtest.se:8088/
- Send a request with response_type="code id_token"
- Log in with diana/krall and confirm that an Authorization Code and an ID Token containing its hash are returned
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. In order to do this type of authentication you need a client_secret; the only way you can get it with this setup is to do a client registration. Once you have done that, you will have to authenticate before doing the access token request. So an authorization request with response_type="code" is necessary. The username/password used for the login is diana/krall. The response to the access token request should be a JSON structure containing, among other things, an access_token.
- Run Discovery and Client Registration against http://www.kodtest.se:8088/
- Obtain an Authorization Code with response_type=code.
- Log in with diana/krall and send the Access Token Request using Basic authentication
- Confirm that a response is returned
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. In order to do this type of authentication you need a client_secret; the only way you can get it with this setup is to do a client registration. Once you have done that, you will have to authenticate before doing the access token request. So an authorization request with response_type="code" is necessary. The username/password used for the login is diana/krall. The response to the access token request should be a JSON structure containing, among other things, an access_token.
- Obtain an Authorization Code with response_type=code.
- Log in with diana/krall and send the Access Token Request as a POST request
- Confirm that a response is returned
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. When you register the client, you have to publish where the OP can find your RP's key(s). You can do this by using either 'jwk_url' or 'x509_url'. Once you have done that, you will have to authenticate before doing the access token request. So an authorization request with response_type="code" is necessary. The username/password used for the login is diana/krall. The response to the access token request should be a JSON structure containing, among other things, an access_token.
- Run Discovery and Client Registration against http://www.kodtest.se:8088/
- Specify 'jwk_url' or 'x509_url' at registration.
- Obtain an Authorization Code with response_type=code.
- Log in with diana/krall and send the Access Token Request as a JWT request using x509_url
- Confirm that a response is returned
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. In order to do this type of authentication you need a client_secret; the only way you can get it with this setup is to do a client registration. Once you have done that, you will have to authenticate before doing the access token request. So an authorization request with response_type="code" is necessary. The username/password used for the login is diana/krall. The response to the access token request should be a JSON structure containing, among other things, an access_token.
- Run Discovery and Client Registration against http://www.kodtest.se:8088/
- Obtain an Authorization Code with response_type=code.
- Log in with diana/krall and send the Access Token Request as a JWT request using client_secret
- Confirm that a response is returned
Use the OP http://www.kodtest.se:8088/ . This OP supports provider info discovery and client registration. When registering the RP, register a userinfo_signed_response_alg. This will make the OP return the user info as a signed JWT, as long as the algorithm is supported by the OP.
- Run Discovery and Client Registration against http://www.kodtest.se:8088/
- Specify userinfo_signed_response_alg at registration
- Confirm that the UserInfo response is in JWT format