Updated Jan 22, 2008 by heaven
Labels:	Featured, Phase-Design

TestSpec

test specification

ALPHA ALPHA ALPHA ALPHA (in development, 2008-01)

Introduction

The following is the OpenID Test Specification. To participate in the automated matrix testing of each {library,feature,version,OP-vs-RP} against every other combination, somebody should implement for each OpenID library a CGI script implementing this specification.

The specification defines specific well-known URL paths and parameter names which the test harness will use.

General Format

In general, the URLs you're to provide are of the form:

   <BASE>/<VERSIONS>/<PATH>

For instance,

   http://yourhostname.com:1234/library-openidtest.cgi/1.1,2.0/rp

Where the BASE is the CGI script's base. The versions is a comma-separated list of supported version numbers ("1.1,2.0"), and the rest is the function of the page. In this case, "/rp", which is a relying party implementing versions both OpenID 1.1 and 2.0.

Capability Document

An exception to the general format described above, participants in the openid-test project must support a URL of the form:

$BASE/caps

Which returns a text/plain document looking like:

# I am an openid-test capabilities document.
# I support the following:

openid1.1
#openid2.0
#xri
#delegate

As you can see, it's one capability per line. Comments starts with a #. Blank lines ignores.

The capabilities are useful in that the test framework will skip tests if a test is marked as requiring a capability which you don't declare as supporting. This speeds up the testing, and a test result of "Skipped, due to lack of capability $X" is better than "TEST FAILED".

List of capabilities includes:

openid1.1
openid2.0
xri
delegate
(probably more later)

OpenID Relying Party (RP) URL formats

Show HTML forms for users: (not used by test framework itself, but helpful for people adding OpenID OP support to their site, and want to test your library)

/1.1/rp
/2.0/rp
/1.1,2.0/rp

Required GET parameters to support are:

openid_identifier -- the "User-Supplied Identifier" (what a user would type into the login box)
op -- How far into the OpenID operation to run before returning information, and what information to return. Possible values are:

"" (blank, default): do the full OpenID flow
"disco": just do OpenID discovery, and return discovery information
"assoc": just return association details (possibly doing association first, or using association from cache)

assoc_mode -- one of:

"stateful": default, if not specified)
"stateful_new": create a new association, ignoring any previously created, cached one
"stateless" -- don't associate. don't send an association handle. previously called "dumb mode"
"use_handle" -- use a specific association handle, previously generated and in the cache. the handle to use should be in the GET parameter "assoc_handle".

Response format for op ""

When the op parameter is "", the expected response format is:

OK

That is, "OK" by itself. Trailing whitespace is okay. Anything else is considered an error.

Response format for op "disco"

After discovery on a page with no delegate/local_id:

user_specified_url: http://.../1.1/identity/will-sign
openid_provider: http://..../1.1/op
local_id:

With a delegate ("local_id", in 2.0 terms), the local_id parameter would be the URL to send to the openid provider.

Response format for op "assoc"

handle: 1200865103:PzoPTP8qjCtAqqWZogVv:33c365db4e
type: HMAC-SHA1

Examples URLs

Here are some random URLs using the options above in different ways:

Just do discovery (version 1.1 only), and emit text/plain document with information discovered:

/1.1/rp?openid_identifier=http%3A%2F%2Fbradfitz.com%2F&op=disco

Just associate, forcing a new association:

/1.1,2.0/rp?openid_identifier=http%3A%2F%2Fbradfitz.com%2F&op=assoc&assoc_mode=stateful_new

Do the full OpenID flow, version 2.0 only, using a specific association handle:

/2.0/rp?openid_identifier=http%3A%2F%2Fbradfitz.com%2F&assoc_mode=use_handle&assoc_handle=HANDLE

Identity URL formats

The basic form for an identity URL is one of:

/VERSIONS/identity/BEHAVIOR -- where BEHAVIOR is one of:

