ALPHA ALPHA ALPHA ALPHA (in development, 2008-01)IntroductionThe following is the OpenID Test Specification. To participate in the automated matrix testing of each {library,feature,version,OP-vs-RP} against every other combination, somebody should implement for each OpenID library a CGI script implementing this specification. The specification defines specific well-known URL paths and parameter names which the test harness will use. General FormatIn general, the URLs you're to provide are of the form: <BASE>/<VERSIONS>/<PATH> For instance, http://yourhostname.com:1234/library-openidtest.cgi/1.1,2.0/rp Where the BASE is the CGI script's base. The versions is a comma-separated list of supported version numbers ("1.1,2.0"), and the rest is the function of the page. In this case, "/rp", which is a relying party implementing versions both OpenID 1.1 and 2.0. Capability DocumentAn exception to the general format described above, participants in the openid-test project must support a URL of the form: Which returns a text/plain document looking like: # I am an openid-test capabilities document.
# I support the following:
openid1.1
#openid2.0
#xri
#delegate As you can see, it's one capability per line. Comments starts with a #. Blank lines ignores. The capabilities are useful in that the test framework will skip tests if a test is marked as requiring a capability which you don't declare as supporting. This speeds up the testing, and a test result of "Skipped, due to lack of capability $X" is better than "TEST FAILED". List of capabilities includes: - openid1.1
- openid2.0
- xri
- delegate
- (probably more later)
OpenID Relying Party (RP) URL formatsShow HTML forms for users: (not used by test framework itself, but helpful for people adding OpenID OP support to their site, and want to test your library) - /1.1/rp
- /2.0/rp
- /1.1,2.0/rp
Required GET parameters to support are: - openid_identifier -- the "User-Supplied Identifier" (what a user would type into the login box)
- op -- How far into the OpenID operation to run before returning information, and what information to return. Possible values are:
- "" (blank, default): do the full OpenID flow
- "disco": just do OpenID discovery, and return discovery information
- "assoc": just return association details (possibly doing association first, or using association from cache)
- assoc_mode -- one of:
- "stateful": default, if not specified)
- "stateful_new": create a new association, ignoring any previously created, cached one
- "stateless" -- don't associate. don't send an association handle. previously called "dumb mode"
- "use_handle" -- use a specific association handle, previously generated and in the cache. the handle to use should be in the GET parameter "assoc_handle".
Response format for op ""When the op parameter is "", the expected response format is: OK That is, "OK" by itself. Trailing whitespace is okay. Anything else is considered an error. Response format for op "disco"After discovery on a page with no delegate/local_id: user_specified_url: http://.../1.1/identity/will-sign
openid_provider: http://..../1.1/op
local_id: With a delegate ("local_id", in 2.0 terms), the local_id parameter would be the URL to send to the openid provider. Response format for op "assoc"handle: 1200865103:PzoPTP8qjCtAqqWZogVv:33c365db4e
type: HMAC-SHA1 Examples URLsHere are some random URLs using the options above in different ways: Just do discovery (version 1.1 only), and emit text/plain document with information discovered: - /1.1/rp?openid_identifier=http%3A%2F%2Fbradfitz.com%2F&op=disco
Just associate, forcing a new association: - /1.1,2.0/rp?openid_identifier=http%3A%2F%2Fbradfitz.com%2F&op=assoc&assoc_mode=stateful_new
Do the full OpenID flow, version 2.0 only, using a specific association handle: - /2.0/rp?openid_identifier=http%3A%2F%2Fbradfitz.com%2F&assoc_mode=use_handle&assoc_handle=HANDLE
Identity URL formatsThe basic form for an identity URL is one of: - /VERSIONS/identity/BEHAVIOR -- where BEHAVIOR is one of:
- "will-sign": immediate signs and redirects with signature
- "will-setup-then-sign": won't sign, but the user_setup_url points to a place that will then immediately return to your return_to with a signature
- "will-setup-then-cancel": won't sign, and then after the user_setup_url will hit the virtual 'Cancel' button and send openid.mode="cancel"
- /VERSIONS/identity/BEHAVIOR/redirect -- just redirects back to the same URL without the "/redirect" part. used for testing RPs.
- /VERSIONS/identity/BEHAVIOR/delegate_to/OP_VERSIONS -- uses delegate ("local_id") to declare their local ID for the referenced OpenID server. To note here: the VERSIONS is the page's HTML markup version, and the OP_VERSIONS is the versions that the referenced OP speaks.
A non-exaustive list of some combinations of the above... # Identity URLs which return signatures right away: - /1.1/identity/will-sign - Version 1.1 only
- /1.1/identity/will-sign/redirect - Version 1.1 only
- /2.0/identity/will-sign - Version 2.0 only
- /1.1,2.0/identity/will-sign - Version 1.1+2.0
- /1.1/identity/will-sign/delegate_to/1.1 - delegated with 1.1 markup to 1.1 server
- /2.0/identity/will-sign/delegate_to/2.0 - delegated with 2.0 markup to 2.0 server
- /1.1,2.0/identity/will-sign/delegate_to/1.1,2.0 - delegated with 1.1+2.0 markup to 1.1+2.0 server
- /1.1/identity/will-sign/delegate_to/2.0 - delegated with 1.1 markup to 2.0 server
- /2.0/identity/will-sign/delegate_to/1.1 - delegated with 2.0 markup to 1.1 server (NOTE: this is expected to make RPs fail, as the RP, even if it knows 2.0, will then speak 2.0 to OP, which only knows 1.1. This is a user error.)
# Identity URLs which fail, but after setup succeed. - /1.1/identity/will-setup-then-sign - Version 1.1 only
- /2.0/identity/will-setup-then-sign - Version 2.0 only
- /1.1,2.0/identity/will-setup-then-sign - Version 1.1+2.0
- /1.1/identity/will-setup-then-sign/delegate_to/1.1 - delegated with 1.1 markup to 1.1 server
- /2.0/identity/will-setup-then-sign/delegate_to/2.0 - delegated with 2.0 markup to 2.0 server
- /1.1,2.0/identity/will-setup-then-sign/delegate_to/1.1,2.0 - delegated with 1.1+2.0 markup to 1.1+2.0 server
- /1.1/identity/will-setup-then-sign/delegate_to/2.0 - delegated with 1.1 markup to 2.0 server
- /2.0/identity/will-setup-then-sign/delegate_to/1.1 - delegated with 2.0 markup to 1.1 server
# Identity URLs which fail, and then after setup do openid.mode=cancel. - /1.1/identity/will-setup-then-cancel - Version 1.1 only
- /2.0/identity/will-setup-then-cancel - Version 2.0 only
- /1.1,2.0/identity/will-setup-then-cancel - Version 1.1+2.0
- /1.1/identity/will-setup-then-cancel/delegate_to/1.1 - delegated with 1.1 markup to 1.1 server
- /2.0/identity/will-setup-then-cancel/delegate_to/2.0 - delegated with 2.0 markup to 2.0 server
- /1.1,2.0/identity/will-setup-then-cancel/delegate_to/1.1,2.0 - delegated with 1.1+2.0 markup to 1.1+2.0 server
- /1.1/identity/will-setup-then-cancel/delegate_to/2.0 - delegated with 1.1 markup to 2.0 server
- /2.0/identity/will-setup-then-cancel/delegate_to/1.1 - delegated with 2.0 markup to 1.1 server
... etc, etc. Again, this is a non-exhaustive list. OtherTODO: way to tell an OP to drop an association handle. TODO: directed identity TODO: all combinations of Yadis/XRDS discovery TODO: http vs. https, fallbacks, etc.
|
