Guest Blog: OpenID Connect Relying Party Certification for mod_auth_openidc


A Note from the Executive Director 

Hans Zandbelt’s blog reflects the kind of initiative that makes the OpenID Foundation a valuable resource for its members and the community at large.

The OpenID Foundation Certification Program aims to promote interoperability among implementations. With over 100 certifications to date, self certification has proven to be a significant boost for the adoption of OpenID Connect and a new trust model for the identity ecosystem. The certification test suite itself has proven to be a useful internal testing tool to improve quality assurance in the development of products.

Hans' contribution to our ongoing “testing the test” efforts enabled Ping to be among the first OpenID RP certifications and paves the way for other pioneering interoperability assurance efforts.

Thanks to Hans and a hat tip to Ping Identity for its technical thought leadership that has strengthened the OpenID Foundation and drives the innovation that benefits all.

Don Thibeau

Executive Director 

The OpenID Foundation


Good news on the OpenID Connect front: after creating a software certification program for OpenID Connect Provider implementations (http://openid.net/certification/), the OpenID Foundation recently added a similar capability for testing and certifying Relying Party (RP) implementations.

After putting in quite some work I was able to run mod_auth_openidc through the RP test suite and acquire the first official RP certification for it on December 13th. See the bottom of the page here: http://openid.net/certification/. One thing to be aware of is that RP testing is quite different from OP testing; as the RP certification test documentation puts it:

For each test, it is the responsibility of the tester to read and understand the expected result and determine whether the RP passed the test as described or not. This is because the RP test server typically doesn’t have enough information to determine whether the RP did the right thing with the information provided or not.

That means that the RP software developer needs to either a) write a lot of code to automate and interpret the tests in a reproducible way, or b) do a lot of manual work each time the tests are run to prove that everything conforms to the specification. That makes it different from the OP certification process, where the standard functions are exercised and the results are interpreted by the OP test suite itself, without requiring any changes to the OP software under test.

So why would an RP developer make this – rather significant – extra effort?

Firstly, the OpenID Foundation certification program aims to promote interoperability among implementations; this is certainly a great step in that direction and a significant boost for the OpenID Connect ecosystem. But secondly, and more importantly on a “local” scale, any self-respecting software product requires an integrated test suite for regression and continuous integration type tests. Once the effort for RP certification has been made and integrated into an automated test suite for the RP software, it is a great tool to prevent bugs creeping into new releases and a great help in improving the overall quality of the product.

Consider this a call to arms for all RP software developers out there to bite the bullet!

Hans Zandbelt