[Openid-specs-ab] Issue #139: OP-request-Unsigned specifies wrong response_types in Implicit flow, leading to error (openid/certification)
Garyl Erickson
issues-reply at bitbucket.org
Tue Apr 7 05:04:53 UTC 2015
New issue 139: OP-request-Unsigned specifies wrong response_types in Implicit flow, leading to error
https://bitbucket.org/openid/certification/issue/139/op-request-unsigned-specifies-wrong
Garyl Erickson:
When running the OP-request-Unsigned test using the Implicit flow and response_type=id_token+token, the RegistrationRequest specifies "response_types": ["id_token"] only, but specifies response_type=id_token+token in the AuthorizationRequest, causing it to return "error": "unsupported_response_type".
Also, after the DiscoveryRequest, the test returns: '%s' not defined in provider configuration.
```
#!bash
Test info
Profile: {'openid-configuration': 'config', 'response_type': 'id_token+token', 'crypto': 'sign', 'registration': 'dynamic'}
Timestamp: 2015-04-07T04:43:59Z
Test description: Support request request parameter with unsigned request [Basic, Implicit, Hybrid, Dynamic]
Test ID: OP-request-Unsigned
Issuer: https://oidcp.openrock.org:8043/openam/oauth2
Test output
[-]
status: WARNING
info: OP is not supporting [True] according to 'request_parameter_supported' in the provider configuration
__RegistrationRequest:post__
[check]
status: INFORMATION
description: Registration Response
info: {"application_type":"web","default_max_age_enabled":true,"redirect_uris":["https://op.certification.openid.net:60052/authz_cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"default_max_age":3600,"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=51b3deeb-2557-42d9-adc5-b1b311703171","contacts":["roland.hedberg at umu.se"],"scopes":["phone","address","email","openid","profile"],"client_secret":"aafaf6cc-5f52-4f27-bfe2-cb3b0b316249","client_type":"Confidential","registration_access_token":"da284490-1816-4ec7-8f88-66dce698b513","subject_type":"Public","id_token_signed_response_alg":"HS256","client_id_issued_at":1428381957,"client_id":"51b3deeb-2557-42d9-adc5-b1b311703171","client_secret_expires_at":0,"response_types":["id_token"]}
__AuthorizationRequest:pre__
[check-response-type]
status: OK
description: Checks that the asked for response type are among the supported
[check-endpoint]
status: OK
description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[authn-response-or-error]
status: WARNING
description: Checks that the last response was a JSON encoded authentication or error message
info: Unexpected error response: unsupported_response_type
__X:==== END ====__
Trace output
0.000300 ------------ DiscoveryRequest ------------
0.000311 Provider info discover from 'https://oidcp.openrock.org:8043/openam/oauth2'
0.000317 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/.well-known/openid-configuration
0.421456 ProviderConfigurationResponse: {
"acr_values_supported": [
"3",
"1"
],
"authorization_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/authorize",
"check_session_iframe": "https://oidcp.openrock.org:8043/openam/oauth2/connect/checkSession",
"claims_parameter_supported": false,
"claims_supported": [
"zoneinfo",
"phone_number",
"address",
"email",
"name",
"locale",
"family_name",
"given_name"
],
"end_session_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/endSession",
"grant_types_supported": [
"authorization_code",
"implicit"
],
"id_token_signing_alg_values_supported": [
"HS256",
"HS512",
"RS256",
"HS384"
],
"issuer": "https://oidcp.openrock.org:8043/openam/oauth2",
"jwks_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/jwk_uri",
"registration_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register",
"request_parameter_supported": false,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_types_supported": [
"token id_token",
"code token",
"code token id_token",
"token",
"code id_token",
"code",
"id_token"
],
"scopes_supported": [
"phone",
"address",
"email",
"openid",
"profile"
],
"subject_types_supported": [
"public"
],
"token_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/access_token",
"token_endpoint_auth_methods_supported": [
"client_secret_basic"
],
"userinfo_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/userinfo",
"version": "3.0"
}
0.852117 JWKS: {
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"kid": "5adbfee6-92b3-40a0-a883-cff5037587a0",
"kty": "RSA",
"n": "AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_",
"use": "sig"
}
]
}
0.852838 '%s' not defined in provider configuration
0.853090 ------------ RegistrationRequest ------------
0.853472 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/connect/register
0.853480 --> BODY: {"subject_type": "public", "jwks_uri": "https://op.certification.openid.net:60052/export/jwk_60052.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["implicit"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60052/logout"], "redirect_uris": ["https://op.certification.openid.net:60052/authz_cb"], "response_types": ["id_token"], "require_auth_time": true, "request_object_signing_alg": "none", "default_max_age": 3600}
0.853489 --> HEADERS: {'Content-type': 'application/json'}
1.296456 <-- STATUS: 201
1.296496 <-- BODY: {"application_type":"web","default_max_age_enabled":true,"redirect_uris":["https://op.certification.openid.net:60052/authz_cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"default_max_age":3600,"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=51b3deeb-2557-42d9-adc5-b1b311703171","contacts":["roland.hedberg at umu.se"],"scopes":["phone","address","email","openid","profile"],"client_secret":"aafaf6cc-5f52-4f27-bfe2-cb3b0b316249","client_type":"Confidential","registration_access_token":"da284490-1816-4ec7-8f88-66dce698b513","subject_type":"Public","id_token_signed_response_alg":"HS256","client_id_issued_at":1428381957,"client_id":"51b3deeb-2557-42d9-adc5-b1b311703171","client_secret_expires_at":0,"response_types":["id_token"]}
1.297124 RegistrationResponse: {
"application_type": "web",
"client_id": "51b3deeb-2557-42d9-adc5-b1b311703171",
"client_id_issued_at": 1428381957,
"client_secret": "aafaf6cc-5f52-4f27-bfe2-cb3b0b316249",
"client_secret_expires_at": 0,
"client_type": "Confidential",
"contacts": [
"roland.hedberg at umu.se"
],
"default_max_age": 3600,
"default_max_age_enabled": true,
"id_token_signed_response_alg": "HS256",
"post_logout_redirect_uris": [
"https://op.certification.openid.net:60052/logout"
],
"redirect_uris": [
"https://op.certification.openid.net:60052/authz_cb"
],
"registration_access_token": "da284490-1816-4ec7-8f88-66dce698b513",
"registration_client_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=51b3deeb-2557-42d9-adc5-b1b311703171",
"response_types": [
"id_token"
],
"scopes": [
"phone",
"address",
"email",
"openid",
"profile"
],
"subject_type": "Public"
}
1.298831 ------------ AuthorizationRequest ------------
1.299620 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/authorize?nonce=bm2AZM55GgCK&request=eyJhbGciOiJub25lIn0.eyJub25jZSI6ICJibTJBWk01NUdnQ0siLCAic3RhdGUiOiAiV2pLZkVRRXJmb3V4UjZtOSIsICJyZWRpcmVjdF91cmkiOiAiaHR0cHM6Ly9vcC5jZXJ0aWZpY2F0aW9uLm9wZW5pZC5uZXQ6NjAwNTIvYXV0aHpfY2IiLCAicmVzcG9uc2VfdHlwZSI6ICJpZF90b2tlbiB0b2tlbiIsICJjbGllbnRfaWQiOiAiNTFiM2RlZWItMjU1Ny00MmQ5LWFkYzUtYjFiMzExNzAzMTcxIiwgInNjb3BlIjogIm9wZW5pZCJ9.&state=WjKfEQErfouxR6m9&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60052%2Fauthz_cb&response_type=id_token+token&client_id=51b3deeb-2557-42d9-adc5-b1b311703171&scope=openid
1.299630 --> BODY: None
1.584650 QUERY_STRING:
2.532022 <-- error=unsupported_response_type&state=WjKfEQErfouxR6m9&error_description=Client does not support this response type.
2.532329 AuthorizationErrorResponse: {
"error": "unsupported_response_type",
"error_description": "Client does not support this response type.",
"state": "WjKfEQErfouxR6m9"
}
2.532631 ==== END ====
Result
WARNING
Warnings:
OP is not supporting [True] according to 'request_parameter_supported' in the provider configuration
Unexpected error response: unsupported_response_type
```
Responsible: Rohe
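The failure above is a consistency problem the client side can catch before ever redirecting the user: the registered response_types, the provider's response_types_supported, the plain query parameters and the claims inside the unsigned request object all have to agree. The script below is an added example written for this page, not code from the issue, from pyoidc or from the certification suite. It replays the exchange with the values copied from the trace (provider configuration abbreviated to the keys it needs, the registration response, and the full authorization URL including the alg=none request object) and reports the two mismatches the OP and the test tool complained about. Function names such as check_authz_request and register_for are illustrative assumptions; the only spec assumptions are that a response_type value is an unordered set of tokens ("token id_token" equals "id_token token") and that response_type and client_id inside a request object must equal the query parameters.

```python
"""Pre-flight consistency check for an OpenID Connect authorization request.

Added example, not code from the issue or from the certification suite.
Values below are copied from the trace in the report; function names are
illustrative assumptions.
"""
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Provider metadata from the DiscoveryRequest (only the keys this check uses).
PROVIDER_CONFIG = {
    "issuer": "https://oidcp.openrock.org:8043/openam/oauth2",
    "request_parameter_supported": False,
    "request_uri_parameter_supported": True,
    "response_types_supported": [
        "token id_token", "code token", "code token id_token",
        "token", "code id_token", "code", "id_token",
    ],
}
# Client metadata from the RegistrationResponse (abbreviated).
REGISTRATION_RESPONSE = {
    "client_id": "51b3deeb-2557-42d9-adc5-b1b311703171",
    "redirect_uris": ["https://op.certification.openid.net:60052/authz_cb"],
    "response_types": ["id_token"],
}
# The AuthorizationRequest URL from the trace, verbatim.
AUTHZ_URL = (
    "https://oidcp.openrock.org:8043/openam/oauth2/authorize?nonce=bm2AZM55GgCK"
    "&request=eyJhbGciOiJub25lIn0.eyJub25jZSI6ICJibTJBWk01NUdnQ0siLCAic3RhdGUiOiAiV2pLZkVR"
    "RXJmb3V4UjZtOSIsICJyZWRpcmVjdF91cmkiOiAiaHR0cHM6Ly9vcC5jZXJ0aWZpY2F0aW9uLm9wZW5pZC5u"
    "ZXQ6NjAwNTIvYXV0aHpfY2IiLCAicmVzcG9uc2VfdHlwZSI6ICJpZF90b2tlbiB0b2tlbiIsICJjbGllbnRf"
    "aWQiOiAiNTFiM2RlZWItMjU1Ny00MmQ5LWFkYzUtYjFiMzExNzAzMTcxIiwgInNjb3BlIjogIm9wZW5pZCJ9."
    "&state=WjKfEQErfouxR6m9"
    "&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60052%2Fauthz_cb"
    "&response_type=id_token+token&client_id=51b3deeb-2557-42d9-adc5-b1b311703171"
    "&scope=openid"
)


def response_type_set(value):
    """A response_type is an unordered set of tokens: 'token id_token' == 'id_token token'."""
    return frozenset(value.split())


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unsigned_request_object(jwt):
    """Parse a request object that is deliberately unsigned (alg=none, empty signature).

    Anything else is refused here: an unsigned object is only acceptable when the
    client registered request_object_signing_alg 'none', as the test client did.
    """
    header_b64, payload_b64, signature = jwt.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "none" or signature:
        raise ValueError("expected an unsigned (alg=none) request object")
    return json.loads(b64url_decode(payload_b64))


def check_authz_request(url, provider, registration):
    """Return the list of reasons the OP would (or should) reject this request."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    requested = response_type_set(params["response_type"])
    problems = []

    # 1. The OP must advertise the response type (order-insensitive comparison).
    if requested not in {response_type_set(rt) for rt in provider["response_types_supported"]}:
        problems.append("OP does not support response_type %r" % params["response_type"])

    # 2. The client must have registered it: this is the mismatch in the report.
    if requested not in {response_type_set(rt) for rt in registration["response_types"]}:
        problems.append("response_type %r not in registered response_types %r"
                        % (params["response_type"], registration["response_types"]))

    # 3. client_id and redirect_uri must match the registration exactly.
    if params["client_id"] != registration["client_id"]:
        problems.append("client_id does not match registration")
    if params["redirect_uri"] not in registration["redirect_uris"]:
        problems.append("redirect_uri %r is not registered" % params["redirect_uri"])

    # 4. A request object only helps if the OP accepts the 'request' parameter, and its
    #    response_type / client_id must equal the plain query parameters.
    if "request" in params:
        if not provider.get("request_parameter_supported", False):
            problems.append("OP does not support the request parameter")
        obj = decode_unsigned_request_object(params["request"])
        for claim in ("response_type", "client_id"):
            if obj.get(claim) != params[claim]:
                problems.append("request object %s differs from query parameter" % claim)
    return problems


def register_for(registration, response_type):
    """Registration the test client should have sent: include the type it will request."""
    fixed = dict(registration, response_types=list(registration["response_types"]))
    if response_type_set(response_type) not in {response_type_set(rt) for rt in fixed["response_types"]}:
        fixed["response_types"].append(response_type)
    return fixed


if __name__ == "__main__":
    for problem in check_authz_request(AUTHZ_URL, PROVIDER_CONFIG, REGISTRATION_RESPONSE):
        print("problem:", problem)
    fixed = register_for(REGISTRATION_RESPONSE, "id_token token")
    print("after fixing registration:", check_authz_request(AUTHZ_URL, PROVIDER_CONFIG, fixed))
```

Run as-is, the first pass reports the two findings visible in the trace: the requested "id_token token" is not among the registered response_types, and the OP advertises request_parameter_supported=false, so the request object is ignored at best. After register_for adds the response type, only the request-parameter warning remains, which is the OP's own limitation rather than a test bug. Note that the request-object claims are compared only after the alg=none check; a client that accepts any alg at this point would be trusting unverified input.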