I5:FeatureTest-OpenID Relying Party protects against association poisoning

From OSIS Open Source Identity Systems

Feature Test   OpenID Relying Party protects against association poisoning
Test Type   OpenID Authentication
Identifier   FTR-orp-sec-8  
Description   Tests OpenID Relying Party protects against association poisoning  
Role tested   OpenID Identity Relying Party  
Known Successful Reference Solution(s)  
I5:Plaxo Signin  
Success Criteria   The RP doesn't allow a 2nd OP to overwrite the association  
Failure Criteria   The RP allows the 2nd and 3rd login from the poisoning OP  

Features Proven

Feature feature_type solution_role
OpenID Relying Party protects against association poisoning OpenID Relying Party interop

Instructions

  1. Open the result page for your solution and this test.
  2. Open the OpenID login page for your relying party.
  3. Enter http://test-id.org/RP/AssociationPoisoning.aspx?test=1 into the OpenID login field of the page.
    1. You can use the https: version of the OpenID above if your RP needs it.
    2. You will not be prompted for authentication.
    3. Make certain you are logged in.
    4. Click on the back button to return to the login.
  4. Enter http://test-id.org/RP/AssociationPoisoning.aspx?test=2 into the OpenID login field of the page.
    1. You will not be prompted for authentication.
    2. If you are logged in, this is a fail; you should have received a warning from the RP.
  5. Enter http://test-id.org/RP/AssociationPoisoning.aspx?test=3 into the OpenID login field of the page.
    1. You will not be prompted for authentication.
    2. If you are logged in, this is a fail; you should have received a warning from the RP.
  6. If the 2nd and 3rd logins result in warnings, this is a pass.
  7. Set outcome in the results page:
    1. If the success criteria were met, set the outcome to "Works".
    2. If the test failed, set the outcome to "Failed" and enter information about the failure in the Notes section.
    3. If other issues occurred set the result to "Issues" and describe them in the Notes section.
  8. Add either four tilde ~~~~ signs or a text name into the "Tested by" parameter.
  9. Update the Date Tested, Browser, and Operating System lines of the results page.
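What the test above exercises on the RP side, as an added illustration that is not part of the OSIS page or of any listed solution: an RP that stores associations by handle alone lets a second OP overwrite the first OP's MAC key, while an RP that keys associations by (OP endpoint, handle) does not. The OP endpoints, handle, keys and signed fields are constructed sample data.

```python
import hmac
import hashlib

# Constructed sample data (not from the page): two OPs hand the RP the same handle.
HONEST_OP = "https://op.example/endpoint"    # hypothetical first (legitimate) OP
ROGUE_OP = "https://rogue.example/endpoint"  # hypothetical second (poisoning) OP
HANDLE = "assoc-1"
HONEST_SECRET = b"honest-mac-key"
ROGUE_SECRET = b"rogue-mac-key"

def kv_form(params, signed):
    """OpenID 2.0 key-value form of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed.split(",")).encode()

def sign(secret, params):
    """HMAC-SHA256 over the key-value form (hex here; base64 on the wire)."""
    return hmac.new(secret, kv_form(params, params["openid.signed"]), hashlib.sha256).hexdigest()

class HandleKeyedStore:
    """Weak: keyed by handle alone, so a later OP silently overwrites an earlier one."""
    def __init__(self):
        self.db = {}
    def save(self, op_endpoint, handle, secret):
        self.db[handle] = secret
    def lookup(self, op_endpoint, handle):
        return self.db.get(handle)

class EndpointKeyedStore:
    """Hardened: the OP endpoint is part of the key, so no second OP can displace it."""
    def __init__(self):
        self.db = {}
    def save(self, op_endpoint, handle, secret):
        self.db[(op_endpoint, handle)] = secret
    def lookup(self, op_endpoint, handle):
        return self.db.get((op_endpoint, handle))

def verify_assertion(store, params):
    """Verify the signature with the association of the OP the assertion claims to come from."""
    secret = store.lookup(params["openid.op_endpoint"], params["openid.assoc_handle"])
    return secret is not None and hmac.compare_digest(sign(secret, params), params["openid.sig"])

def forged_assertion_accepted(store_cls):
    """Replay the test's sequence: honest OP associates, second OP reuses the handle, then asserts."""
    store = store_cls()
    store.save(HONEST_OP, HANDLE, HONEST_SECRET)
    store.save(ROGUE_OP, HANDLE, ROGUE_SECRET)
    params = {"openid.op_endpoint": HONEST_OP, "openid.claimed_id": "https://victim.example/",
              "openid.assoc_handle": HANDLE, "openid.signed": "op_endpoint,claimed_id,assoc_handle"}
    params["openid.sig"] = sign(ROGUE_SECRET, params)  # signed with the second OP's key
    return verify_assertion(store, params)              # True means the RP is poisoned
```

An RP built on the handle-keyed store accepts the forged assertion and would log the user in at step 4, which is the failure the test looks for; the endpoint-keyed store rejects it.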