Question

What automated standards-conformance tests are there for OpenID providers?

I'm making changes to the implementation of an OpenID provider, to bring it from version 1.1 of the standard to version 2.0.

Before releasing the code, I want to be sure that it conforms to the specifications of the standard. For testing web standards compliance, the W3C has validator tools. What tools exist so that I can point an automated tester at my OpenID provider and get a report of compliance with the standard?


Solution

In case anyone stumbles across this thread, OpenID Connect now has an official conformance test suite that is part of the certification process:

https://openid.net/certification/testing/

Enjoy!

OTHER TIPS

You could look at http://test-id.net/ which has a set of tests written in .net.

There are no conformance tests (at least officially approved) that I know of - even for 1.1. Certainly it's something that would be very high value. Same goes for OAuth - they're both complex protocols and sometimes even the spec doesn't cover everything.

Probably the only thing you can do right now is thorough unit testing coverage locally.

There's this thing for 1.1-only: http://openidenabled.com/resources/openid-test/diagnose-server/

We never upgraded it for 2.0. Once or twice a year someone comes along and says "hey, we should have better testing tools," but as far as I (and others, judging from the responses here) know, none of those efforts has borne fruit yet.

Edited to add: another related project is at http://code.google.com/p/openid-test/

OSIS have interoperability tests, feature tests for IPs and feature tests for RPs.

However, these aren't automated; everyone gets together at one of the RSA conferences and checks they all work with each other.

As of now, and to the best of my knowledge, there are no tools that can report compliance with the standard. If you really want to make sure that your code is 2.0 compliant, you should hire some independent consultants to review your unit tests for each function of OpenID 2.0. They should also do their own testing, of course. The consultants must be experienced with auditing in general, like PCI DSS, etc. They are experienced in going over the spec and testing your app libraries and database.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow