[Openid-specs-ab] Issue #142: OP-request_uri-Unsigned-Dynamic specifies wrong response_types in Implicit flow, leading to error (openid/certification)
Garyl Erickson
issues-reply at bitbucket.org
Tue Apr 7 06:45:23 UTC 2015
New issue 142: OP-request_uri-Unsigned-Dynamic specifies wrong response_types in Implicit flow, leading to error
https://bitbucket.org/openid/certification/issue/142/op-request_uri-unsigned-dynamic-specifies
Garyl Erickson:
When running the OP-request_uri-Unsigned-Dynamic test using the Implicit flow with response_type=id_token+token, the RegistrationRequest specifies "response_types": ["id_token"] only, but specifies response_type=id_token+token in the AuthorizationRequest, causing it to return "error": "unsupported_response_type".
Also, after the DiscoveryRequest, the test returns: '%s' not defined in provider configuration.
(Incidentally, unlike #139, this unexpected error IS causing the test to fail and set a red failure indicator.)
```
#!bash
Test info
Profile: {'openid-configuration': 'config', 'response_type': 'id_token+token', 'crypto': 'sign', 'registration': 'dynamic'}
Timestamp: 2015-04-07T06:27:16Z
Test description: Support request_uri request parameter with unsigned request [Basic, Implicit, Hybrid, Dynamic]
Test ID: OP-request_uri-Unsigned-Dynamic
Issuer: https://oidcp.openrock.org:8043/openam/oauth2
Test output
__RegistrationRequest:post__
[check]
status: INFORMATION
description: Registration Response
info: {"application_type":"web","default_max_age_enabled":true,"redirect_uris":["https://op.certification.openid.net:60052/authz_cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"default_max_age":3600,"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=9684cedd-218c-48d7-a491-d35ddfeabf76","contacts":["roland.hedberg at umu.se"],"scopes":["phone","address","email","openid","profile"],"client_secret":"723bc4a5-78bf-4d6f-95a2-ba0b82f4aba8","client_type":"Confidential","registration_access_token":"98343f6f-e37b-47cc-960f-636fcc4eed39","subject_type":"Public","id_token_signed_response_alg":"HS256","client_id_issued_at":1428388155,"client_id":"9684cedd-218c-48d7-a491-d35ddfeabf76","client_secret_expires_at":0,"response_types":["id_token"]}
__AuthorizationRequest:pre__
[check-response-type]
status: OK
description: Checks that the asked for response type are among the supported
[check-endpoint]
status: OK
description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[verify-response]
status: ERROR
description: Checks that the last response was one of a possible set of OpenID Connect Responses
info: Got a AuthorizationErrorResponse response
__X:==== END ====__
Trace output
0.000275 ------------ DiscoveryRequest ------------
0.000285 Provider info discover from 'https://oidcp.openrock.org:8043/openam/oauth2'
0.000290 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/.well-known/openid-configuration
0.430571 ProviderConfigurationResponse: {
"acr_values_supported": [
"3",
"1"
],
"authorization_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/authorize",
"check_session_iframe": "https://oidcp.openrock.org:8043/openam/oauth2/connect/checkSession",
"claims_parameter_supported": false,
"claims_supported": [
"zoneinfo",
"phone_number",
"address",
"email",
"name",
"locale",
"family_name",
"given_name"
],
"end_session_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/endSession",
"grant_types_supported": [
"authorization_code",
"implicit"
],
"id_token_signing_alg_values_supported": [
"HS256",
"HS512",
"RS256",
"HS384"
],
"issuer": "https://oidcp.openrock.org:8043/openam/oauth2",
"jwks_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/jwk_uri",
"registration_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register",
"request_parameter_supported": false,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_types_supported": [
"token id_token",
"code token",
