[Openid-specs-ab] Issue #184: OP code-flow decryption errors (openid/certification)

Casper Biering issues-reply at bitbucket.org
Thu Nov 5 16:06:38 UTC 2015


New issue 184: OP code-flow decryption errors
https://bitbucket.org/openid/certification/issues/184/op-code-flow-decryption-errors

Casper Biering:

I'm having problems getting the OP certification to decrypt my encrypted id_tokens or encrypted userinfo endpoint claims when using the code-flow. If I'm using any of the implicit or hybrid flows the OP certification decrypts the id_token without any problems.

The errors I'm getting are:


```
25.687539 ------------ UserInfoRequest ------------
25.687826 --> URL: https://cb1.www3.netamia.net/idp/oidc/userinfo/
25.687833 --> BODY: None
25.687843 --> HEADERS: {'Authorization': u'Bearer 0cd78e587ac9fbb6b0cf91207fbde5cd91b14b46'}
26.673413 <-- STATUS: 200
26.673492 Available verification keys: [(u'demo-rsa-sig-1', u'RSA'), (u'demo-ec-sig-1', u'EC'), (u'demo-rsa-sig-2', u'RSA'), (u'demo-ec-sig-2', u'EC')]
26.673524 Available decryption keys: [('a0', 'RSA'), ('a3', 'EC')]
26.673658 <-- BODY: eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiYTAifQ.TLMWAQ9aB0yi4wahqIwJ6T-ciT09YfN7_HgvztGHAbLzBj1fO05McQ7UZfYW2rVfYLEMPslM9x7XKZJse35eNxXlmjgLVLhSw3Vqag7JrIprM6DymlI_vMUyt3g4_IUcA1Plfwx0kAdoHdJoTnVbhkUf_qX18MmCkAiFglSq5JXXzp24hyzm8ACyEQKrS72M04sD_vI0rnfZG61zbPTIsY5Bh5Cr_hCWmF1ugUxty2BvlRUs7fNn_Lu9lE6t3SYejGH1aZgkMuBC3ak97wA-AHt8CjwV36FQGY8l4VesIbcKx0j1_Ye0X9ViOTdqvTm1wxWTVTihJTNsZOzRRkeUHw.qQI2ROMTgwkB9drx9xnIvg.PgKBzIoHjm0IJeZk0Omjd00YBjcJiynNwHRuA09cRVl7UtDAF7h4jgWCKLcBzLKR981coXSsRGrjfj-JgjACO0rErbYKlBWaUqkvMfJH1R0RsEtI1iRDfOMa5vtNEOgnMgqcGytXexVP7oqz4Yr7y6kjVip9c9xB8wqo-hpS8XlLkindfNs2saN6uvzr8o3SzciUzZ4AqyJynWWD-KDVPj87hc0q4uLKCcggEZUoBu8EhPPyvlawNnT9uyx7wi6oQ6gQ2MtCr11-pYmLEgWtJ04XKV5onEwJWO0T1Tnlw9iFlEZB1soC7yoUnO8-QVfwfLy0PrO7BcqZOUBF_xJP2IswOzMnYbumAJEfwmGXd2WfsTreroK7qIqPnbuaHIIkvAfUHUyrs0vFZHIaq6BlPYtomfIyOIAjdCxIn1LvwcGEsougRHHpvN_wn8CngHuShfP5FsqDuOhvVQGhA1u_C0SEFpByySvsA7HOfD9OSjhjmXg1BgSBMKK97qOj8tkOLf3-UtZdR2qBr9wFj9mRrRJWe
 uCIV_K1-DMt8lDUrm4TLgCSobM0HX5k7RvYiD6n_-7rIM_EYSulpRFLfCBrDedxsssTRIh-7-yrrFAwVQpMCmrHEtxFDHctEmsv-LBADK88iX2aRgNbqIl84j1eMoOUEDc0PkeQhIaRhJW9KzgwjsADo6jDvf1PdKBBihQBj2LH-QZiW9lFWgLeYxQ4-JYaCmU_Fhj5y3XgCuMTzMyqPSnifuYRXv9njsYmBTcC06mtZ7D7mqc5rse6l78aHA.Y7cYwDIXqH59tUOVaqIyxA
26.709570 JWT header: 
26.709586 UserInfo: {
  "claims": {
    "locale": "en-US",
    "sub": "2e399f2094555c724962e0a1d9f94c57e2da1d01ef9f1a17f0c001de123162a56d5d92bf97f0abde",
    "zoneinfo": "Europe/Copenhagen"
  },
  "jwe header parameters": {
    "alg": "RSA1_5",
    "enc": "A128CBC-HS256",
    "kid": "a0"
  },
  "jws header parameters": {
    "alg": "RS256",
    "kid": "demo-rsa-sig-2"
  }
}
26.715592 ==== END ====
26.727081 [ERROR] TypeError:string indices must be integers, not str
```

```
6.333802 ------------ AccessTokenRequest ------------
6.334194 --> URL: https://cb1.www3.netamia.net/idp/oidc/token/
6.334201 --> BODY: code=9504b2586400659330cb7c61f3cb70b8eb3e0ea1&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60113%2Fauthz_cb
6.334211 --> HEADERS: {'Content-Type': 'application/x-www-form-urlencoded', 'Authorization': u'Basic MzczOmFzZGFzZGFzZGFzZA=='}
6.850307 <-- STATUS: 200
6.850480 <-- BODY: {
    "access_token": "b276d50c5ff5f9f385be45d911881c1521236357",
    "expires_in": 3600,
    "token_type": "Bearer",
    "scope": "openid",
    "id_token": "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiYTAifQ.WN6_Oo1V6m_uOaHh96vql7IKa15JA7hI4m2ZiPvx1u2XggibPn7JDjzB11_j93rswXwnksRV29LJpP_8-qJINwiYdNNlfoUJG9BMOwOE-9iXKVD3zEg1jVAGoI49_BkT6o6nITqKu7mcZUIkdSg4WefhlW8GA4qU11ej3gv7Xb3r5Ujfcw8hCBfntSXCFPjglk-N3pfjslVfys8cDRZn9SfwAlkWlCYLhWr6N5UbA2f6kb_UaBSQw_iyC93MzXQpcoM84XeJfHbLhFpphsA8p55O8GKmeImYppyACW55DM3TJ1leu9xuGQmCfBCSGhtbm-p8jFJ-Ydyq9GJ5G1ACqg.mdYbtpC-Iw2_3xIbjo3khA.n9O9zGlk0u-92KvjY8t-GaYSmiaBPnf3lKe5tAuSLC0SpesRInAb8eNd89F93EDbL2mi4tzoFnv9wSLh7FbivCOLGr3aXd6FRhkOEZFMFTiLFSLi2Izl6ys3kCEQeL6vKCYN1fKURXtLNRlI-bzhNyRqBw5rDXr8DD2kK37tKschfFM5V75kdJKBmPxorA4WT4C1jywprbrMMYFcZ55ycEIto0k7Q3pZGkN1eFmuhpctu5161BrNhRD6y9YIqKnd2Vj8J_oxRMQIBh5L-RWN27-0BbO5NKFBQK9AKPBbmvTXG7Iq36mhRc0GdyOV7YxJFscEThpeKI3OAXxOjK7AHxv42Gop-BBZu-Ai6ATYQsYqIthdCCv-m_7N89_1ReATPnDHZrY6bkIk3LTtgl_ArVF49pSSPMb6mYw2dznlU9M-S3BAohNAyyMlWr83_hi4E9r6GUd8MyZDaMHZhhmfczGSQlDamz034OEOEnZNf2UmNSoY89yVWrHEcygbzeJc7DSAH7pupMf8FLAK5fZCMQuezl4Q
 hsMRbjKwV0nV8ofR0xjYioNtn4M"
}
6.878973 [ERROR] IndexError:list index out of range
```

See the attached test infos for more detailed info.
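
A structural pre-check for compact JWE/JWS values such as the ones in the logs above, as an added example that is not part of the original post or of the certification suite's code. The function names and the filler segments are assumptions made for illustration; only the header segment and the key ids `a0`/`a3` come from the logs.

```python
import base64
import json
import re

B64URL = re.compile(r"^[A-Za-z0-9_-]*$")
# Authentication tag length in bytes per AES-CBC-HMAC "enc" value (RFC 7518, section 5.2).
CBC_HS_TAG_LEN = {"A128CBC-HS256": 16, "A192CBC-HS384": 24, "A256CBC-HS512": 32}

def b64url_decode(seg):
    """Decode one base64url segment; return None if it is not valid base64url."""
    if not B64URL.match(seg):
        return None
    try:
        return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    except ValueError:
        return None

def inspect_compact(token, decryption_kids):
    """Structural pre-check of a compact JWS/JWE; performs no cryptography."""
    problems = []
    parts = "".join(token.split()).split(".")  # rejoin a token wrapped by a log or archive
    kind = {3: "JWS", 5: "JWE"}.get(len(parts), "malformed")
    if kind == "malformed":
        problems.append("expected 3 (JWS) or 5 (JWE) segments, got %d" % len(parts))
    decoded = [b64url_decode(p) for p in parts]
    if None in decoded:
        problems.append("a segment is not valid base64url")
    try:
        header = json.loads(decoded[0])
    except (TypeError, ValueError):  # undecodable segment, bad UTF-8 or bad JSON
        header = None
    if not isinstance(header, dict):
        problems.append("protected header is not a JSON object")
        return {"kind": kind, "header": None, "problems": problems}
    if kind == "JWE" and None not in decoded:
        if header.get("kid") not in list(decryption_kids):
            problems.append("kid %r is not among the decryption keys" % header.get("kid"))
        if header.get("alg") != "dir" and not decoded[1]:
            problems.append("encrypted key segment is empty")
        tag_len = CBC_HS_TAG_LEN.get(header.get("enc"))
        if tag_len and (len(decoded[2]) != 16 or len(decoded[4]) != tag_len):
            problems.append("IV or authentication tag has the wrong length for 'enc'")
    return {"kind": kind, "header": header, "problems": problems}

# Header segment copied from the log above; all other segments are constructed filler.
HEADER = "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwia2lkIjoiYTAifQ"
def filler(n):
    return base64.urlsafe_b64encode(b"\x00" * n).rstrip(b"=").decode()
GOOD = ".".join([HEADER, filler(256), filler(16), filler(48), filler(16)])
NO_TAG = ".".join([HEADER, filler(256), filler(16), filler(48)])  # tag segment missing
```

Running `inspect_compact` on a response body before handing it to the JOSE library separates a malformed or truncated token from a genuine key or decryption failure.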



