jakartaee/security

TCK Challenge: openid2 & openid3 need to use TLS endpoint instead of HTTP

brideck opened this issue · 3 comments

Challenged Tests:
ee.jakarta.tck.security.test.OpenId2DefaultIT#testOpenIdConnect
ee.jakarta.tck.security.test.OpenId3DefaultIT#testOpenIdConnect

TCK Version:
Jakarta Security TCK 3.0.0

Tested Implementation:
Open Liberty

Description:
Section 5.3 of the OpenID Connect specification states "Communication with the UserInfo Endpoint MUST utilize TLS," but the OpenId Connect tests in the Security TCK that use Tomcat/Mitre configure it to only have an HTTP endpoint.

When testing with Open Liberty any attempt to authenticate using the OpenID Connect server is accordingly rejected with the following:

io.openliberty.security.oidcclientcore.exceptions.UserInfoEndpointNotHttpsException: CWWKS2418W: The OpenID Connect client
encountered the following error when it sent a request to the [http://localhost:8081/openid-connect-server-webapp/userinfo]
User Info URL of the OpenID Connect provider: CWWKS2402E: The http://localhost:8081/openid-connect-server-webapp/userinfo
endpoint URL that is configured for the {1} OpenID Connect client does not use the HTTPS protocol, but HTTPS is required.

The test configuration needs to be updated to use a TLS endpoint so that the scenario meets the requirements of the OpenID Connect specification.
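The rule Open Liberty applies in the error above (every advertised endpoint, the UserInfo Endpoint in particular, must use HTTPS) can be checked against a provider's discovery metadata before a relying party ever sends a token to it. The following is an added example, not code from the Jakarta Security TCK, Open Liberty or MITREid Connect; the metadata documents are constructed, only the `/userinfo` URL is taken from the issue, and the other paths and the `8443` port are assumptions.

```python
"""Added example: validate that an OpenID Connect provider's metadata only
advertises HTTPS endpoints, mirroring the check Open Liberty enforces."""
import json
from urllib.parse import urlparse

# Discovery-document keys whose URLs a relying party contacts. Section 5.3 of
# OpenID Connect Core requires TLS for the UserInfo Endpoint; the others carry
# credentials, tokens or signing keys and are held to the same standard here.
ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "jwks_uri")


def find_non_https_endpoints(metadata: dict) -> list:
    """Return (key, url) pairs whose URL scheme is not https.

    Missing keys are skipped so the caller can decide which endpoints its
    flow needs. A scheme-less or relative URL is reported as a violation,
    since a client resolving it could end up on plain HTTP.
    """
    violations = []
    for key in ENDPOINT_KEYS:
        url = metadata.get(key)
        if url is None:
            continue
        if urlparse(url).scheme.lower() != "https":
            violations.append((key, url))
    return violations


def check_provider_metadata(raw_json: str) -> list:
    """Parse a discovery document and return one finding per HTTP endpoint."""
    metadata = json.loads(raw_json)
    return [f"{key} does not use HTTPS: {url}"
            for key, url in find_non_https_endpoints(metadata)]


# Constructed sample: the HTTP-only layout the issue describes. The host,
# port and /userinfo path come from the quoted error; the remaining paths
# are assumptions for illustration.
SAMPLE_HTTP_ONLY = json.dumps({
    "issuer": "http://localhost:8081/openid-connect-server-webapp/",
    "authorization_endpoint": "http://localhost:8081/openid-connect-server-webapp/authorize",
    "token_endpoint": "http://localhost:8081/openid-connect-server-webapp/token",
    "userinfo_endpoint": "http://localhost:8081/openid-connect-server-webapp/userinfo",
    "jwks_uri": "http://localhost:8081/openid-connect-server-webapp/jwk",
})

# Constructed sample: the same provider once Tomcat serves it over TLS
# (port 8443 is a hypothetical choice).
SAMPLE_TLS = json.dumps({
    "issuer": "https://localhost:8443/openid-connect-server-webapp/",
    "authorization_endpoint": "https://localhost:8443/openid-connect-server-webapp/authorize",
    "token_endpoint": "https://localhost:8443/openid-connect-server-webapp/token",
    "userinfo_endpoint": "https://localhost:8443/openid-connect-server-webapp/userinfo",
    "jwks_uri": "https://localhost:8443/openid-connect-server-webapp/jwk",
})

if __name__ == "__main__":
    for name, doc in (("http-only", SAMPLE_HTTP_ONLY), ("tls", SAMPLE_TLS)):
        findings = check_provider_metadata(doc)
        print(name, "->", findings or "all endpoints use HTTPS")
```

Run against the HTTP-only document it reports all five endpoints, which is the situation the TCK's Tomcat setup currently produces; against the TLS document it reports nothing. Switching the scheme alone is not the whole fix, as the thread goes on to note: the server under test must also trust the certificate Tomcat presents.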

Sounds valid, and good catch. Always a pity those things are never found before the release of the TCK, but better late than never.

@arjantijms will look into the Tomcat configuration and then @brideck will retest. Alternative solution: introduce a proxy (using servlet) to use https instead of http (update the pom.xml).

@brideck one thing to consider when using TLS is that we need to set a certificate for Tomcat to send, and therefore the truststore of the server under test has to have this certificate. This is however server dependent. We can probably add a small SPI for this, but it's an extra step beyond just changing Tomcat to use https.