I5:FeatureTest-OpenID Relying Party protects against association poisoning

From OSIS Open Source Identity Systems

Feature Test: OpenID Relying Party protects against association poisoning
Test Type: OpenID Authentication
Identifier: FTR-orp-sec-8
Description: Tests that the OpenID Relying Party protects against association poisoning
Role tested: OpenID Identity Relying Party
Known Successful Reference Solution(s): I5:Plaxo Signin
Success Criteria: The RP doesn't allow a 2nd OP to overwrite the association
Failure Criteria: The RP allows the 2nd and third login from the poisoning OP


Instructions

  1. Open the result page for your solution and this test.
  2. Open the OpenID login page for your relying party.
  3. Enter http://test-id.org/RP/AssociationPoisoning.aspx?test=1 into the OpenID login field of the page.
    1. You can use the https: version of the OpenID above if your RP needs it.
    2. You will not be prompted for authentication.
    3. Make certain you are logged in.
    4. Click on the back button to return to the login.
  4. Enter http://test-id.org/RP/AssociationPoisoning.aspx?test=2 into the OpenID login field of the page.
    1. You will not be prompted for authentication.
    2. If you are logged in, this is a fail; you should have a warning from the RP.
  5. Enter http://test-id.org/RP/AssociationPoisoning.aspx?test=3 into the OpenID login field of the page.
    1. You will not be prompted for authentication.
    2. If you are logged in, this is a fail; you should have a warning from the RP.
  6. If the 2nd and 3rd logins result in warnings, this is a pass.
  7. Set outcome in the results page:
    1. If the success criteria were met, set the outcome to "Works".
    2. If the test failed, set the outcome to "Failed" and enter information about the failure in the Notes section.
    3. If other issues occurred set the result to "Issues" and describe them in the Notes section.
  8. Add either four tilde ~~~~ signs or a text name into the "Tested by" parameter.
  9. Update the Date Tested, Browser, and Operating System lines of the results page.
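
The property this test exercises, shown on the RP side as an added example (not code from OSIS, the test site, or any RP implementation). It assumes the poisoning OP reuses an association handle the RP already holds for another OP; the class names, endpoint URLs and keys are constructed, and sign() is a simplified stand-in for the OpenID signature calculation.

```python
import hashlib
import hmac


class HandleKeyedStore:
    """Weak: associations keyed by assoc_handle alone."""

    def __init__(self):
        self._assocs = {}

    def save(self, op_endpoint, handle, mac_key):
        self._assocs[handle] = mac_key  # a later OP silently replaces the key

    def lookup(self, op_endpoint, handle):
        return self._assocs.get(handle)


class EndpointScopedStore(HandleKeyedStore):
    """Hardened: associations keyed by (OP endpoint, assoc_handle)."""

    def save(self, op_endpoint, handle, mac_key):
        self._assocs[(op_endpoint, handle)] = mac_key

    def lookup(self, op_endpoint, handle):
        return self._assocs.get((op_endpoint, handle))


def sign(mac_key, fields):
    # Simplified stand-in for the OpenID key-value signature base string.
    data = "".join(f"{k}:{v}\n" for k, v in sorted(fields.items())).encode()
    return hmac.new(mac_key, data, hashlib.sha256).hexdigest()


def rp_accepts(store, op_endpoint, handle, fields, sig):
    """RP-side check: verify sig with the key stored for this OP and handle."""
    key = store.lookup(op_endpoint, handle)
    return key is not None and hmac.compare_digest(sign(key, fields), sig)


def forged_login_accepted(store):
    """Constructed scenario: OP B registers OP A's handle, then signs as A."""
    op_a, op_b = "https://op-a.example/server", "https://op-b.example/server"
    store.save(op_a, "shared-handle", b"key-known-only-to-op-a")
    store.save(op_b, "shared-handle", b"key-chosen-by-op-b")
    fields = {"claimed_id": "https://op-a.example/alice", "op_endpoint": op_a}
    forged = sign(b"key-chosen-by-op-b", fields)
    return rp_accepts(store, op_a, "shared-handle", fields, forged)
```

With the handle-keyed store the second OP's key replaces the first, which is the failure criterion above; scoping the key to the OP endpoint keeps the original association intact.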