2. @justin__richer
Who am I?
• Independent consultant in Boston, USA
• Direct contributor to OAuth2 and OIDC
• Editor of OAuth RFCs 7591, 7592, and 7662
• Software architect for Authlete and Fintechlabs
• Author of OAuth2 In Action
10.
[Diagram: OpenID Connect flow between the End User, the Relying Party (Application) and the Identity Provider with its Identity Profile API. Labelled edges: the End User has a session at the Relying Party; the End User's Credentials and Authorization of the Relying Party go to the Identity Provider; the Identity Provider issues an ID Token and Access Token to the Relying Party; the Access Token is presented to the Identity Profile API, which returns User Information.]
11.
Design goals
• Multi-party protocol testing
• Structured configuration
• Structured logging and results
• Deterministic, modular execution units
• Protect sensitive configuration and results data
• Transparent process
12.
We need to handle special cases
• Front-channel requests that may never return
• How things react to intentionally bad requests
– Testing only the happy path leads to a false sense of security
29.
Module
• String a set of conditions together in order
• Manage the state between condition calls
• Determine how condition results map to test results
– E.g., optional conditions can fail in some circumstances
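As an added example, not code from the conformance suite or its author, the following Python sketch shows one way the module model on this slide, together with the special cases from slide 12, can be realised: conditions run in order over a shared environment, a failing optional condition only downgrades the result to a warning, a failing required condition fails the test, and a front-channel wait that may never return is bounded by a timeout and reported as interrupted rather than left hanging. All class names, condition names, result names and the sample callback values are this example's own assumptions.

```python
"""Added example, not code from the conformance suite: a minimal model of a
test module that strings conditions together in order, shares state between
them, maps their outcomes to a test result, and bounds a front-channel wait
that may never return. Every name and sample value here is this example's own."""
import threading
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

Env = Dict[str, object]  # state shared between the conditions of one run


class TestResult(Enum):
    PASSED = "PASSED"
    WARNING = "WARNING"          # an optional condition failed
    FAILED = "FAILED"            # a required condition failed
    INTERRUPTED = "INTERRUPTED"  # a front-channel step never came back


@dataclass
class Condition:
    name: str
    check: Callable[[Env], bool]  # True = condition satisfied
    optional: bool = False        # optional conditions may fail in some circumstances


@dataclass
class Module:
    """Runs its conditions in order against one shared environment dict."""
    name: str
    conditions: List[Condition]
    env: Env = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)

    def run(self) -> TestResult:
        result = TestResult.PASSED
        for cond in self.conditions:
            try:
                ok = cond.check(self.env)
            except TimeoutError as exc:
                self.trace.append(f"{cond.name}: {exc}")
                return TestResult.INTERRUPTED
            self.trace.append(f"{cond.name}: {'ok' if ok else 'failed'}")
            if not ok:
                if not cond.optional:
                    return TestResult.FAILED
                result = TestResult.WARNING  # keep going, but not a clean pass
        return result


def build_module(arrived: threading.Event, callback: Dict[str, str], timeout: float) -> Module:
    """Conditions for one simulated redirect-based flow (constructed checks)."""

    def build_request(env: Env) -> bool:
        env["state"] = "s-8f1a2c"  # constructed stand-in for a random state value
        return True

    def wait_front_channel(env: Env) -> bool:
        # A front-channel request may never return: bound the wait instead of hanging.
        if not arrived.wait(timeout):
            raise TimeoutError("no redirect received within timeout")
        env["callback"] = dict(callback)
        return True

    def state_matches(env: Env) -> bool:
        return env["callback"].get("state") == env["state"]

    def iss_present(env: Env) -> bool:
        return "iss" in env["callback"]  # assumed optional check on the callback

    return Module("callback-checks", [
        Condition("build-request", build_request),
        Condition("wait-front-channel", wait_front_channel),
        Condition("state-matches", state_matches),
        Condition("iss-present", iss_present, optional=True),
    ])


def run_scenario(params: Optional[Dict[str, str]], timeout: float = 0.2) -> TestResult:
    """One simulated run: params is what the browser brings back, None if it never returns."""
    arrived = threading.Event()
    callback: Dict[str, str] = {}
    module = build_module(arrived, callback, timeout)
    if params is not None:
        callback.update(params)
        arrived.set()
    return module.run()


if __name__ == "__main__":
    for scenario in ({"state": "s-8f1a2c", "iss": "https://idp.example"},
                     {"state": "s-8f1a2c"}, {"state": "other"}, None):
        print(scenario, "->", run_scenario(scenario).value)
```

The four scenarios in the `__main__` block cover the cases the slides call out: a clean pass, an optional condition failing (warning), a required condition failing, and a redirect that never arrives, which the bounded wait turns into an explicit interrupted result instead of a hung test.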
30.
Plan
• Allows you to run several related modules with the same configuration
• Tracks history of module run results
32.
Configuration
• Anything the test module needs to run
– Server locations
– Secrets and keys
– Certificates
• Can’t be changed once test starts
• Changes for different tests
• Entirely in JSON
33.
Event log
• Records results as tests run
• Made of many individual entries
– Timestamp, source, data
• Stored in MongoDB
• Entirely in JSON
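As an added example, not the suite's own code, this Python sketch puts the configuration slide (32) and the event log slide (33) together: a JSON configuration that is frozen once the test starts, and an event log whose entries each carry a timestamp, a source and a data payload and must be representable as JSON, held in an in-memory list standing in for the MongoDB collection. Redacting secret-looking keys before an entry is stored is this example's assumption in the spirit of the "protect sensitive configuration and results data" design goal, not something the slides describe; the sample configuration values, the `SENSITIVE_KEYS` list and the entry field names are all constructed here.

```python
"""Added example, not the conformance suite's own code: a JSON configuration
that is frozen once the test starts, and an event log whose entries carry a
timestamp, a source and a data payload, each representable as JSON. Redacting
secret-looking keys before an entry is stored is this example's assumption."""
import json
from collections.abc import Mapping
from datetime import datetime, timezone
from types import MappingProxyType
from typing import Any, Dict, List

# Constructed sample configuration: the categories (server locations,
# secrets and keys, certificates) follow the slide; the values are made up.
SAMPLE_CONFIG_JSON = """
{
  "server": {"issuer": "https://idp.example",
             "token_endpoint": "https://idp.example/token"},
  "client": {"client_id": "conformance-client",
             "client_secret": "constructed-secret"},
  "mtls": {"cert": "-----BEGIN CERTIFICATE-----\\nconstructed\\n-----END CERTIFICATE-----"}
}
"""

SENSITIVE_KEYS = frozenset({"client_secret", "private_key", "cert"})  # assumed list


def freeze(obj: Any) -> Any:
    """Wrap every dict in a read-only proxy so nothing can change the config mid-test."""
    if isinstance(obj, dict):
        return MappingProxyType({k: freeze(v) for k, v in obj.items()})
    if isinstance(obj, list):
        return tuple(freeze(v) for v in obj)
    return obj


def load_config(text: str) -> Mapping:
    return freeze(json.loads(text))


def redact(obj: Any) -> Any:
    """Copy a value for logging, replacing the values of sensitive keys."""
    if isinstance(obj, Mapping):
        return {k: "[REDACTED]" if k in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    return obj


class EventLog:
    """In-memory stand-in for the MongoDB collection; one JSON document per entry."""

    def __init__(self, test_id: str) -> None:
        self.test_id = test_id
        self.entries: List[Dict[str, Any]] = []

    def log(self, source: str, **data: Any) -> Dict[str, Any]:
        entry = {
            "testId": self.test_id,
            "time": datetime.now(timezone.utc).isoformat(),
            "src": source,
            "data": redact(data),
        }
        json.dumps(entry)  # fail fast if an entry is not JSON-representable
        self.entries.append(entry)
        return entry

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo() -> EventLog:
    config = load_config(SAMPLE_CONFIG_JSON)
    log = EventLog("constructed-test-id")
    log.log("config-loaded", config=config)
    try:
        config["client"]["client_secret"] = "changed"  # must be rejected once running
    except TypeError:
        log.log("config-immutable", attempted="client.client_secret")
    log.log("token-request",
            endpoint=config["server"]["token_endpoint"],
            client_secret=config["client"]["client_secret"])
    return log


if __name__ == "__main__":
    print(demo().to_json())
```

Running `demo()` produces three entries: the loaded configuration with its secret and certificate values replaced, a record that an attempted in-flight change to the configuration was rejected, and a token request entry whose secret is likewise redacted while the endpoint remains readable.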
36.
Open source
• Publicly available on GitLab
• Code can be fully audited (no black boxes)
• Enhancements from several groups to date
• Contributions are welcome!