<div dir="ltr">Hi Thomas,<div><br></div><div>That's great news, thanks for sharing. We tried to execute these tests a while back, but there were issues with them at the time. Our plan is to revisit this in the next few months and to resolve issues where we're not following the spec.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 25 May 2016 at 00:03, Thomas Darimont <span dir="ltr">&lt;<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello list,</div><div><br></div><div>sorry for the longer email...</div><div><br></div><div>I just noticed that Keycloak is currently not listed as a </div><div>certified OpenID Connect implementation under:</div><div><a href="http://openid.net/certification/" target="_blank">http://openid.net/certification/</a></div><div><br></div><div>As it turns out, one can run the tests oneself by creating a test profile as described here:</div><div><a href="http://openid.net/certification/testing/" target="_blank">http://openid.net/certification/testing/</a></div><div><br></div><div>The OpenID Connect test can be configured here: </div><div><a href="https://op.certification.openid.net:60000/" target="_blank">https://op.certification.openid.net:60000/</a></div><div><br></div><div>I just gave the test a spin by running a Keycloak Application instance </div><div>(Version 1.9.1.Final - as I had that running) embedded in a Spring Boot App </div><div>on Cloud Foundry which I exposed to the <a href="http://op.certification.openid.net" target="_blank">op.certification.openid.net</a> test server.</div><div>... 
it works and was a quick way to get Keycloak exposed to the test - and yes I know </div><div>this is of course not a prod environment ;-)</div><div><br></div><div>The results did not look bad.</div><div>Note that you need to execute each step manually by clicking on it... </div><div><br></div><div>First run got me 23 green (+2 manually verified) out of 41 tests overall,</div><div>the rest were 9 yellow and 6 red.</div><div><br></div><div><div>You can find a screenshot of the overall test results here:</div><div><a href="http://s33.postimg.org/h6zawnbbz/screencapture_op_certification_openid_net_60628.png" target="_blank">http://s33.postimg.org/h6zawnbbz/screencapture_op_certification_openid_net_60628.png</a></div></div><div><br></div><div>I think those tests are a great way to close gaps between specification and implementation </div><div>and help to make Keycloak more compatible.</div><div><br></div><div><div>I also have the logs with the detailed request / response pairs for the failed tests and </div><div>explanations.</div><div>Please ping me if you want to have those for investigation (~600 kb text).</div></div><div><br></div><div>Some of the tests, like "Scope requesting all claims [Basic, Implicit, Hybrid] (OP-scope-All)", </div><div>were yellow because some claim information was missing in the user info, like:</div><div>['nickname', 'profile', 'picture', 'website', 'gender', 'birthdate', 'zoneinfo', 'locale', 'updated_at', 'phone_number', 'phone_number_verified'].</div><div><br></div><div>The red tests like "IDToken has kid [Basic, Implicit, Hybrid] (OP-IDToken-kid)" mostly failed due to </div><div>missing values in the response, e.g. 
</div><div>"[verify-signed-idtoken-has-kid]</div><div><span style="white-space:pre-wrap">        </span>status: ERROR</div><div><span style="white-space:pre-wrap">        </span>description: Verifies that the header of a signed IDToken includes a kid claim.</div><div><span style="white-space:pre-wrap">        </span>info: Signed ID Token has no kid: header={u'alg': u'RS256'}"</div><div><br></div><div>If you want to try it out yourself here are the settings I used for the </div><div>OpenID Connect Test Application:</div><div><br></div><div>--------------------</div><div><br></div><div>Provider configuration:</div><div>"Does the OP have a .well-known/openid-configuration endpoint?"</div><div>yes</div><div><br></div><div>"What is the issuer path for this configuration information?"</div><div><a href="https://tdlabs-keycloak-test2.cfapps.io/realms/test" target="_blank">https://tdlabs-keycloak-test2.cfapps.io/realms/test</a></div><div><br></div><div>"Do the provider support dynamic client registration?"</div><div>no (I know keycloak supports that but I couldn't get that working)</div><div><br></div><div>"Redirect uris"</div><div><a href="https://op.certification.openid.net:60629/authz_cb" target="_blank">https://op.certification.openid.net:60629/authz_cb</a></div><div><br></div><div>"Client id" </div><div>openid-cert</div><div><br></div><div>"Client secret"</div><div>4692ca28-daad-4d76-aa82-0991e518d931</div><div><br></div><div>Required info</div><div>"Which subject type do you want to use by default?"</div><div>public </div><div><br></div><div>"Which response type should be used by default?"</div><div>code</div><div><br></div><div>"Select supported features"</div><div>JWT signed with algorithm other than "none"</div><div>Encrypted JWT</div><div><br></div><div>Test specific request parameters:</div><div><br></div><div>"Login hint"</div><div><a href="mailto:tom@example.com" target="_blank">tom@example.com</a></div><div>"UI locales"</div><div>en de</div><div>"Claims 
locales"</div><div>en de</div><div>"Acr values"</div><div>2 1</div><div><br></div><div>"Webfinger url"</div><div><a href="https://example.com/tom" target="_blank">https://example.com/tom</a></div><div><br></div><div>"Webfinger email"</div><div><a href="mailto:tom@example.com" target="_blank">tom@example.com</a></div><div>E.g. <a href="mailto:bob@example.com" target="_blank">bob@example.com</a></div><div><br></div><div>For testing purposes I created a new realm "test" with an additional </div><div>client "openid-cert" with "confidential" access type and </div><div>the valid redirect url provided by the <a href="http://op.certification.openid.net" target="_blank">op.certification.openid.net</a> test server.</div><div><br></div><div><div>I also created a user "tester" for the login tests.</div></div><div><br></div><div>Cheers,</div><div>Thomas</div></div>
<br>_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br></blockquote></div><br></div>
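The two findings quoted in the thread above (an ID token whose JOSE header has `alg` but no `kid`, and a UserInfo response missing the claims implied by the requested scopes) can be checked offline before re-running the conformance suite. The Python script below is an added example; it is not code from the original message, from Keycloak, or from the OpenID certification tool. The tokens and the UserInfo document it inspects are constructed samples, the key id `example-key-1` is made up, and the scope-to-claims mapping is the one from OpenID Connect Core 1.0, section 5.4.

```python
"""
Offline lint for two OpenID Connect OP conformance findings:
  1. OP-IDToken-kid: the header of a signed ID token must carry a `kid`
     (and `alg` must not be "none" if the token is meant to be signed).
  2. OP-scope-All: the UserInfo response should contain the claims implied
     by the requested scopes (profile, email, address, phone).
This only inspects headers and claim names; it does NOT verify signatures.
"""
import base64
import json

# Claims implied by each standard scope (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_header(token):
    """Return the decoded JOSE header of a compact-serialised JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[0]))


def check_id_token_kid(token):
    """Return a list of problems with the token header; an empty list means OP-IDToken-kid passes.

    The header is read without verifying the signature, so treat `alg` and `kid`
    as untrusted input: a real verifier pins the expected algorithm and uses `kid`
    only to pick a key from the provider's JWKS before checking the signature.
    """
    header = jwt_header(token)
    problems = []
    alg = header.get("alg")
    if alg is None or alg == "none":
        problems.append("alg missing or 'none': ID token is not signed")
    if "kid" not in header:
        problems.append("Signed ID Token has no kid: header=%s"
                        % json.dumps(header, sort_keys=True))
    return problems


def missing_userinfo_claims(userinfo, scopes):
    """Claims implied by `scopes` that are absent from the UserInfo response (OP-scope-All style)."""
    missing = []
    for scope in scopes:
        for claim in SCOPE_CLAIMS.get(scope, []):
            if claim not in userinfo:
                missing.append(claim)
    return missing


def compact_jws(header, payload, signature=b"\x00" * 32):
    """Build a compact JWS string from header/payload dicts.

    Constructed helper for the samples below: the signature segment is a
    placeholder, since only the header is inspected here.
    """
    segs = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
            _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
            _b64url_encode(signature)]
    return ".".join(segs)


# Constructed sample data (issuer and client id taken from the thread; everything else made up).
SAMPLE_PAYLOAD = {"iss": "https://tdlabs-keycloak-test2.cfapps.io/realms/test",
                  "sub": "tester", "aud": "openid-cert"}
TOKEN_NO_KID = compact_jws({"alg": "RS256"}, SAMPLE_PAYLOAD)
TOKEN_WITH_KID = compact_jws({"alg": "RS256", "kid": "example-key-1"}, SAMPLE_PAYLOAD)
SAMPLE_USERINFO = {
    "sub": "tester", "name": "Tom Tester", "given_name": "Tom", "middle_name": "",
    "family_name": "Tester", "preferred_username": "tester",
    "email": "tom@example.com", "email_verified": True,
}

if __name__ == "__main__":
    print("no kid  :", check_id_token_kid(TOKEN_NO_KID))
    print("with kid:", check_id_token_kid(TOKEN_WITH_KID))
    print("missing :", missing_userinfo_claims(SAMPLE_USERINFO,
                                               ["openid", "profile", "email", "phone"]))
```

Run it against a real ID token by pasting the token string in place of the constructed samples; the `kid` check reproduces the wording of the conformance message from the thread, and the claim check lists exactly which UserInfo claims the OP left out for the scopes you requested. Because it never validates the signature, use it as a pre-flight lint, not as a token verifier.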