[Openid-specs-ab] Issue #77: wrong login_hint value? (openid/certification)

Brian Campbell issues-reply at bitbucket.org
Thu Mar 5 21:08:38 UTC 2015


New issue 77: wrong login_hint value?
https://bitbucket.org/openid/certification/issue/77/wrong-login_hint-value

Brian Campbell:

When setting up at https://op.certification.openid.net:60000/ I provided a value of "pdingle" for the "Login hint" text box.  However, the test OP-Req-id_token_hint is using the value "bc", which I might have used in one of several failed setup attempts in the last week or so. But this time was definitely set up with "pdingle" and not "bc" so there seems to be some kind of cross-configuration data defect or something. 


Downloaded configuration from 60000 right after setting up https://op.certification.openid.net:60211
```
#!text

{"ui_locales":"fr en","acr_values":"2 1","preferences":{"token_endpoint_auth_method":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt"],"subject_type":"public","grant_types":["authorization_code","implicit","refresh_token","urn:ietf:params:oauth:grant-type:jwt-bearer:"],"userinfo_signed_response_alg":["RS256","RS384","RS512","HS512","HS384","HS256"],"id_token_signed_response_alg":["RS256","RS384","RS512","HS512","HS384","HS256"],"response_types":["code","token","id_token","token id_token","code id_token","code token","code token id_token"],"require_auth_time":true,"request_object_signing_alg":["RS256","RS384","RS512","HS512","HS384","HS256"],"default_max_age":3600},"keys":[{"use":["enc"],"type":"RSA","key":"../keys/second_enc.key"},{"use":["sig"],"type":"RSA","key":"../keys/second_sig.key"},{"type":"EC","use":["sig"],"crv":"P-256"},{"type":"EC","use":["enc"],"crv":"P-256"}],"login_hint":"pdingle","behaviour":{"profile":"C.T.F.ns.","scope":["ope
 nid","profile","email","address","phone"]},"client_registration":{"client_secret":"8Yh4DfiihCY4sawVhcqaDQalovmNmW1ctfGDoNdINKnRnC0Zts2ILuOFbKgeDwmm","redirect_uris":["https://op.certification.openid.net:60211/authz_cb"],"client_id":"__c"},"claims_locales":"en","srv_discovery_url":"https://gold.pinglabs.net/"}

