[Openid-specs-ab] Issue #73: OP-OAuth-2nd-Revokes seems broken (openid/certification)

Brian Campbell issues-reply at bitbucket.org
Thu Mar 5 19:05:34 UTC 2015


New issue 73: OP-OAuth-2nd-Revokes seems broken
https://bitbucket.org/openid/certification/issue/73/op-oauth-2nd-revokes-seems-broken

Brian Campbell:

I get Result FAILED and the test seems to stop when an error is returned from the second access token request to the token endpoint with the same code. That error is supposed to happen AFAICT, and this test is supposed to try the access token obtained from the first code exchange at the user info endpoint. We should get a warning here, not a failure.


```
#!text


Test info
Profile: {'profile': 'C', 'sub': 'none', 'register': False, 'discover': True, 'extra': False}
Test ID: OP-OAuth-2nd-Revokes
Issuer: https://gold.pinglabs.net
Test output


__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
[-]
	status: ERROR
	info: {'error_description': u'Authorization code is invalid or expired.', 'error': u'invalid_grant'}

Trace output


0.000264 ------------ DiscoveryRequest ------------
0.000273 Provider info discover from 'https://gold.pinglabs.net/'
0.000279 --> URL: https://gold.pinglabs.net/.well-known/openid-configuration
0.308293 ProviderConfigurationResponse: {
  "authorization_endpoint": "https://gold.pinglabs.net/as/authorization.oauth2",
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": false,
  "claims_supported": [
    "address",
    "birthdate",
    "email",
    "email_verified",
    "family_name",
    "gender",
    "given_name",
    "locale",
    "middle_name",
    "name",
    "nickname",
    "phone_number",
    "picture",
    "preferred_username",
    "profile",
    "sub",
    "website",
    "zoneinfo"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
  ],
  "issuer": "https://gold.pinglabs.net",
  "jwks_uri": "https://gold.pinglabs.net/pf/JWKS",
  "ping_end_session_endpoint": "https://gold.pinglabs.net/idp/startSLO.ping",
  "ping_revoked_sris_endpoint": "https://gold.pinglabs.net/pf-ws/rest/sessionMgmt/revokedSris",
  "registration_endpoint": "https://gold.pinglabs.net/idp/client-registration.openid",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": true,
  "response_modes_supported": [
    "fragment",
    "query",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token"
  ],
  "revocation_endpoint": "https://gold.pinglabs.net/as/revoke_token.oauth2",
  "scopes_supported": [
    "product",
    "phone",
    "pingone-native-application",
    "email",
    "address",
    "admin",
    "edit",
    "openid",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://gold.pinglabs.net/as/token.oauth2",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "userinfo_endpoint": "https://gold.pinglabs.net/idp/userinfo.openid",
  "version": "3.0"
}
0.597090 JWKS: {
  "keys": [
    {
      "crv": "P-521",
      "kid": "f80st",
      "kty": "EC",
      "use": "sig",
      "x": "AK2REJpgFwKoWTu-6QYaSQTCRg08UnhgI-vr6mIgNX-enTAcv26sOP4vIXwTdIB7LklAV3h1072QvGHgiPFYJsg5",
      "y": "AEzJoN5JN8fpFu93FpNHPxkqFiEaPn7rhvaMNmGXJzj-3zliFU_g2yFqLppC1lTf1Un1o-mnd0vvQVgrflwZjSI8"
    },
    {
      "crv": "P-384",
      "kid": "f80su",
      "kty": "EC",
      "use": "sig",
      "x": "L5VGrkEWu2RhkDkXtQr5DAfqSxza3COTI8Tca7hb31BFk1c5nYkZdE0F5OP4nw_G",
      "y": "y8aD3F2jJF3qlthuYsANfHwhnUw-9YTbtLsNaHvop4fxGzb9Ra-yhNF0jfHtgYll"
    },
    {
      "crv": "P-256",
      "kid": "f80sv",
      "kty": "EC",
      "use": "sig",
      "x": "BHiXkFQUaUjiX62-OU9UtQpwni5_ef_0eC7FlOzoutY",
      "y": "WfTfWE9Ns31RiiBivWohmSnBKTF1bHndk--gErZDqOY"
    },
    {
      "e": "AQAB",
      "kid": "f80sw",
      "kty": "RSA",
      "n": "grO1Q2_XEaknnQzLCDAVYe4spCQMbolNBbqTtwfRCOhS2w4o2NiIvYM5_PDR7jiEWiFC0blgR_eddopxpQrmUy60zbYelzD6byxRa29-PnQgjeJZO2o8QbSCkRRORidZI9MAGsPwfl80f9UBZT0pmlkbEdhlgGPk7b-v_KKseIDTN-lJL9-Jxgbr9XpNoUNEl8k5zpPLLfcmpy5rwa29Ch9m2OAMcxn3xb7hR9toyw8R_ULL7Rd9JGQlxcmnrsL_ah7jSCF-ObVV-CC53QpLjlpTjGDygok_zi5OpOBKHIIIcEOu5tJFm-jCnMTd-2SymcjmHOQTnedmU27nMz5hPw",
      "use": "sig"
    },
    {
      "crv": "P-521",
      "kid": "f80sx",
      "kty": "EC",
      "use": "sig",
      "x": "Aez5kFxe9_mnG4umHdcgJLLsCW308D0n3P3-8DqiKh1NnFvBjsP04rZpDTTw-_N7j0JJFx0dQNRArTywdmsdsbu9",
      "y": "AYyIXt3ZqZxUvZskSpCwgLjnjqEuQZuyVgd35dayB77-To-14sIEA0fd00rp1yB1yzcoMXcITgawgOy9UWMXByoW"
    },
    {
      "crv": "P-384",
      "kid": "f80sy",
      "kty": "EC",
      "use": "sig",
      "x": "O1mLea6k0ykLm1wWxvIWZUzUzJC91h8Ex6_jPAv5dnI6qoKXFTL90R-u-hl93VJ6",
      "y": "ckBiXpdnnp_CbuCPJuLGPG4G--dyeqV_WHZ6kIBQQJqPVlTD0k_qEmWsI2GxwyKz"
    },
    {
      "crv": "P-256",
      "kid": "f80sz",
      "kty": "EC",
      "use": "sig",
      "x": "NXwMQZJRzPDtSVbDT_I8S7s_Y59UFR6cQw5jWOntTwg",
      "y": "j2FJO6YSshDt8W0jM-WBeKZfwY28LLN0Nlu0KM2wc4Y"
    },
    {
      "e": "AQAB",
      "kid": "f80t0",
      "kty": "RSA",
      "n": "t3W3gGCC1X_7X-wIH8OszWvyGJkjXBBebH2csCPws7IsMqLy1Zez8qhNHrdnRDlsOLnuvOIzM2GTDa_iV29btN3CFd3TSjC74LsP2Z_jO41ajkW5YevV87gRgPB1_mHE4dzbFBqt24v1u90Pxv68ZpXX2EekVvpMEqIZwtZJApWBTWL_ovzp-Cyy0p4OG3SxEIM63Hs_2YT0Vlc5RvpJYwMSrQsRojdHvJUEWa2HLDSHUBSytWQKg2g2SJ97Wc4yLWNQ6gTN2IN0UHq3n_x82xmM4_M-c5yt3pVZwNFnFIPkscnIQtaRBUFbabyFMKMS9idvZTLhVq53pHAL3epDMQ",
      "use": "sig"
    },
    {
      "crv": "P-521",
      "kid": "f80t1",
      "kty": "EC",
      "use": "sig",
      "x": "AKCEcGch57ku9MolqQ1_0RDXi2GCp93SJQiY1gW_p3B-5uS9MpS8_GAwHDIyCH1skS2AI-SVtDzEjPyW9kbomnQ0",
      "y": "AXKxpV0Wr0L-U3_ZIy-y6WzNo1NpAsAotj43NqCQFixIPUaUZxx1yOGLlAOH93AJtRf0h8GJL1vYPIFqxVVZ8vQW"
    },
    {
      "crv": "P-384",
      "kid": "f80t2",
      "kty": "EC",
      "use": "sig",
      "x": "H0HJ3Llc_MtTbNYqrySr6AvlbwZfmezz2_F7ZJcQLil0ihT5yYunKdvkGu67eE0j",
      "y": "kCZmV4Ed-ijHsAQ-cXkfAb6uqXhg2LHJf7mBqRcRj5CtKL9BdJduRX3xhGKWaFyP"
    },
    {
      "crv": "P-256",
      "kid": "f80t3",
      "kty": "EC",
      "use": "sig",
      "x": "dkDYvnKf2NTCOrvsMP3aFnMfKuF2mlMM3jApkiCPO68",
      "y": "5SjBt8pY2kt21hnOHWojXkwEpH5oI57G0_miL0MuS-0"
    },
    {
      "e": "AQAB",
      "kid": "f80t4",
      "kty": "RSA",
      "n": "0NHuJ53xo18FiJVgwlPPKkWoW2rfa3JR7wUsDxmKmk-Blwog_9i0VZe0yYYBEB_G3Kuq1BJ1oEtfx3WTJKhL2D1mFftbOEM_VggmTlZNq-M_7yIhIdoe92L9As___3VHClf_fwysxTj_gTo6JHDHEw0dhExrQH6Jz-GykIDv6MdcoaXGdXJ9-3EwrpsUF1X-9cw1d2rrvr44B2k0v0EBj6fxZ55cF90Ev6-3Q4UMCE6uXnPnzEyNjnMyplHPmaWAfCWHF9wZmlQNmoAX4TrR1dkKITYagjS7B_xKeTli3vNVxkofJ5Ptc2axXoriTv6igGpS75tH7Fzn-PO_A4X7Sw",
      "use": "sig"
    }
  ]
}
0.597777 ------------ AuthorizationRequest ------------
0.598114 --> URL: https://gold.pinglabs.net/as/authorization.oauth2?scope=openid&state=zAIEAMPZxUNHx65O&response_type=code&client_id=__c
0.598121 --> BODY: None
0.833396 <-- state=zAIEAMPZxUNHx65O&code=otXeGyMw4xUMVJA2Ifne_YjHGPoFG2ZGoATY5iNjuyc
0.833651 AuthorizationResponse: {
  "code": "otXeGyMw4xUMVJA2Ifne_YjHGPoFG2ZGoATY5iNjuyc",
  "state": "zAIEAMPZxUNHx65O"
}
0.833942 ------------ AccessTokenRequest ------------
0.834213 --> URL: https://gold.pinglabs.net/as/token.oauth2
0.834218 --> BODY: code=otXeGyMw4xUMVJA2Ifne_YjHGPoFG2ZGoATY5iNjuyc&grant_type=authorization_code
0.834228 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic X19jOjhZaDREZmlpaENZNHNhd1ZoY3FhRFFhbG92bU5tVzFjdGZHRG9OZElOS25SbkMwWnRzMklMdU9GYktnZUR3bW0='}
1.132637 <-- STATUS: 200
1.132676 <-- BODY: {"token_type":"Bearer","expires_in":7200,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImY4MHQwIn0.eyJzdWIiOiJqYnJhZGxleSIsImF1ZCI6Il9fYyIsImp0aSI6IkJQb1NNdlNybWd6T2g3NnVZUm1BbHMiLCJpc3MiOiJodHRwczpcL1wvZ29sZC5waW5nbGFicy5uZXQiLCJpYXQiOjE0MjU1ODE4MzksImV4cCI6MTQyNTU4MjEzOSwiYXV0aF90aW1lIjoxNDI1NTgxNzczfQ.lNCzvtUhttnUTf__7Ji_BN7rhlRhN_tyoowgtDVO2XYUsU4TRue7lGIWut-R8WnpiclgJfFdkzYf7muj1OP5-snhajweXxlfc-n9bBPZAQI8T1qA3dY8yZI_NxypuNTPiZAQMoThWt7KMtl-jKQX1DhuBtv48ihuB5mJbjbyosLWd5HpsPk-A7CpEM_K-jx5u4vd9N1rcCi_nOLa1B4zTi8lFQuuHgKGGHfc0yFWxQFofnhWarz6BOq40DKd7U6BmDrDBgn_oanplUHBzCPqkv0Odrd5XrnOQfdtyMRemvLVDKy1hl7Z5ANXBmiqZn5rEnA4SAbZbn_1bfxYp--hww","access_token":"RLz46LSrXgv4FSaCvp2CsCsa6BS7"}

1.463508 AccessTokenResponse: {
  "access_token": "RLz46LSrXgv4FSaCvp2CsCsa6BS7",
  "expires_in": 7200,
  "id_token": {
    "aud": [
      "__c"
    ],
    "auth_time": 1425581773,
    "exp": 1425582139,
    "iat": 1425581839,
    "iss": "https://gold.pinglabs.net",
    "jti": "BPoSMvSrmgzOh76uYRmAls",
    "sub": "jbradley"
  },
  "token_type": "Bearer"
}
1.464825 ------------ AccessTokenRequest ------------
1.465158 --> URL: https://gold.pinglabs.net/as/token.oauth2
1.465164 --> BODY: code=otXeGyMw4xUMVJA2Ifne_YjHGPoFG2ZGoATY5iNjuyc&grant_type=authorization_code
1.465174 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic X19jOjhZaDREZmlpaENZNHNhd1ZoY3FhRFFhbG92bU5tVzFjdGZHRG9OZElOS25SbkMwWnRzMklMdU9GYktnZUR3bW0='}
1.731834 <-- STATUS: 400
1.731952 ErrorResponse: {
  "error": "invalid_grant",
  "error_description": "Authorization code is invalid or expired."
}
1.733435 [ERROR] ErrorResponse:{'error_description': u'Authorization code is invalid or expired.', 'error': u'invalid_grant'}

Result
FAILED

```
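
Added example, not part of the original message or of the certification test suite: a sketch of the check flow the report describes, where the `invalid_grant` on the replayed code is treated as the expected outcome and the verdict depends on whether the first access token still works at the userinfo endpoint. RFC 6749 section 4.1.2 says a reused code MUST be denied and previously issued tokens SHOULD be revoked, which is why a surviving token maps to a warning. `ToyOP` and `check_second_use_revokes` are hypothetical names, and the OP is an in-memory stand-in.

```python
# Added illustration; ToyOP and check_second_use_revokes are hypothetical
# names, not code from the certification test suite.
import secrets

OK, WARNING, ERROR = "OK", "WARNING", "ERROR"

class ToyOP:
    """In-memory stand-in for an OP's token and userinfo endpoints."""
    def __init__(self, revoke_on_reuse=True, reject_reuse=True):
        self.revoke_on_reuse = revoke_on_reuse
        self.reject_reuse = reject_reuse
        self.codes = {}      # code -> access token issued from it (None if unused)
        self.tokens = set()  # currently valid access tokens

    def authorize(self):
        code = secrets.token_urlsafe(16)
        self.codes[code] = None
        return code

    def token(self, code):
        if code not in self.codes:
            return 400, {"error": "invalid_grant"}
        issued = self.codes[code]
        if issued is not None and self.reject_reuse:
            if self.revoke_on_reuse:
                self.tokens.discard(issued)  # revoke what the code produced
            return 400, {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(16)
        self.codes[code] = access_token
        self.tokens.add(access_token)
        return 200, {"access_token": access_token, "token_type": "Bearer"}

    def userinfo(self, access_token):
        if access_token in self.tokens:
            return 200, {"sub": "constructed-user"}
        return 401, {"error": "invalid_token"}

def check_second_use_revokes(op):
    """Replay the code, then probe userinfo with the first access token."""
    code = op.authorize()
    status, first = op.token(code)
    if status != 200:
        return ERROR, "first code exchange failed"
    status, _ = op.token(code)  # replay: an error here is expected, keep going
    if status == 200:
        return ERROR, "authorization code accepted twice"
    status, _ = op.userinfo(first["access_token"])
    if status == 200:
        return WARNING, "first access token still valid after code reuse"
    return OK, "first access token was revoked"
```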




