
Synapse OAuth2/OIDC Compliance Validation

The OpenID Foundation provides a set of tools to verify that an implementation conforms to the OAuth2 and OIDC specifications. The tools can be found at https://www.certification.openid.net/. This document describes how to validate that the following are spec compliant:

Certification was originally completed in PLFM-6408.

To re-validate the services,

  1. Go to https://www.certification.openid.net/ and log in with a Google account

  2. Click “Create a new Test Plan”

  3. Choose the test plan “Open ID Connect Core: Basic Certification Profile Authorization Server Test”

  4. Configure the test plan using the OAuth Clients created to validate these services:

Configuring a test plan for Production

The production services can be configured using the discovery document.

For Server metadata location, select discovery

For Client Registration Type, select static_client

Configure the test plan with this JSON document, then fill in the secrets using credentials found in LastPass:

{
  "consent": {},
  "alias": "Synapse",
  "description": "Synapse-Production",
  "server": {
    "discoveryUrl": "https://repo-prod.prod.sagebase.org/auth/v1/.well-known/openid-configuration"
  },
  "client": {
    "client_id": "100060",
    "client_secret": "<replace-with-secret>"
  },
  "client2": {
    "client_id": "100061",
    "client_secret": "<replace-with-secret>"
  },
  "client_secret_post": {
    "client_id": "100060",
    "client_secret": "<replace-with-secret>"
  }
}

Configuring a test plan for Staging

Because the discovery document only references production services, the test plan must be manually configured.

For Server metadata location, select static

For Client Registration Type, select static_client

Configure the test plan with this JSON document, then fill in the secrets using credentials found in LastPass:

{
  "consent": {},
  "alias": "Synapse",
  "description": "Synapse-Staging",
  "server": {
    "issuer": "https://repo-staging.prod.sagebase.org/auth/v1",
    "jwks_uri": "https://repo-staging.prod.sagebase.org/auth/v1/oauth2/jwks",
    "authorization_endpoint": "https://staging-signin.synapse.org",
    "token_endpoint": "https://repo-staging.prod.sagebase.org/auth/v1/oauth2/token",
    "userinfo_endpoint": "https://repo-staging.prod.sagebase.org/auth/v1/oauth2/userinfo"
  },
  "client": {
    "client_id": "100060",
    "client_secret": "<replace-with-secret>"
  },
  "client_secret_post": {
    "client_id": "100060",
    "client_secret": "<replace-with-secret>"
  },
  "client2": {
    "client_id": "100061",
    "client_secret": "<replace-with-secret>"
  }
}
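The two test-plan configurations above differ only in whether the conformance suite reads the server metadata from the discovery document or from a hand-written static block. The script below is an added example (not part of this page or the Synapse code base) that sanity-checks a discovery document before a test run, including the OIDC Discovery rule that the issuer must match the URL the document was fetched from (the check that fails when a discovery document points at a different stack), and then emits the static-server test-plan JSON with secrets left as placeholders. The sample discovery document is constructed from the staging endpoints listed above; the function names are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document (not fetched from the live service);
# its values mirror the staging endpoints in the static test-plan JSON above.
STAGING_ISSUER = "https://repo-staging.prod.sagebase.org/auth/v1"
STAGING_DISCOVERY_URL = STAGING_ISSUER + "/.well-known/openid-configuration"
SAMPLE_DISCOVERY = {
    "issuer": STAGING_ISSUER,
    "jwks_uri": STAGING_ISSUER + "/oauth2/jwks",
    "authorization_endpoint": "https://staging-signin.synapse.org",
    "token_endpoint": STAGING_ISSUER + "/oauth2/token",
    "userinfo_endpoint": STAGING_ISSUER + "/oauth2/userinfo",
}
# Server fields the conformance suite's static configuration on this page uses.
SERVER_KEYS = ("issuer", "jwks_uri", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")
SECRET_PLACEHOLDER = "<replace-with-secret>"

def check_discovery(doc, discovery_url):
    """Return a list of problems found in a discovery document; [] means it is usable.
    The issuer check is the one that fails when the document describes a different
    stack than the one it was fetched from."""
    problems = [f"missing {k}" for k in SERVER_KEYS if k not in doc]
    for k in SERVER_KEYS:
        if k in doc and urlparse(doc[k]).scheme != "https":
            problems.append(f"{k} is not https: {doc[k]}")
    issuer = doc.get("issuer", "")
    if issuer:
        parsed = urlparse(issuer)
        if parsed.query or parsed.fragment:
            problems.append("issuer must not contain a query or fragment")
        # OIDC Discovery: the document must live at <issuer>/.well-known/openid-configuration
        if discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
            problems.append(f"issuer {issuer} does not match discovery URL {discovery_url}")
    return problems

def static_test_plan(doc, description, client_id, client2_id):
    """Build the 'static' server-metadata test-plan JSON from a discovery document,
    leaving client secrets as placeholders to be filled in from the password manager."""
    client = lambda cid: {"client_id": cid, "client_secret": SECRET_PLACEHOLDER}
    return {
        "consent": {},
        "alias": "Synapse",
        "description": description,
        "server": {k: doc[k] for k in SERVER_KEYS},
        "client": client(client_id),
        "client_secret_post": client(client_id),
        "client2": client(client2_id),
    }
```

Run `json.dumps(static_test_plan(SAMPLE_DISCOVERY, "Synapse-Staging", "100060", "100061"), indent=2)` to get a document in the same shape as the staging JSON above.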

Running the tests

Follow the test plan UI to complete validation, capturing and attaching screenshots as necessary. Note that Synapse does not implement all optional or suggested features of OIDC, so some tests may not pass. Compare against a previously completed test plan (below) to ensure that any test failures are not regressions.

Record of Results

Link | Date | Stack | Test Version | Notes
https://www.certification.openid.net/plan-detail.html?plan=7UtKbbbsiZfOL&public=true | May 26, 2021 | Production | 4.1.11 | Completed for PLFM-6408
https://www.certification.openid.net/plan-detail.html?plan=PylBIRaCwRN23&public=true | Aug 10, 2022 | Staging | 5.0.0 | Verify no regressions caused by changes for PORTALS-2267