[Openid-specs-ab] Issue #146: OP-request-Unsigned specifies wrong response_types in Implicit flow with id_token, leading to error (openid/certification)

Garyl Erickson issues-reply at bitbucket.org
Fri Apr 10 07:18:31 UTC 2015


New issue 146: OP-request-Unsigned specifies wrong response_types in Implicit flow with id_token, leading to error
https://bitbucket.org/openid/certification/issue/146/op-request-unsigned-specifies-wrong

Garyl Erickson:

When running the OP-request-Unsigned test using the Implicit flow with response_type=id_token, the RegistrationRequest specifies "response_types": ["code"] instead of ["id_token"], but specifies response_type=id_token (as expected) in the AuthorizationRequest, causing it to return "error": "unsupported_response_type".

Incidentally, this unexpected error is not causing the test to fail; it just outputs a warning.


```
#!bash


Test info
Profile: {'openid-configuration': 'config', 'response_type': 'id_token', 'crypto': 'sign', 'registration': 'dynamic'}
Timestamp: 2015-04-10T07:11:51Z
Test description: Support request request parameter with unsigned request [Basic, Implicit, Hybrid, Dynamic]
Test ID: OP-request-Unsigned
Issuer: https://oidcp.openrock.org:8043/openam/oauth2
Test output


[-]
	status: WARNING
	info: OP is not supporting True according to 'request_parameter_supported' in the provider configuration
__RegistrationRequest:post__
[check]
	status: INFORMATION
	description: Registration Response
	info: {"public_key_selector":"jwks_uri","application_type":"web","default_max_age_enabled":true,"redirect_uris":["https://op.certification.openid.net:60052/authz_cb","https://op.certification.openid.net:60052/cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"token_endpoint_auth_method":"client_secret_basic","default_max_age":3600,"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=08df8543-1100-4c35-859a-df91819f293a","contacts":["roland.hedberg at umu.se"],"scopes":["phone","address","email","openid","profile"],"client_secret":"caea7fe0-c595-47ae-a6fe-e28d8c6c48d9","client_type":"Confidential","registration_access_token":"8ae29811-c59b-4256-a32e-a7cdacec5c65","jwks_uri":"https://op.certification.openid.net:60052/export/jwk_60052.json","subject_type":"public","id_token_signed_response_alg":"HS256","client_id_issued_at":1428650037,"client_id":"08df8543-1100-4c35-859a-df91819f293a","client_secret_expires_at":0,"client_name":null,"response_types":["code"]}
__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[authn-response-or-error]
	status: WARNING
	description: Checks that the last response was a JSON encoded authentication or error message
	info: Unexpected error response: unsupported_response_type
__X:==== END ====__

Trace output


0.000311 ------------ DiscoveryRequest ------------
0.000322 Provider info discover from 'https://oidcp.openrock.org:8043/openam/oauth2'
0.000328 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/.well-known/openid-configuration
0.429849 ProviderConfigurationResponse: {
  "acr_values_supported": [
    "3",
    "1"
  ],
  "authorization_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/authorize",
  "check_session_iframe": "https://oidcp.openrock.org:8043/openam/oauth2/connect/checkSession",
  "claims_parameter_supported": false,
  "claims_supported": [
    "zoneinfo",
    "phone_number",
    "address",
    "email",
    "name",
    "locale",
    "family_name",
    "given_name"
  ],
  "end_session_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/endSession",
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "HS512",
    "RS256",
    "HS384"
  ],
  "issuer": "https://oidcp.openrock.org:8043/openam/oauth2",
  "jwks_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/jwk_uri",
  "registration_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "require_request_uri_registration": false,
  "response_types_supported": [
    "token id_token",
    "code token",
    "code token id_token",
    "token",
    "code id_token",
    "code",
    "id_token"
  ],
  "scopes_supported": [
    "phone",
    "address",
    "email",
    "openid",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/access_token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "userinfo_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/userinfo",
  "version": "3.0"
}
0.862527 JWKS: {
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "0ddde4ba-8f99-4f1b-a19e-20dbf01169da",
      "kty": "RSA",
      "n": "AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_",
      "use": "sig"
    }
  ]
}
0.863268 'request_object_signing_alg_values_supported' not defined in provider configuration
0.863506 ------------ RegistrationRequest ------------
0.863885 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/connect/register
0.863892 --> BODY: {"subject_type": "public", "jwks_uri": "https://op.certification.openid.net:60052/export/jwk_60052.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["authorization_code"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60052/logout"], "redirect_uris": ["https://op.certification.openid.net:60052/authz_cb", "https://op.certification.openid.net:60052/cb"], "response_types": ["code"], "require_auth_time": true, "request_object_signing_alg": "none", "default_max_age": 3600}
0.863901 --> HEADERS: {'Content-type': 'application/json'}
1.314481 <-- STATUS: 201
1.314517 <-- BODY: {"public_key_selector":"jwks_uri","application_type":"web","default_max_age_enabled":true,"redirect_uris":["https://op.certification.openid.net:60052/authz_cb","https://op.certification.openid.net:60052/cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"token_endpoint_auth_method":"client_secret_basic","default_max_age":3600,"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=08df8543-1100-4c35-859a-df91819f293a","contacts":["roland.hedberg at umu.se"],"scopes":["phone","address","email","openid","profile"],"client_secret":"caea7fe0-c595-47ae-a6fe-e28d8c6c48d9","client_type":"Confidential","registration_access_token":"8ae29811-c59b-4256-a32e-a7cdacec5c65","jwks_uri":"https://op.certification.openid.net:60052/export/jwk_60052.json","subject_type":"public","id_token_signed_response_alg":"HS256","client_id_issued_at":1428650037,"client_id":"08df8543-1100-4c35-859a-df91819f293a","client_secret_expires_at":0,"client_name":null,"response_types":["code"]}
1.315137 RegistrationResponse: {
  "application_type": "web",
  "client_id": "08df8543-1100-4c35-859a-df91819f293a",
  "client_id_issued_at": 1428650037,
  "client_name": null,
  "client_secret": "caea7fe0-c595-47ae-a6fe-e28d8c6c48d9",
  "client_secret_expires_at": 0,
  "client_type": "Confidential",
  "contacts": [
    "roland.hedberg at umu.se"
  ],
  "default_max_age": 3600,
  "default_max_age_enabled": true,
  "id_token_signed_response_alg": "HS256",
  "jwks_uri": "https://op.certification.openid.net:60052/export/jwk_60052.json",
  "post_logout_redirect_uris": [
    "https://op.certification.openid.net:60052/logout"
  ],
  "public_key_selector": "jwks_uri",
  "redirect_uris": [
    "https://op.certification.openid.net:60052/authz_cb",
    "https://op.certification.openid.net:60052/cb"
  ],
  "registration_access_token": "8ae29811-c59b-4256-a32e-a7cdacec5c65",
  "registration_client_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=08df8543-1100-4c35-859a-df91819f293a",
  "response_types": [
    "code"
  ],
  "scopes": [
    "phone",
    "address",
    "email",
    "openid",
    "profile"
  ],
  "subject_type": "public",
  "token_endpoint_auth_method": "client_secret_basic"
}
1.316732 ------------ AuthorizationRequest ------------
1.317497 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/authorize?nonce=LfKeMWNWHgbx&request=eyJhbGciOiJub25lIn0.eyJub25jZSI6ICJMZktlTVdOV0hnYngiLCAic3RhdGUiOiAiQ0lhNm9ENUJhbWl5NVRGZCIsICJyZWRpcmVjdF91cmkiOiAiaHR0cHM6Ly9vcC5jZXJ0aWZpY2F0aW9uLm9wZW5pZC5uZXQ6NjAwNTIvYXV0aHpfY2IiLCAicmVzcG9uc2VfdHlwZSI6ICJpZF90b2tlbiIsICJjbGllbnRfaWQiOiAiMDhkZjg1NDMtMTEwMC00YzM1LTg1OWEtZGY5MTgxOWYyOTNhIiwgInNjb3BlIjogIm9wZW5pZCJ9.&state=CIa6oD5Bamiy5TFd&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60052%2Fauthz_cb&response_type=id_token&client_id=08df8543-1100-4c35-859a-df91819f293a&scope=openid
1.317505 --> BODY: None
1.957118 QUERY_STRING:
2.712812 <-- error=unsupported_response_type&state=CIa6oD5Bamiy5TFd&error_description=Client does not support this response type.
2.713070 AuthorizationErrorResponse: {
  "error": "unsupported_response_type",
  "error_description": "Client does not support this response type.",
  "state": "CIa6oD5Bamiy5TFd"
}
2.719670 ==== END ====

Result
WARNING
Warnings:
OP is not supporting True according to 'request_parameter_supported' in the provider configuration
Unexpected error response: unsupported_response_type

```


Responsible: Rohe
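The failure in the trace, as an added example that is not part of the certification suite or of this post: the provider metadata, the registration metadata and the authorization request are checked against each other the way the OP evidently did, and `registration_for_profile` shows what the tool should have registered for an `id_token` profile. The sample data is constructed from the messages quoted above; the response_type to grant_type mapping follows OpenID Connect Dynamic Client Registration 1.0, section 2.

```python
# Added example (not the certification suite's code): replay the consistency
# checks behind the unsupported_response_type error in the trace above.

# Constructed sample data, copied from the discovery, registration and authorization messages.
PROVIDER_CONFIG = {
    "response_types_supported": ["token id_token", "code token", "code token id_token",
                                 "token", "code id_token", "code", "id_token"],
}
REGISTRATION = {"response_types": ["code"], "grant_types": ["authorization_code"]}
AUTHZ_PARAMS = {"response_type": "id_token", "nonce": "LfKeMWNWHgbx", "scope": "openid"}

def normalize(response_type):
    """response_type is a space-separated set: 'code id_token' == 'id_token code'."""
    return frozenset(response_type.split())

def grant_types_for(rt):
    """Grant types a response_type set implies (OIDC Dynamic Registration 1.0, sec. 2)."""
    needed = set()
    if "code" in rt:
        needed.add("authorization_code")
    if rt & {"token", "id_token"}:
        needed.add("implicit")
    return needed

def registration_for_profile(response_type):
    """Registration metadata the test tool should send for a given profile response_type."""
    return {"response_types": [response_type],
            "grant_types": sorted(grant_types_for(normalize(response_type)))}

def check_authz_request(provider_config, registration, params):
    """Errors an OP is entitled to return for this authorization request."""
    requested = normalize(params["response_type"])
    supported = {normalize(r) for r in provider_config["response_types_supported"]}
    # Spec defaults when the client omitted these at registration time.
    registered = {normalize(r) for r in registration.get("response_types", ["code"])}
    granted = set(registration.get("grant_types", ["authorization_code"]))
    errors = []
    if requested not in supported:
        errors.append("unsupported_response_type: OP does not advertise it")
    if requested not in registered:
        errors.append("unsupported_response_type: client did not register it")
    if not grant_types_for(requested) <= granted:
        errors.append("unauthorized_client: implied grant_type not registered")
    if "id_token" in requested and not params.get("nonce"):
        errors.append("invalid_request: nonce is required for implicit and hybrid flows")
    return errors
```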