"will-sign": immediate signs and redirects with signature
"will-setup-then-sign": won't sign, but the user_setup_url points to a place that will then immediately return to your return_to with a signature
"will-setup-then-cancel": won't sign, and then after the user_setup_url will hit the virtual 'Cancel' button and send openid.mode="cancel"

/VERSIONS/identity/BEHAVIOR/redirect -- just redirects back to the same URL without the "/redirect" part. used for testing RPs.
/VERSIONS/identity/BEHAVIOR/delegate_to/OP_VERSIONS -- uses delegate ("local_id") to declare their local ID for the referenced OpenID server. To note here: the VERSIONS is the page's HTML markup version, and the OP_VERSIONS is the versions that the referenced OP speaks.

A non-exaustive list of some combinations of the above...

# Identity URLs which return signatures right away:

/1.1/identity/will-sign - Version 1.1 only
/1.1/identity/will-sign/redirect - Version 1.1 only
/2.0/identity/will-sign - Version 2.0 only
/1.1,2.0/identity/will-sign - Version 1.1+2.0
/1.1/identity/will-sign/delegate_to/1.1 - delegated with 1.1 markup to 1.1 server
/2.0/identity/will-sign/delegate_to/2.0 - delegated with 2.0 markup to 2.0 server
/1.1,2.0/identity/will-sign/delegate_to/1.1,2.0 - delegated with 1.1+2.0 markup to 1.1+2.0 server
/1.1/identity/will-sign/delegate_to/2.0 - delegated with 1.1 markup to 2.0 server
/2.0/identity/will-sign/delegate_to/1.1 - delegated with 2.0 markup to 1.1 server (NOTE: this is expected to make RPs fail, as the RP, even if it knows 2.0, will then speak 2.0 to OP, which only knows 1.1. This is a user error.)

# Identity URLs which fail, but after setup succeed.

/1.1/identity/will-setup-then-sign - Version 1.1 only
/2.0/identity/will-setup-then-sign - Version 2.0 only
/1.1,2.0/identity/will-setup-then-sign - Version 1.1+2.0
/1.1/identity/will-setup-then-sign/delegate_to/1.1 - delegated with 1.1 markup to 1.1 server
/2.0/identity/will-setup-then-sign/delegate_to/2.0 - delegated with 2.0 markup to 2.0 server
/1.1,2.0/identity/will-setup-then-sign/delegate_to/1.1,2.0 - delegated with 1.1+2.0 markup to 1.1+2.0 server
/1.1/identity/will-setup-then-sign/delegate_to/2.0 - delegated with 1.1 markup to 2.0 server
/2.0/identity/will-setup-then-sign/delegate_to/1.1 - delegated with 2.0 markup to 1.1 server

# Identity URLs which fail, and then after setup do openid.mode=cancel.

/1.1/identity/will-setup-then-cancel - Version 1.1 only
/2.0/identity/will-setup-then-cancel - Version 2.0 only
/1.1,2.0/identity/will-setup-then-cancel - Version 1.1+2.0
/1.1/identity/will-setup-then-cancel/delegate_to/1.1 - delegated with 1.1 markup to 1.1 server
/2.0/identity/will-setup-then-cancel/delegate_to/2.0 - delegated with 2.0 markup to 2.0 server
/1.1,2.0/identity/will-setup-then-cancel/delegate_to/1.1,2.0 - delegated with 1.1+2.0 markup to 1.1+2.0 server
/1.1/identity/will-setup-then-cancel/delegate_to/2.0 - delegated with 1.1 markup to 2.0 server
/2.0/identity/will-setup-then-cancel/delegate_to/1.1 - delegated with 2.0 markup to 1.1 server

... etc, etc. Again, this is a non-exhaustive list.

Other

TODO: way to tell an OP to drop an association handle.

TODO: directed identity

TODO: all combinations of Yadis/XRDS discovery

TODO: http vs. https, fallbacks, etc.