This repository has been archived by the owner on Sep 1, 2020. It is now read-only.
When calling the Token Endpoint of various tests with invalid values (what an invalid value is of course depends on the test - but for example using client_secret_post as auth method when running the rp-token_endpoint-client_secret_basic test) an HTML error response is returned - not the JSON that is described in section 3.1.3.4 of the OIDC specification and section 5.2 of RFC 6749.
@jborgland the tools are meant to test the behaviour of the tested service, you should not rely on its responses for cases that aren't part of the test plan for conformant behaviour.
Well, I do not rely on the format of the error response - the application handles the invalid response well. However, wouldn't it be reasonable for the test suite to actually adhere to specification? That way you would for example also get proper testing of the RP's ability to handle correct error responses - and not, as it is now, its ability to handle an OP that doesn't adhere to the spec.
> However, wouldn't it be reasonable for the test suite to actually adhere to specification?
It would but it's not the core scenario of this particular test.
I'll reopen and discuss this in today's certification call. I'll check with the developers of a new tool we're developing that entails way more tests and scenarios to see if we'll include this in our new suite.
This (python) suite however is in maintenance mode and we won't be adding such behaviours.
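For readers who want to see the difference the issue describes, here is an added example (not part of this thread or of the test suite) that checks a Token Endpoint error response against RFC 6749 section 5.2. The function name `check_token_error` and both sample responses are constructed for illustration.

```python
import json

# Error codes defined in RFC 6749 section 5.2 (extensions may register more).
RFC6749_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}

def check_token_error(status, headers, body):
    """Return deviations from RFC 6749 section 5.2; an empty list means conforming."""
    problems = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    media_type = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"media type is {media_type or 'missing'}, not application/json")
    try:
        doc = json.loads(body)
    except ValueError:
        problems.append("body is not JSON")
        return problems
    if not isinstance(doc, dict):
        problems.append("body is not a JSON object")
        return problems
    error = doc.get("error")
    if not isinstance(error, str):
        problems.append("required 'error' member is missing or not a string")
    elif error not in RFC6749_ERRORS:
        problems.append(f"error code {error!r} is not one of the section 5.2 codes")
    # 400 is the default status; 401 is allowed only for invalid_client.
    if status != 400 and not (status == 401 and error == "invalid_client"):
        problems.append(f"unexpected HTTP status {status}")
    if status == 401 and "www-authenticate" not in hdrs:
        problems.append("401 response lacks WWW-Authenticate")
    return problems

# Constructed samples: an HTML error page, and a conforming JSON error response.
HTML_SAMPLE = (400, {"Content-Type": "text/html"},
               "<html><body><h1>Bad Request</h1></body></html>")
JSON_SAMPLE = (401, {"Content-Type": "application/json;charset=UTF-8",
                     "WWW-Authenticate": "Basic"},
               '{"error": "invalid_client"}')

if __name__ == "__main__":
    for name, sample in (("html", HTML_SAMPLE), ("json", JSON_SAMPLE)):
        print(name, check_token_error(*sample) or "conforms")
```

An RP under test can run the same check on whatever the OP returns and still fall back to treating any non-2xx response as a failed token request.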