```

Test info log from https://op.certification.openid.net:60211/test_info/OPReq-login_hint
```
#!text


Test info
Profile: {'profile': 'I', 'sub': 'none', 'register': False, 'discover': True, 'extra': False}
Test ID: OP-Req-login_hint
Issuer: https://gold.pinglabs.net
Test output


__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[verify-authn-response]
	status: OK
	description: Checks that the last response was a JSON encoded authentication message

Trace output


8.445119 ------------ DiscoveryRequest ------------
8.445132 Provider info discover from 'https://gold.pinglabs.net/'
8.445138 --> URL: https://gold.pinglabs.net/.well-known/openid-configuration
8.750493 ProviderConfigurationResponse: {
  "authorization_endpoint": "https://gold.pinglabs.net/as/authorization.oauth2",
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": false,
  "claims_supported": [
    "address",
    "birthdate",
    "email",
    "email_verified",
    "family_name",
    "gender",
    "given_name",
    "locale",
    "middle_name",
    "name",
    "nickname",
    "phone_number",
    "picture",
    "preferred_username",
    "profile",
    "sub",
    "website",
    "zoneinfo"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
  ],
  "issuer": "https://gold.pinglabs.net",
  "jwks_uri": "https://gold.pinglabs.net/pf/JWKS",
  "ping_end_session_endpoint": "https://gold.pinglabs.net/idp/startSLO.ping",
  "ping_revoked_sris_endpoint": "https://gold.pinglabs.net/pf-ws/rest/sessionMgmt/revokedSris",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": true,
  "response_modes_supported": [
    "fragment",
    "query",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token"
  ],
  "revocation_endpoint": "https://gold.pinglabs.net/as/revoke_token.oauth2",
  "scopes_supported": [
    "product",
    "phone",
    "pingone-native-application",
    "address",
    "email",
    "admin",
    "edit",
    "openid",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://gold.pinglabs.net/as/token.oauth2",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "userinfo_endpoint": "https://gold.pinglabs.net/idp/userinfo.openid",
  "version": "3.0"
}
9.012053 JWKS: {
  "keys": [
    {
      "crv": "P-521",
      "kid": "co4n9",
      "kty": "EC",
      "use": "sig",
      "x": "ARnqMCX2Sfil25tYE4UQgEcQNh03GF2mMq28wxrWyj31iMl8BMmAlXyQXMfO02uliZg98btrPTKbhzT2srITZR5A",
      "y": "AYOcsIIGOOcJcf2JOxgc-mh1HgbSXz-YUbs0yig2W6MuaFYmza76pplu0NyF5XcFnB5TYchCmNyOHgkRMAjZqgdR"
    },
    {
      "crv": "P-384",
      "kid": "co4na",
      "kty": "EC",
      "use": "sig",
      "x": "XI8DDInnvj1gizZ7nqLWmYH2czZPX245Lp1UMLcV07szcCQINQT85fWmxgmNeGED",
      "y": "0YAhSbTCYYaTwgUAKdwGZG0PWQjW8h8dNoM_Bhn9cAnISTxrY-uSueQ9N2-lLxKj"
    },
    {
      "crv": "P-256",
      "kid": "co4nb",
      "kty": "EC",
      "use": "sig",
      "x": "_trh7hHHjJdmjjDzqwmkcPZlsUqxuE6w2_QPmW5XtiQ",
      "y": "M9PDnUsEewr5Ffz9NOdTf2tzP4FxoBrmxI72Cy4l_Ew"
    },
    {
      "e": "AQAB",
      "kid": "co4nc",
      "kty": "RSA",
      "n": "ozu0NGL_oDdqj3alpRCxfIElHOtgZe4G7Sd0ZP7ELkYd2JhKKc2DhY8yd4arK_7xyuTy_36VNttyd7tEiZ3n95ZK8oyftvEabcL2Z1jbHZRGrH2yVfXM-rjBLsiYlfI1b5b8F1ufmHbQn3YAo90HLQWtygMPy8H02vUtYGIrtOxKlkiMiByKsQCDYhVhfqCq_pEZQn3VQdoXBn26cumyr3fDnBmN9fB9EP-LmKe0kdphb8qf2FX0GqTkXkfgmkdIP94YdYfr_5bN_0__QqbnOhcipF44lF-_tO7myUSVYsqlRXOamZz4ze3wu_d3HflNLk-fd29MDoPbU8_ADaKVkw",
      "use": "sig"
    },
    {
      "crv": "P-521",
      "kid": "co4nd",
      "kty": "EC",
      "use": "sig",
      "x": "ACSKiUJ06yMqTrWzUAFMwGPUQEcGY1uqe5tDjQ12dpnp8LGVAWCBe562qDNlKpgPN8OhpeQQ4hfuUeSGoE6a-Ivt",
      "y": "AZi9SiH9KCgb5X_-0_Jz6UO9Wb7r7nSm-keUPJB7ADhnTz1J6Hey86fkN0kUIzY4HekqoqCdO0nH2wnPUG_yWTLI"
    },
    {
      "crv": "P-384",
      "kid": "co4ne",
      "kty": "EC",
      "use": "sig",
      "x": "mdoSHMMbvKO0k5WUtl7i4oAP0x6X_gdbMmswAbbmI-rdiapCOAxnJlcf6rcnOvCQ",
      "y": "pWPfYhrqWRrh-q5wW2TPd7g0QxmQD2Sv4RW0OG-ts0R0B_E0MyNaSiao7SFFGqOX"
    },
    {
      "crv": "P-256",
      "kid": "co4nf",
      "kty": "EC",
      "use": "sig",
      "x": "IGQYliwph36H_OpnGySnAbUD6-vOp4ca_7yQ0Wgw6FA",
      "y": "lSzTm_mTQjdgESMUSX9LXiM8R08yiQ40xFQdk9RpCM4"
    },
    {
      "e": "AQAB",
      "kid": "co4ng",
      "kty": "RSA",
      "n": "hxDN-256T23rgaQFh5Pmg5A26eLLI0_u5_z1Gn_hb1bZAnhgwgmevRKSjxkQhb-UeiRgTLXmUxt-5Io04pTxXaVTL5xTPeYSwMZDBg9OM2Y1jWHSXa5g1mzaefWQQ-T0N6-BTZRa8gpEigbIQwlcHGnZpzb_qbcSAQhppUF4hvDHWF4hkCbKQR2dmzWhL7u2XP0XkjwRhBQfYIwgETVlDgGl4EuLU_Q121m_Zi2JYAYgONEpWnl3cE9ktrimcS7Nm5eB2ZVPxVRCi6U0Z921v_GDpQ2f-wEtLo_jPzz_P-a1z3PATQbZHOKBV8PjHhqZtKgPgNp81AWyHS4sBUFMsQ",
      "use": "sig"
    }
  ]
}
9.012737 ------------ AuthorizationRequest ------------
9.013141 --> URL: https://gold.pinglabs.net/as/authorization.oauth2?nonce=VT817KpvvUJ2&login_hint=bc&state=jmJgzcTHKftjPyOG&response_type=id_token&client_id=__c&scope=openid
9.013148 --> BODY: None
19.298624 <-- state=jmJgzcTHKftjPyOG&id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImNvNG5nIn0.eyJzdWIiOiJqYnJhZGxleSIsImF1ZCI6Il9fYyIsImp0aSI6Im92aDBmZllONDhVWWUybmw1Sk0yclgiLCJpc3MiOiJodHRwczpcL1wvZ29sZC5waW5nbGFicy5uZXQiLCJpYXQiOjE0MjU1ODkyNDIsImV4cCI6MTQyNTU4OTU0Miwibm9uY2UiOiJWVDgxN0twdnZVSjIiLCJhdXRoX3RpbWUiOjE0MjU1ODkyNDJ9.GWP_s0wmxY0N194uwBA_P7znGX45WtpQg-uPq3QhjkzA--YFXdA3Lc00qGwvpcW1N50pJGmJR3scj3M34VKu6asH-tLhoIAlpBD0h05l8jpKIlS5l9nBavPQvMIjX9yUUUIa9-fWqguhfTZy7lVOrJKaFPKegG6ySrKHj45EercBplkXAjHXawoqTdRuKj2MNtnqI3jeGLONW6kc47Evx_jGVp0AInHbwL8-J4Zxj0V3fLUvXTAFxqSHAMq9APbyneCNA5beBLadCAowwJB3NARz1_cg-CJT8qyYM1mIDGH7SjppVCZOGDUy0JwE72UQ7Tc096xgu5QTT_UcRuhL2g
19.591002 AuthorizationResponse: {
  "id_token": {
    "aud": [
      "__c"
    ],
    "auth_time": 1425589242,
    "exp": 1425589542,
    "iat": 1425589242,
    "iss": "https://gold.pinglabs.net",
    "jti": "ovh0ffYN48UYe2nl5JM2rX",
    "nonce": "VT817KpvvUJ2",
    "sub": "jbradley"
  },
  "state": "jmJgzcTHKftjPyOG"
}

Result
PASSED

```





More information about the Openid-specs-ab mailing list