Experience with Online Protocol Testing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[I posted this question a little while ago to the WG chairs mailing list and got no response.
Maybe my question is too trivial but I thought I should try it on the ietf@xxxxxxxx list as well to 
get some feedback.]

Hi all,

when concerns about the lack of interoperability surfaced mid last year 
in the OAuth working group we (Derek, and myself) tried to figure out 
whether we should schedule a face-to-face interop and/or to develop an 
online test suite. We got in touch with Lucy Lynch (ISOC) and she helped 
us to find developers to work with us on the test software.

Roland Hedberg, one of the guys working on the project for OAuth 
testing, presented his ongoing work in the OAuth working group, see
http://www.ietf.org/proceedings/86/slides/slides-86-oauth-2.pdf

OAuth is a bit more complex since it involves more than two parties and 
we were looking for a test framework that could be re-used to develop 
the desired results more quickly. To our surprise we couldn't find 
a test framework that we could easily re-use since most test frameworks 
really focus on different types of tests. Of course, we might 
have looked in the wrong direction.

Here is how it works at the moment:
* Imagine you have developed an OAuth-based identity management server 
(that contains an OAuth 2.0 authorization server) and it runs somewhere 
on the Internet (or in your lab). You don't need to have access to the 
source code to execute the tests.
* You download the scripts that Roland & Co had developed and configure 
them. Of course you will have to create an account at your IdP as well.
* You run the test scripts against the authorization server and the 
script plays the other OAuth 2.0 parties in the exchange. The script contains a number 
of test cases (around 60+ at the moment) and determines whether the IdP 
responds correctly in the exchanges.

I know that these ideas have come up in other working groups in the past 
already (such as in SCIM, which also has a test server up and 
running).

It would be interesting to hear what others have been doing and what 
worked for you or what didn't.

Ciao
Hannes



-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCgAGBQJRzb+vAAoJEGhJURNOOiAtZBwIAISKHjD7gv8irkL4yaBR31K8
KLZCr/1n0n1OcXl3rE9MFOyA85hYNplZFd1giJLLgEX3UyofYXg/L2QOOLqtP0lT
JgnW2CvR0WWKfIT1iKjAwAodCVLsHF8MdPE4tl0LBlCeqhA1waj/oCLkBzZrrhhq
oWnZzP0I9nFdlSxV9EAHQ62RAxLUVQmBEqgMxl7A+iC9fGD8IhWSNSqqsaF0WOaB
6bHdwCFLYYAyqKhiuJAo/f6YFGEzIbPgpHPGjwBZzBIjwP/EGiFnAliyF8WATHzF
RM+OWg6QASh1cNwzc0dbMcrcr1L1ve7amATMc4uPN7sRjhv0s62iguWfGRhQhHw=
=YT5M
-----END PGP SIGNATURE-----





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]