Difference between revisions of "I5:FeatureTest-OpenID Relying Party protects against association poisoning"
From OSIS Open Source Identity Systems
Latest revision as of 09:30, 21 April 2009
Feature Test | OpenID Relying Party protects against association poisoning
Test Type | OpenID Authentication
Identifier | FTR-orp-sec-8
Description | Tests that the OpenID Relying Party protects against association poisoning
Role tested | OpenID Identity Relying Party
Known Successful Reference Solution(s) | Plaxo Signin
Success Criteria | The RP doesn't allow a 2nd OP to overwrite the association
Failure Criteria | The RP allows the 2nd and third login from the poisoning OP
Features Proven
Instructions
- Open the result page for your solution and this test.
- Open the OpenID login page for your relying party.
- Enter http://test-id.org/RP/AssociationPoisoning.aspx?test=1 into the OpenID login field of the page.
  - You can use the https: version of the OpenID above if your RP needs it.
  - You will not be prompted for authentication.
  - Make certain you are logged in.
  - Click on the back button to return to the login.
- Enter http://test-id.org/RP/AssociationPoisoning.aspx?test=2 into the OpenID login field of the page.
  - You will not be prompted for authentication.
  - If you are logged in, this is a fail; you should have a warning from the RP.
- Enter http://test-id.org/RP/AssociationPoisoning.aspx?test=3 into the OpenID login field of the page.
  - You will not be prompted for authentication.
  - If you are logged in, this is a fail; you should have a warning from the RP.
- If the 2nd and 3rd logins result in warnings, this is a pass.
- Set outcome in the results page:
  - If the success criteria were met, set the outcome to "Works".
  - If the test failed, set the outcome to "Failed" and enter information about the failure in the Notes section.
  - If other issues occurred, set the result to "Issues" and describe them in the Notes section.
- Add either four tilde ~~~~ signs or a text name into the "Tested by" parameter.
- Update the Date Tested, Browser, and Operating System lines of the results page.
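To show what an RP must do on its side to pass this test, here is an added example (not code from the OSIS page, test-id.org, or any listed reference solution) of an association store that refuses to let a second OP overwrite a handle another OP already owns, plus the positive-assertion check that only accepts a signature under the association the RP itself negotiated with the named op_endpoint. The endpoint URLs, handle and MAC keys are constructed values; HMAC-SHA256 associations are assumed.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Fields OpenID 2.0 (section 10.1) requires to be covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


@dataclass(frozen=True)
class Association:
    op_endpoint: str   # OP the RP itself negotiated this association with
    handle: str        # openid.assoc_handle
    mac_key: bytes     # shared MAC key (HMAC-SHA256 association assumed here)


class AssociationPoisoned(Exception):
    """A second OP tried to register a handle that another OP already owns."""


class AssociationStore:
    """Keyed by (op_endpoint, handle); a handle is never re-registered by a different OP."""

    def __init__(self):
        self._assocs = {}
        self._owner = {}   # handle -> op_endpoint that first registered it

    def store(self, assoc: Association) -> None:
        owner = self._owner.get(assoc.handle)
        if owner is not None and owner != assoc.op_endpoint:
            raise AssociationPoisoned(f"handle {assoc.handle!r} belongs to {owner}")
        self._owner[assoc.handle] = assoc.op_endpoint
        self._assocs[(assoc.op_endpoint, assoc.handle)] = assoc

    def lookup(self, op_endpoint: str, handle: str):
        return self._assocs.get((op_endpoint, handle))


def sign(mac_key: bytes, fields: dict, signed: list) -> str:
    """OpenID 2.0 signature: HMAC over the key-value form of the signed fields."""
    kv = "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def verify_response(store: AssociationStore, resp: dict) -> bool:
    """Accept only if the signature verifies under the RP's own association with the named OP."""
    signed = resp.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed) or any(f"openid.{n}" not in resp for n in signed):
        return False
    assoc = store.lookup(resp["openid.op_endpoint"], resp["openid.assoc_handle"])
    if assoc is None:
        return False   # unknown to this RP: fall back to check_authentication instead
    return hmac.compare_digest(sign(assoc.mac_key, resp, signed), resp.get("openid.sig", ""))
```

An RP that keys its store by handle alone would silently accept the second registration and lose the first OP's key, which is exactly the overwrite the test=2 and test=3 logins probe for.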