Difference between revisions of "I5:FeatureTest-OpenID Relying Party validates the openid.return to in the response"
From OSIS Open Source Identity Systems
| Line 16: | Line 16: | ||
# Enter http://test-id.org/RP/VerifyReturnTo.aspx into the OpenID login field of the page. | # Enter http://test-id.org/RP/VerifyReturnTo.aspx into the OpenID login field of the page. | ||
# Once you are redirected to the OP you can select a kind of return_to tampering technique to apply | # Once you are redirected to the OP you can select a kind of return_to tampering technique to apply | ||
| − | ## There are | + | ## There are 6 sub tests. Your RP MUST detect and reject all 6 types of tampering attacks. |
| − | + | ||
# Failure would be being allowed access to the account or being able to create an account. | # Failure would be being allowed access to the account or being able to create an account. | ||
# Set outcome in the results page: | # Set outcome in the results page: | ||
Latest revision as of 23:43, 16 April 2009
{{#vardefine:page|{{#if:{{#var:page}}|{{#var:page}}|FeatureTest-OpenID Relying Party validates the openid.return to in the response}}}}{{#vardefine:nr|{{#if:{{#var:nr}}|{{#expr:{{#var:nr}}+1}}|1}}}}{{#vardefine:url|{{#replace:{{#var:page}}| |_}}}}{{#if:OpenID Relying Party validates the openid.return to in the response|{{#if:{{#var:DtArticleSortKey}}||}}}}{{#ifeq:{{#var:header}}|no||
| {{#if:{{#var:refs}}|[[{{#var:page}}|no_ref's]]|[[Special:Call/DT Article show Refs,page={{#var:page}},refs=yes|ref's]]}}}} | {{#if:{{#var:DtArticleSortKey}}|({{#var:DtArticleSortKey}})}} list help [[Special:Call/DT Article copy,cat=FeatureTest,from={{#var:page}},namespace=I5|copy]] [[Special:Call/DT Articles list XML,type=FeatureTest,title={{#var:page}},namespace=I5|as XML]] edit |
| {{#if:|Feature Test |Feature Test }} | OpenID Relying Party validates the openid.return to in the response |
| Test Type | bgcolor={{{color}}}}}|OpenID Authentication |
| Identifier | bgcolor={{{color}}}}}|FTR-orp-sec-3 |
| Description | bgcolor={{{color}}}}}|Tests OpenID Relying Party's validation of the openid.return to in the response |
| Role tested | bgcolor={{{color}}}}}|OpenID Identity Relying Party |
| Known Successful Reference Solution(s) | bgcolor={{{color}}}}}|{{ #if: JanRain PHP | I5:JanRain PHP}}{{ #if: Plaxo Signin | I5:Plaxo Signin}} {{ #if: | }} {{ #if: | }} |
| Success Criteria | bgcolor={{{color}}}}}|The RP treats the http: and https: verions of the URI as separate openID |
| Failure Criteria | bgcolor={{{color}}}}}|The RP allows both http: and https: forms |
Features Proven
{{#dpl:debug=1
|resultsheader=\n
|noresultsheader= {|\n|bgcolor=#eeeeee|No matching Feature found.\n|}\n
|category=Feature
|namespace=I5
|linksto=I5:FeatureTest-OpenID Relying Party validates the openid.return to in the response
|nottitlematch = Feature.edit
|include={Feature}.viewfromtest
|includematch=/FeatureTest-OpenID Relying Party validates the openid.return to in the response/s
|table=class=sortable,-,Feature,feature_type,solution_role
}}
Instructions
- Open the result page for your solution and this test.
- Open the OpenID login page for your relying party.
- Enter http://test-id.org/RP/VerifyReturnTo.aspx into the OpenID login field of the page.
- Once you are redirected to the OP you can select a kind of return_to tampering technique to apply
- There are 6 sub tests. Your RP MUST detect and reject all 6 types of tampering attacks.
- Failure would be being allowed access to the account or being able to create an account.
- Set outcome in the results page:
- If the success criteria was met, set the outcome to "Works".
- If the test failed, set the outcome to "Failed" and enter information about the failure in the Notes section.
- If other issues occurred set the result to "Issues" and describe them in the Notes section.
- Add either four tilde ~~~~ signs or a text name into the "Tested by" parameter.
- Update the Date Tested, Browser, and Operating System lines of the results page.
