Synapse OAuth2/OIDC Compliance Validation
The OpenID Foundation hosts a conformance suite for verifying that an implementation conforms to the OAuth 2.0 and OpenID Connect specifications. The suite is available at https://www.certification.openid.net/. This document describes how to validate that the following are spec compliant:
Synapse backend OAuth2/OIDC services
Synapse OAuth Signin app (signin.synapse.org)
Certification was originally completed in PLFM-6408.
To re-validate the services,
Go to https://www.certification.openid.net/ and log in with a Google account
Click “Create a new Test Plan”
Choose the test plan “OpenID Connect Core: Basic Certification Profile Authorization Server Test”
Configure the test plan using the OAuth Clients created to validate these services:
Configuring a test plan for Production
The production services can be configured using the discovery document.
For Server metadata location, select discovery
For Client Registration Type, select static_client
Configure the test plan with this JSON document, then fill in the secrets using credentials found in LastPass:
{
"consent": {},
"alias": "Synapse",
"description": "Synapse-Production",
"server": {
"discoveryUrl": "https://repo-prod.prod.sagebase.org/auth/v1/.well-known/openid-configuration"
},
"client": {
"client_id": "100060",
"client_secret": "<replace-with-secret>"
},
"client2": {
"client_id": "100061",
"client_secret": "<replace-with-secret>"
},
"client_secret_post": {
"client_id": "100060",
"client_secret": "<replace-with-secret>"
}
}
Configuring a test plan for Staging
Because the discovery document references only the production services, the staging test plan cannot use discovery and must be configured manually with static server metadata.
For Server metadata location, select static
For Client Registration Type, select static_client
Configure the test plan with this JSON document, then fill in the secrets using credentials found in LastPass:
{
"consent": {},
"alias": "Synapse",
"description": "Synapse-Staging",
"server": {
"issuer": "https://repo-staging.prod.sagebase.org/auth/v1",
"jwks_uri": "https://repo-staging.prod.sagebase.org/auth/v1/oauth2/jwks",
"authorization_endpoint": "https://staging-signin.synapse.org",
"token_endpoint": "https://repo-staging.prod.sagebase.org/auth/v1/oauth2/token",
"userinfo_endpoint": "https://repo-staging.prod.sagebase.org/auth/v1/oauth2/userinfo"
},
"client": {
"client_id": "100060",
"client_secret": "<replace-with-secret>"
},
"client_secret_post": {
"client_id": "100060",
"client_secret": "<replace-with-secret>"
},
"client2": {
"client_id": "100061",
"client_secret": "<replace-with-secret>"
}
}
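A pre-flight check for the two test-plan configurations above, added here as an example; it is not part of the Synapse project or of the conformance suite. It assumes a test-plan JSON in the shape shown above and an OpenID discovery document loaded as a Python dict. The STACK_HOSTS map and the MIXED_DISCOVERY sample are constructed for illustration (a discovery document served under the staging issuer but advertising production endpoints, which is the failure mode that forces the static configuration); they are not captured responses.

```python
# Pre-flight checks for an OpenID conformance test-plan config (added example,
# not Synapse project code). Run it over the JSON before pasting it into the
# certification UI to catch a placeholder secret, a non-HTTPS endpoint, or a
# discovery document that would make the suite test the wrong stack.
import json
from urllib.parse import urlparse

PLACEHOLDER = "<replace-with-secret>"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "jwks_uri", "userinfo_endpoint")
WELL_KNOWN = "/.well-known/openid-configuration"

# Hosts that belong to each stack (assumption taken from the configs above).
STACK_HOSTS = {
    "production": {"repo-prod.prod.sagebase.org", "signin.synapse.org"},
    "staging": {"repo-staging.prod.sagebase.org", "staging-signin.synapse.org"},
}


def unfilled_secrets(plan: dict) -> list[str]:
    """Names of client blocks whose client_secret is missing or still the placeholder."""
    return sorted(
        name for name, block in plan.items()
        if isinstance(block, dict) and "client_id" in block
        and block.get("client_secret") in (None, "", PLACEHOLDER)
    )


def check_static_server(server: dict) -> list[str]:
    """Problems in a static 'server' block: missing issuer/endpoints, non-HTTPS URLs."""
    problems = []
    if not server.get("issuer", "").startswith("https://"):
        problems.append("issuer missing or not https")
    for key in REQUIRED_ENDPOINTS:
        url = server.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    return problems


def discovery_url(issuer: str) -> str:
    """Discovery URL derived from an issuer, as in OpenID Connect Discovery 1.0 section 4."""
    return issuer.rstrip("/") + WELL_KNOWN


def off_stack_endpoints(discovery: dict, allowed_hosts: set[str]) -> dict[str, str]:
    """Fields of a discovery document whose host is not part of the stack under test.

    Returns {field: host}. A non-empty result means 'discovery' server metadata
    would exercise another stack, so the plan must use static metadata instead.
    """
    off = {}
    for key in ("issuer",) + REQUIRED_ENDPOINTS:
        url = discovery.get(key)
        if url:
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                off[key] = host
    return off


# Constructed sample inputs (illustration only, not captured responses).
STAGING_PLAN = json.loads("""{
  "alias": "Synapse", "description": "Synapse-Staging",
  "server": {
    "issuer": "https://repo-staging.prod.sagebase.org/auth/v1",
    "jwks_uri": "https://repo-staging.prod.sagebase.org/auth/v1/oauth2/jwks",
    "authorization_endpoint": "https://staging-signin.synapse.org",
    "token_endpoint": "https://repo-staging.prod.sagebase.org/auth/v1/oauth2/token",
    "userinfo_endpoint": "https://repo-staging.prod.sagebase.org/auth/v1/oauth2/userinfo"
  },
  "client": {"client_id": "100060", "client_secret": "<replace-with-secret>"},
  "client_secret_post": {"client_id": "100060", "client_secret": "filled-in"},
  "client2": {"client_id": "100061", "client_secret": "<replace-with-secret>"}
}""")

MIXED_DISCOVERY = {  # staging issuer, production endpoints: a constructed case
    "issuer": "https://repo-staging.prod.sagebase.org/auth/v1",
    "authorization_endpoint": "https://signin.synapse.org",
    "token_endpoint": "https://repo-prod.prod.sagebase.org/auth/v1/oauth2/token",
    "jwks_uri": "https://repo-prod.prod.sagebase.org/auth/v1/oauth2/jwks",
    "userinfo_endpoint": "https://repo-prod.prod.sagebase.org/auth/v1/oauth2/userinfo",
}


def main() -> None:
    print("unfilled secrets:", unfilled_secrets(STAGING_PLAN))
    print("static server problems:", check_static_server(STAGING_PLAN["server"]))
    print("discovery URL:", discovery_url(STAGING_PLAN["server"]["issuer"]))
    print("off-stack fields:", off_stack_endpoints(MIXED_DISCOVERY, STACK_HOSTS["staging"]))


if __name__ == "__main__":
    main()
```

Run it against the actual discovery document of the stack you intend to test (fetched separately) before choosing discovery mode; if off_stack_endpoints reports anything, use the static configuration as in the staging section. Keep the filled-in secrets out of any screenshots attached to the ticket.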
Running the tests
Follow the test plan UI to complete validation, capturing and attaching screenshots as needed. Note that Synapse does not implement all optional or suggested features of OIDC, so some tests are expected not to pass. Compare the results against a previously completed test plan (below) to confirm that any failures are pre-existing and not regressions.
Record of Results
| Link | Date | Stack | Test Version | Notes |
|---|---|---|---|---|
| https://www.certification.openid.net/plan-detail.html?plan=7UtKbbbsiZfOL&public=true | May 26, 2021 | Production | 4.1.11 | |
| https://www.certification.openid.net/plan-detail.html?plan=PylBIRaCwRN23&public=true | Aug 10, 2022 | Staging | 5.0.0 | Verify no regressions caused by changes for PORTALS-2267 |