"code token id_token",
"token",
"code id_token",
"code",
"id_token"
],
"scopes_supported": [
"phone",
"address",
"email",
"openid",
"profile"
],
"subject_types_supported": [
"public"
],
"token_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/access_token",
"token_endpoint_auth_methods_supported": [
"client_secret_basic"
],
"userinfo_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/userinfo",
"version": "3.0"
}
0.853047 JWKS: {
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"kid": "5adbfee6-92b3-40a0-a883-cff5037587a0",
"kty": "RSA",
"n": "AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_",
"use": "sig"
}
]
}
0.853849 '%s' not defined in provider configuration
0.854082 ------------ RegistrationRequest ------------
0.854459 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/connect/register
0.854466 --> BODY: {"subject_type": "public", "jwks_uri": "https://op.certification.openid.net:60052/export/jwk_60052.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["implicit"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60052/logout"], "redirect_uris": ["https://op.certification.openid.net:60052/authz_cb"], "response_types": ["id_token"], "require_auth_time": true, "request_object_signing_alg": "none", "default_max_age": 3600}
0.854475 --> HEADERS: {'Content-type': 'application/json'}
1.286145 <-- STATUS: 201
1.286183 <-- BODY: {"application_type":"web","default_max_age_enabled":true,"redirect_uris":["https://op.certification.openid.net:60052/authz_cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"default_max_age":3600,"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=9684cedd-218c-48d7-a491-d35ddfeabf76","contacts":["roland.hedberg at umu.se"],"scopes":["phone","address","email","openid","profile"],"client_secret":"723bc4a5-78bf-4d6f-95a2-ba0b82f4aba8","client_type":"Confidential","registration_access_token":"98343f6f-e37b-47cc-960f-636fcc4eed39","subject_type":"Public","id_token_signed_response_alg":"HS256","client_id_issued_at":1428388155,"client_id":"9684cedd-218c-48d7-a491-d35ddfeabf76","client_secret_expires_at":0,"response_types":["id_token"]}
1.286791 RegistrationResponse: {
"application_type": "web",
"client_id": "9684cedd-218c-48d7-a491-d35ddfeabf76",
"client_id_issued_at": 1428388155,
"client_secret": "723bc4a5-78bf-4d6f-95a2-ba0b82f4aba8",
"client_secret_expires_at": 0,
"client_type": "Confidential",
"contacts": [
"roland.hedberg at umu.se"
],
"default_max_age": 3600,
"default_max_age_enabled": true,
"id_token_signed_response_alg": "HS256",
"post_logout_redirect_uris": [
"https://op.certification.openid.net:60052/logout"
],
"redirect_uris": [
"https://op.certification.openid.net:60052/authz_cb"
],
"registration_access_token": "98343f6f-e37b-47cc-960f-636fcc4eed39",
"registration_client_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=9684cedd-218c-48d7-a491-d35ddfeabf76",
"response_types": [
"id_token"
],
"scopes": [
"phone",
"address",
"email",
"openid",
"profile"
],
"subject_type": "Public"
}
1.288493 ------------ AuthorizationRequest ------------
1.289768 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/authorize?nonce=0PYMqytkNeDK&state=2rPCZ0VcipeQkDyn&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60052%2Fauthz_cb&response_type=id_token+token&client_id=9684cedd-218c-48d7-a491-d35ddfeabf76&scope=openid&request_uri=https%3A%2F%2Fop.certification.openid.net%3A60052%2Fexport%2FFxt1MZuo48.jwt
1.289777 --> BODY: None
1.585347 QUERY_STRING:
2.251375 <-- error=unsupported_response_type&state=2rPCZ0VcipeQkDyn&error_description=Client does not support this response type.
2.251677 AuthorizationErrorResponse: {
"error": "unsupported_response_type",
"error_description": "Client does not support this response type.",
"state": "2rPCZ0VcipeQkDyn"
}
2.251965 ==== END ====
Result
FAILED
```
Responsible: Rohe
More information about the Openid-specs-ab
mailing list