
TCK Challenge: openid2 & openid3 need to use TLS endpoint instead of HTTP

Open brideck opened this issue 3 years ago • 2 comments

Challenged Tests:
ee.jakarta.tck.security.test.OpenId2DefaultIT#testOpenIdConnect
ee.jakarta.tck.security.test.OpenId3DefaultIT#testOpenIdConnect

TCK Version: Jakarta Security TCK 3.0.0

Tested Implementation: Open Liberty

Description: Section 5.3 of the OpenID Connect specification states "Communication with the UserInfo Endpoint MUST utilize TLS," but the OpenID Connect tests in the Security TCK that use Tomcat/Mitre configure it to only have an HTTP endpoint.

When testing with Open Liberty any attempt to authenticate using the OpenID Connect server is accordingly rejected with the following:

io.openliberty.security.oidcclientcore.exceptions.UserInfoEndpointNotHttpsException: CWWKS2418W: The OpenID Connect client
encountered the following error when it sent a request to the [http://localhost:8081/openid-connect-server-webapp/userinfo]
User Info URL of the OpenID Connect provider: CWWKS2402E: The http://localhost:8081/openid-connect-server-webapp/userinfo
endpoint URL that is configured for the {1} OpenID Connect client does not use the HTTPS protocol, but HTTPS is required.

The test configuration needs to be updated to use a TLS endpoint so that the scenario meets the requirements of the OpenID Connect specification.

brideck avatar Oct 21 '22 19:10 brideck

Sounds valid, and good catch. Always a pity those things are never found before the release of the TCK, but better late than never.

arjantijms avatar Oct 24 '22 14:10 arjantijms

@arjantijms will look into the Tomcat configuration and then @brideck will retest. Alternative solution: introduce a proxy (using servlet) to use https instead of http (update the pom.xml).

Emily-Jiang avatar Nov 08 '22 16:11 Emily-Jiang

@brideck one thing to consider when using TLS is that we need to set a certificate for Tomcat to send, and therefore the truststore of the server under test has to contain this certificate. This is however server dependent. We can probably add a small SPI for this, but it's an extra step beyond just changing Tomcat to use https.

arjantijms avatar Dec 08 '22 23:12 arjantijms
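As an added illustration of the two points raised in this thread (the HTTPS requirement the issue reports, and the certificate trust that the last comment notes), the following Java class is example code written for this page. It is not Open Liberty's, the TCK's, or MITREid Connect's code; the class, method and exception names, the sample endpoint map and the truststore arguments are assumptions for illustration. The first part is the scheme check a conforming client applies before contacting a provider endpoint (OpenID Connect Core 1.0 requires TLS for the authorization, token and UserInfo endpoints in sections 3.1.2.1, 3.1.3.1 and 5.3); the second part builds an SSLContext from a PKCS12 truststore holding the certificate a TLS-enabled Tomcat would present.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example for this page; names are assumptions, not Open Liberty or TCK code.
public final class OidcEndpointPolicy {

    // Constructed sample: endpoints as a client would read them from provider
    // metadata, mirroring the HTTP-only Tomcat/MITREid deployment the issue describes.
    static final Map<String, String> SAMPLE_HTTP_ENDPOINTS = Map.of(
        "authorization_endpoint", "http://localhost:8081/openid-connect-server-webapp/authorize",
        "token_endpoint", "http://localhost:8081/openid-connect-server-webapp/token",
        "userinfo_endpoint", "http://localhost:8081/openid-connect-server-webapp/userinfo");

    // Constructed sample: the same provider behind a TLS connector (port is an assumption).
    static final Map<String, String> SAMPLE_HTTPS_ENDPOINTS = Map.of(
        "authorization_endpoint", "https://localhost:8443/openid-connect-server-webapp/authorize",
        "token_endpoint", "https://localhost:8443/openid-connect-server-webapp/token",
        "userinfo_endpoint", "https://localhost:8443/openid-connect-server-webapp/userinfo");

    /** Raised when an endpoint that the spec requires to be reached over TLS is not https. */
    public static final class EndpointNotHttpsException extends RuntimeException {
        public EndpointNotHttpsException(String name, URI uri) {
            super("The " + uri + " endpoint URL configured as " + name
                + " does not use the HTTPS protocol, but HTTPS is required.");
        }
    }

    /** True iff the URI scheme is https; scheme comparison is case-insensitive per RFC 3986. */
    public static boolean isHttps(URI uri) {
        return uri.getScheme() != null && uri.getScheme().equalsIgnoreCase("https");
    }

    /** Parses one endpoint URL and rejects it unless it uses TLS. */
    public static URI requireHttps(String name, String url) {
        URI uri = URI.create(url);
        if (!isHttps(uri)) {
            throw new EndpointNotHttpsException(name, uri);
        }
        return uri;
    }

    /** Checks every endpoint the client will contact; fails on the first non-TLS one. */
    public static void validate(Map<String, String> endpoints) {
        endpoints.forEach(OidcEndpointPolicy::requireHttps);
    }

    /**
     * Builds an SSLContext that trusts only the certificates in the given PKCS12
     * truststore, e.g. the self-signed certificate exported from the Tomcat keystore.
     * The resulting context can be passed to java.net.http.HttpClient.newBuilder().sslContext(...)
     * for the UserInfo call.
     */
    public static SSLContext trustStoreContext(Path trustStore, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The HTTP-only configuration is rejected, as Open Liberty does in the issue.
        try {
            validate(SAMPLE_HTTP_ENDPOINTS);
            System.out.println("unexpected: http endpoints accepted");
        } catch (EndpointNotHttpsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The TLS configuration passes the scheme check.
        validate(SAMPLE_HTTPS_ENDPOINTS);
        System.out.println("https endpoints accepted");

        // Optional: java OidcEndpointPolicy trust.p12 [password] loads the truststore
        // containing Tomcat's certificate and reports the negotiated protocol name.
        if (args.length > 0) {
            char[] pw = args.length > 1 ? args[1].toCharArray() : new char[0];
            SSLContext ctx = trustStoreContext(Path.of(args[0]), pw);
            System.out.println("truststore loaded, SSLContext protocol: " + ctx.getProtocol());
        }
    }
}
```

The scheme check is deliberately the only thing that decides acceptance: passing the scheme check says nothing about whether the client will trust the certificate Tomcat sends, which is the server-dependent part the last comment refers to. For a local TCK run the usual pairing is a self-signed key pair generated with `keytool -genkeypair` (with `-ext SAN=dns:localhost` so hostname verification of `localhost` succeeds) into the PKCS12 keystore referenced by Tomcat's TLS connector, the certificate exported with `keytool -exportcert`, and that certificate imported with `keytool -importcert` into the truststore handed to `trustStoreContext`.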