[Openid-specs-ab] Issue #143: Unhelpful error message from OP-UserInfo-RS256 (openid/certification)

Garyl Erickson issues-reply at bitbucket.org
Tue Apr 7 17:25:15 UTC 2015


New issue 143: Unhelpful error message from OP-UserInfo-RS256
https://bitbucket.org/openid/certification/issue/143/unhelpful-error-message-from-op-userinfo

Garyl Erickson:

I get "[ERROR] AssertionError:Wrong content-type in header" at the end, but the error doesn't say what it expected or what it found, which makes it rather difficult to understand what's wrong.


```
#!bash


Test info
Profile: {'openid-configuration': 'config', 'response_type': 'id_token+token', 'crypto': 'sign', 'registration': 'dynamic'}
Timestamp: 2015-04-07T17:18:41Z
Test description: RP registers userinfo_signed_response_alg to signal that it wants signed UserInfo returned [Dynamic]
Test ID: OP-UserInfo-RS256
Issuer: https://oidcp.openrock.org:8043/openam/oauth2
Test output


__RegistrationRequest:post__
[check]
	status: INFORMATION
	description: Registration Response
	info: {"application_type":"web","default_max_age_enabled":true,"redirect_uris":["https://op.certification.openid.net:60052/authz_cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"default_max_age":3600,"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=3e186737-0c07-4493-b22a-4e9c716e335a","contacts":["roland.hedberg at umu.se"],"scopes":["phone","address","email","openid","profile"],"client_secret":"96eced3f-fd3b-479d-a17d-3abd600a9eae","client_type":"Confidential","registration_access_token":"d88b76c0-a2b8-420a-ae45-0c4540364117","subject_type":"Public","id_token_signed_response_alg":"HS256","client_id_issued_at":1428427237,"client_id":"3e186737-0c07-4493-b22a-4e9c716e335a","client_secret_expires_at":0,"response_types":["id_token token"]}
__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
[-]
	status: ERROR
	info: Wrong content-type in header

Trace output


0.000272 ------------ DiscoveryRequest ------------
0.000285 Provider info discover from 'https://oidcp.openrock.org:8043/openam/oauth2'
0.000291 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/.well-known/openid-configuration
0.435300 ProviderConfigurationResponse: {
  "acr_values_supported": [
    "3",
    "1"
  ],
  "authorization_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/authorize",
  "check_session_iframe": "https://oidcp.openrock.org:8043/openam/oauth2/connect/checkSession",
  "claims_parameter_supported": false,
  "claims_supported": [
    "zoneinfo",
    "phone_number",
    "address",
    "email",
    "name",
    "locale",
    "family_name",
    "given_name"
  ],
  "end_session_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/endSession",
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "HS512",
    "RS256",
    "HS384"
  ],
  "issuer": "https://oidcp.openrock.org:8043/openam/oauth2",
  "jwks_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/jwk_uri",
  "registration_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "response_types_supported": [
    "token id_token",
    "code token",
    "code token id_token",
    "token",
    "code id_token",
    "code",
    "id_token"
  ],
  "scopes_supported": [
    "phone",
    "address",
    "email",
    "openid",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/access_token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic"
  ],
  "userinfo_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/userinfo",
  "version": "3.0"
}
0.855488 JWKS: {
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "9baf4fb5-a317-4b14-a09c-32e77c19b590",
      "kty": "RSA",
      "n": "AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_",
      "use": "sig"
    }
  ]
}
0.856292 'userinfo_signing_alg_values_supported' not defined in provider configuration
0.856526 ------------ RegistrationRequest ------------
0.856907 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/connect/register
0.856915 --> BODY: {"subject_type": "public", "jwks_uri": "https://op.certification.openid.net:60052/export/jwk_60052.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["implicit"], "userinfo_signed_response_alg": "RS256", "post_logout_redirect_uris": ["https://op.certification.openid.net:60052/logout"], "redirect_uris": ["https://op.certification.openid.net:60052/authz_cb"], "response_types": ["id_token token"], "require_auth_time": true, "default_max_age": 3600}
0.856924 --> HEADERS: {'Content-type': 'application/json'}
1.289448 <-- STATUS: 201
1.289500 <-- BODY: {"application_type":"web","default_max_age_enabled":true,"redirect_uris":["https://op.certification.openid.net:60052/authz_cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"default_max_age":3600,"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=3e186737-0c07-4493-b22a-4e9c716e335a","contacts":["roland.hedberg at umu.se"],"scopes":["phone","address","email","openid","profile"],"client_secret":"96eced3f-fd3b-479d-a17d-3abd600a9eae","client_type":"Confidential","registration_access_token":"d88b76c0-a2b8-420a-ae45-0c4540364117","subject_type":"Public","id_token_signed_response_alg":"HS256","client_id_issued_at":1428427237,"client_id":"3e186737-0c07-4493-b22a-4e9c716e335a","client_secret_expires_at":0,"response_types":["id_token token"]}
1.290151 RegistrationResponse: {
  "application_type": "web",
  "client_id": "3e186737-0c07-4493-b22a-4e9c716e335a",
  "client_id_issued_at": 1428427237,
  "client_secret": "96eced3f-fd3b-479d-a17d-3abd600a9eae",
  "client_secret_expires_at": 0,
  "client_type": "Confidential",
  "contacts": [
    "roland.hedberg at umu.se"
  ],
  "default_max_age": 3600,
  "default_max_age_enabled": true,
  "id_token_signed_response_alg": "HS256",
  "post_logout_redirect_uris": [
    "https://op.certification.openid.net:60052/logout"
  ],
  "redirect_uris": [
    "https://op.certification.openid.net:60052/authz_cb"
  ],
  "registration_access_token": "d88b76c0-a2b8-420a-ae45-0c4540364117",
  "registration_client_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=3e186737-0c07-4493-b22a-4e9c716e335a",
  "response_types": [
    "id_token token"
  ],
  "scopes": [
    "phone",
    "address",
    "email",
    "openid",
    "profile"
  ],
  "subject_type": "Public"
}
1.292748 ------------ AuthorizationRequest ------------
1.293209 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/authorize?nonce=IERiCImG248z&state=16kVgVLEGll17Mgo&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60052%2Fauthz_cb&response_type=id_token+token&client_id=3e186737-0c07-4493-b22a-4e9c716e335a&scope=openid
1.293217 --> BODY: None
4.071103 QUERY_STRING:
4.921066 <-- scope=openid&state=16kVgVLEGll17Mgo&token_type=Bearer&expires_in=1209599&id_token=eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF6cCI6ICIzZTE4NjczNy0wYzA3LTQ0OTMtYjIyYS00ZTljNzE2ZTMzNWEiLCAic3ViIjogIk9BdXRoMlVzZXIiLCAiYXRfaGFzaCI6ICJaSnNmOGhVd09ieEhZS3hxSjdSSWhBIiwgImlzcyI6ICJodHRwczovL29pZGNwLm9wZW5yb2NrLm9yZzo4MDQzL29wZW5hbS9vYXV0aDIiLCAib3JnLmZvcmdlcm9jay5vcGVuaWRjb25uZWN0Lm9wcyI6ICJiNDc2ODVmMy1jN2QwLTRhY2MtYTdlNy02NjA1ODNkMzM3YTEiLCAiaWF0IjogMTQyODQyNzI0MCwgImF1dGhfdGltZSI6IDE0Mjg0MjcwNjUsICJleHAiOiAxNDI4NDI3ODQwLCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgIm5vbmNlIjogIklFUmlDSW1HMjQ4eiIsICJyZWFsbSI6ICIvIiwgImF1ZCI6IFsgIjNlMTg2NzM3LTBjMDctNDQ5My1iMjJhLTRlOWM3MTZlMzM1YSIgXSB9.h7C8xD1e6mjQ57UjCzNa6MM1iqA4iRboTXS8izNF4Xo&access_token=eed2d1a8-269a-4aaf-a3bf-3d5fb0b94278
5.344243 AuthorizationResponse: {
  "access_token": "eed2d1a8-269a-4aaf-a3bf-3d5fb0b94278",
  "expires_in": 1209599,
  "id_token": {
    "claims": {
      "at_hash": "ZJsf8hUwObxHYKxqJ7RIhA",
      "aud": [
        "3e186737-0c07-4493-b22a-4e9c716e335a"
      ],
      "auth_time": 1428427065,
      "azp": [
        "3e186737-0c07-4493-b22a-4e9c716e335a"
      ],
      "exp": 1428427840,
      "iat": 1428427240,
      "iss": "https://oidcp.openrock.org:8043/openam/oauth2",
      "nonce": "IERiCImG248z",
      "org.forgerock.openidconnect.ops": "b47685f3-c7d0-4acc-a7e7-660583d337a1",
      "realm": "/",
      "sub": "OAuth2User",
      "tokenName": "id_token",
      "tokenType": "JWTToken"
    },
    "jws header parameters": {
      "alg": "HS256",
      "typ": "JWT"
    }
  },
  "scope": "openid",
  "state": "16kVgVLEGll17Mgo",
  "token_type": "Bearer"
}
5.344862 ------------ UserInfoRequest ------------
5.345123 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/userinfo
5.345129 --> BODY: None
5.345137 --> HEADERS: {'Authorization': 'Bearer eed2d1a8-269a-4aaf-a3bf-3d5fb0b94278'}
5.859551 <-- STATUS: 200
5.859618 Available verification keys: [(u'9baf4fb5-a317-4b14-a09c-32e77c19b590', u'RSA')]
5.859645 Available decryption keys: [('a0', 'RSA'), ('a3', 'EC')]
5.859668 <-- BODY: {"sub":"OAuth2User","updated_at":"1428423850"}
5.860477 [ERROR] AssertionError:Wrong content-type in header

Result
PARTIAL RESULT

```


Responsible: Rohe
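An added example (not the certification suite's code): a UserInfo content-type check that reports what it expected and what it found, following OpenID Connect Core 5.3.2, where a signed or encrypted UserInfo response is sent as `application/jwt` and a plain one as `application/json`. The function names and the response header value are assumptions; the trace above does not show the response headers.

```python
import json

JSON_TYPE = "application/json"   # plain UserInfo response
JWT_TYPE = "application/jwt"     # signed and/or encrypted UserInfo response


def media_type(headers):
    """Return the Content-Type media type, lower-cased, without parameters."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("content-type", "").split(";", 1)[0].strip().lower()


def body_kind(body):
    """Classify the body so the message can say what was actually received."""
    try:
        if isinstance(json.loads(body), dict):
            return "JSON object"
    except ValueError:
        pass
    parts = body.strip().split(".")
    # Compact JWS has 3 dot-separated segments, compact JWE has 5.
    if len(parts) in (3, 5) and parts[0]:
        return "compact JWT"
    return "unrecognised"


def check_userinfo_content_type(registered_alg, headers, body):
    """Return (ok, message) for a UserInfo response.

    registered_alg is the userinfo_signed_response_alg the RP registered,
    or None when the RP asked for a plain JSON response.
    """
    expected = JWT_TYPE if registered_alg else JSON_TYPE
    found = media_type(headers) or "(missing)"
    message = (
        f"Wrong content-type in header: expected {expected!r} "
        f"(userinfo_signed_response_alg={registered_alg!r}), "
        f"found {found!r}; body looks like a {body_kind(body)}"
    )
    return found == expected, message


if __name__ == "__main__":
    # Body copied from the trace; the header value is constructed for the example.
    headers = {"Content-Type": "application/json;charset=UTF-8"}
    body = '{"sub":"OAuth2User","updated_at":"1428423850"}'
    print(check_userinfo_content_type("RS256", headers, body)[1])
```
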


