[Openid-specs-ab] Issue #75: expected behavior for OP-request-Unsigned request_parameter_supported=false? (openid/certification)

Brian Campbell issues-reply at bitbucket.org
Thu Mar 5 20:20:57 UTC 2015


New issue 75: expected behavior for OP-request-Unsigned request_parameter_supported=false?
https://bitbucket.org/openid/certification/issue/75/expected-behavior-for-op-request-unsigned

Brian Campbell:

What is the expected behavior for OP-request-Unsigned when the request object parameter isn't supported by the OP/AS?

Currently our OP doesn't support the request object parameter and indicates this in its .well-known/openid-configuration with "request_parameter_supported": false. It responds with a request_not_supported error when a request parameter is present on the authenticate request, which is a spec MUST (second paragraph at http://openid.net/specs/openid-connect-core-1_0.html#RequestObject) when "request_parameter_supported": false.

What's an OP supposed to do here? This test shows up on the default testing page @ https://op.certification.openid.net:60211

```text

Test info
Profile: {'profile': 'C', 'sub': 'none', 'register': False, 'discover': True, 'extra': False}
Test ID: OP-request-Unsigned
Issuer: https://gold.pinglabs.net
Test output


__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[verify-authn-response]
	status: ERROR
	description: Checks that the last response was a JSON encoded authentication message
	info: Expected an authorization response

Trace output


0.000281 ------------ DiscoveryRequest ------------
0.000293 Provider info discover from 'https://gold.pinglabs.net/'
0.000299 --> URL: https://gold.pinglabs.net/.well-known/openid-configuration
0.284526 ProviderConfigurationResponse: {
  "authorization_endpoint": "https://gold.pinglabs.net/as/authorization.oauth2",
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": false,
  "claims_supported": [
    "address",
    "birthdate",
    "email",
    "email_verified",
    "family_name",
    "gender",
    "given_name",
    "locale",
    "middle_name",
    "name",
    "nickname",
    "phone_number",
    "picture",
    "preferred_username",
    "profile",
    "sub",
    "website",
    "zoneinfo"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
  ],
  "issuer": "https://gold.pinglabs.net",
  "jwks_uri": "https://gold.pinglabs.net/pf/JWKS",
  "ping_end_session_endpoint": "https://gold.pinglabs.net/idp/startSLO.ping",
  "ping_revoked_sris_endpoint": "https://gold.pinglabs.net/pf-ws/rest/sessionMgmt/revokedSris",
  "registration_endpoint": "https://gold.pinglabs.net/idp/client-registration.openid",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": true,
  "response_modes_supported": [
    "fragment",
    "query",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token"
  ],
  "revocation_endpoint": "https://gold.pinglabs.net/as/revoke_token.oauth2",
  "scopes_supported": [
    "product",
    "phone",
    "pingone-native-application",
    "email",
    "address",
    "admin",
    "edit",
    "openid",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://gold.pinglabs.net/as/token.oauth2",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "userinfo_endpoint": "https://gold.pinglabs.net/idp/userinfo.openid",
  "version": "3.0"
}
1.151509 JWKS: {
  "keys": [
    {
      "crv": "P-521",
      "kid": "f80st",
      "kty": "EC",
      "use": "sig",
      "x": "AK2REJpgFwKoWTu-6QYaSQTCRg08UnhgI-vr6mIgNX-enTAcv26sOP4vIXwTdIB7LklAV3h1072QvGHgiPFYJsg5",
      "y": "AEzJoN5JN8fpFu93FpNHPxkqFiEaPn7rhvaMNmGXJzj-3zliFU_g2yFqLppC1lTf1Un1o-mnd0vvQVgrflwZjSI8"
    },
    {
      "crv": "P-384",
      "kid": "f80su",
      "kty": "EC",
      "use": "sig",
      "x": "L5VGrkEWu2RhkDkXtQr5DAfqSxza3COTI8Tca7hb31BFk1c5nYkZdE0F5OP4nw_G",
      "y": "y8aD3F2jJF3qlthuYsANfHwhnUw-9YTbtLsNaHvop4fxGzb9Ra-yhNF0jfHtgYll"
    },
    {
      "crv": "P-256",
      "kid": "f80sv",
      "kty": "EC",
      "use": "sig",
      "x": "BHiXkFQUaUjiX62-OU9UtQpwni5_ef_0eC7FlOzoutY",
      "y": "WfTfWE9Ns31RiiBivWohmSnBKTF1bHndk--gErZDqOY"
    },
    {
      "e": "AQAB",
      "kid": "f80sw",
      "kty": "RSA",
      "n": "grO1Q2_XEaknnQzLCDAVYe4spCQMbolNBbqTtwfRCOhS2w4o2NiIvYM5_PDR7jiEWiFC0blgR_eddopxpQrmUy60zbYelzD6byxRa29-PnQgjeJZO2o8QbSCkRRORidZI9MAGsPwfl80f9UBZT0pmlkbEdhlgGPk7b-v_KKseIDTN-lJL9-Jxgbr9XpNoUNEl8k5zpPLLfcmpy5rwa29Ch9m2OAMcxn3xb7hR9toyw8R_ULL7Rd9JGQlxcmnrsL_ah7jSCF-ObVV-CC53QpLjlpTjGDygok_zi5OpOBKHIIIcEOu5tJFm-jCnMTd-2SymcjmHOQTnedmU27nMz5hPw",
      "use": "sig"
    },
    {
      "crv": "P-521",
      "kid": "f80sx",
      "kty": "EC",
      "use": "sig",
      "x": "Aez5kFxe9_mnG4umHdcgJLLsCW308D0n3P3-8DqiKh1NnFvBjsP04rZpDTTw-_N7j0JJFx0dQNRArTywdmsdsbu9",
      "y": "AYyIXt3ZqZxUvZskSpCwgLjnjqEuQZuyVgd35dayB77-To-14sIEA0fd00rp1yB1yzcoMXcITgawgOy9UWMXByoW"
    },
    {
      "crv": "P-384",
      "kid": "f80sy",
      "kty": "EC",
      "use": "sig",
      "x": "O1mLea6k0ykLm1wWxvIWZUzUzJC91h8Ex6_jPAv5dnI6qoKXFTL90R-u-hl93VJ6",
      "y": "ckBiXpdnnp_CbuCPJuLGPG4G--dyeqV_WHZ6kIBQQJqPVlTD0k_qEmWsI2GxwyKz"
    },
    {
      "crv": "P-256",
      "kid": "f80sz",
      "kty": "EC",
      "use": "sig",
      "x": "NXwMQZJRzPDtSVbDT_I8S7s_Y59UFR6cQw5jWOntTwg",
      "y": "j2FJO6YSshDt8W0jM-WBeKZfwY28LLN0Nlu0KM2wc4Y"
    },
    {
      "e": "AQAB",
      "kid": "f80t0",
      "kty": "RSA",
      "n": "t3W3gGCC1X_7X-wIH8OszWvyGJkjXBBebH2csCPws7IsMqLy1Zez8qhNHrdnRDlsOLnuvOIzM2GTDa_iV29btN3CFd3TSjC74LsP2Z_jO41ajkW5YevV87gRgPB1_mHE4dzbFBqt24v1u90Pxv68ZpXX2EekVvpMEqIZwtZJApWBTWL_ovzp-Cyy0p4OG3SxEIM63Hs_2YT0Vlc5RvpJYwMSrQsRojdHvJUEWa2HLDSHUBSytWQKg2g2SJ97Wc4yLWNQ6gTN2IN0UHq3n_x82xmM4_M-c5yt3pVZwNFnFIPkscnIQtaRBUFbabyFMKMS9idvZTLhVq53pHAL3epDMQ",
      "use": "sig"
    },
    {
      "crv": "P-521",
      "kid": "f80t1",
      "kty": "EC",
      "use": "sig",
      "x": "AKCEcGch57ku9MolqQ1_0RDXi2GCp93SJQiY1gW_p3B-5uS9MpS8_GAwHDIyCH1skS2AI-SVtDzEjPyW9kbomnQ0",
      "y": "AXKxpV0Wr0L-U3_ZIy-y6WzNo1NpAsAotj43NqCQFixIPUaUZxx1yOGLlAOH93AJtRf0h8GJL1vYPIFqxVVZ8vQW"
    },
    {
      "crv": "P-384",
      "kid": "f80t2",
      "kty": "EC",
      "use": "sig",
      "x": "H0HJ3Llc_MtTbNYqrySr6AvlbwZfmezz2_F7ZJcQLil0ihT5yYunKdvkGu67eE0j",
      "y": "kCZmV4Ed-ijHsAQ-cXkfAb6uqXhg2LHJf7mBqRcRj5CtKL9BdJduRX3xhGKWaFyP"
    },
    {
      "crv": "P-256",
      "kid": "f80t3",
      "kty": "EC",
      "use": "sig",
      "x": "dkDYvnKf2NTCOrvsMP3aFnMfKuF2mlMM3jApkiCPO68",
      "y": "5SjBt8pY2kt21hnOHWojXkwEpH5oI57G0_miL0MuS-0"
    },
    {
      "e": "AQAB",
      "kid": "f80t4",
      "kty": "RSA",
      "n": "0NHuJ53xo18FiJVgwlPPKkWoW2rfa3JR7wUsDxmKmk-Blwog_9i0VZe0yYYBEB_G3Kuq1BJ1oEtfx3WTJKhL2D1mFftbOEM_VggmTlZNq-M_7yIhIdoe92L9As___3VHClf_fwysxTj_gTo6JHDHEw0dhExrQH6Jz-GykIDv6MdcoaXGdXJ9-3EwrpsUF1X-9cw1d2rrvr44B2k0v0EBj6fxZ55cF90Ev6-3Q4UMCE6uXnPnzEyNjnMyplHPmaWAfCWHF9wZmlQNmoAX4TrR1dkKITYagjS7B_xKeTli3vNVxkofJ5Ptc2axXoriTv6igGpS75tH7Fzn-PO_A4X7Sw",
      "use": "sig"
    }
  ]
}
1.152317 ------------ AuthorizationRequest ------------
1.152930 --> URL: https://gold.pinglabs.net/as/authorization.oauth2?scope=openid&state=0DOYfI0zUQjCx6i3&request=eyJhbGciOiJub25lIn0.eyJzY29wZSI6ICJvcGVuaWQiLCAic3RhdGUiOiAiMERPWWZJMHpVUWpDeDZpMyIsICJyZXNwb25zZV90eXBlIjogImNvZGUiLCAiY2xpZW50X2lkIjogIl9fYyJ9.&response_type=code&client_id=__c
1.152937 --> BODY: None
1.316611 <-- error=request_not_supported&state=0DOYfI0zUQjCx6i3&error_description=processing+of+the+request+parameter+is+unsupported
1.316865 AuthorizationErrorResponse: {
  "error": "request_not_supported",
  "error_description": "processing of the request parameter is unsupported",
  "state": "0DOYfI0zUQjCx6i3"
}

Result
FAILED

```
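The following is an added example, not code from the issue or from the certification suite. It decodes the unsigned (alg "none") request object that the harness sent in the trace above, and models the OP-side decision the post describes: when discovery advertises request_parameter_supported: false and a request parameter arrives, answer with request_not_supported (and request_uri_not_supported for the request_uri case), echoing state. The metadata subset and the request object are taken from the trace; function names are mine.

```python
import base64
import json

# Subset of the provider metadata in the discovery response above.
PROVIDER_METADATA = {
    "request_parameter_supported": False,
    "request_uri_parameter_supported": False,
}

# The request object from the AuthorizationRequest line in the trace
# (header "alg":"none", empty signature segment after the final dot).
UNSIGNED_REQUEST_OBJECT = (
    "eyJhbGciOiJub25lIn0."
    "eyJzY29wZSI6ICJvcGVuaWQiLCAic3RhdGUiOiAiMERPWWZJMHpVUWpDeDZpMyIsICJy"
    "ZXNwb25zZV90eXBlIjogImNvZGUiLCAiY2xpZW50X2lkIjogIl9fYyJ9."
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unsigned_request_object(jwt: str) -> dict:
    """Return the claims of a plaintext (alg "none") request object.

    An OP that *does* support request objects must still check the JWT
    against the client's registered request_object_signing_alg before
    trusting these claims; this helper only parses, it does not authorize.
    """
    header_b64, payload_b64, signature = jwt.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "none" or signature != "":
        raise ValueError("not an unsigned (alg=none) request object")
    return json.loads(_b64url_decode(payload_b64))


def handle_authorization_request(metadata: dict, params: dict):
    """Error response an OP must return when a client uses request or
    request_uri although discovery says the parameter is unsupported
    (OpenID Connect Core 1.0, section 6). None means: process normally."""
    if "request" in params and not metadata.get("request_parameter_supported", False):
        error = "request_not_supported"
    elif "request_uri" in params and not metadata.get("request_uri_parameter_supported", False):
        error = "request_uri_not_supported"
    else:
        return None
    response = {"error": error}
    if "state" in params:
        response["state"] = params["state"]  # echoed so the RP can correlate
    return response
```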