[Openid-specs-ab] Issue #148: OP-request_uri-Unsigned-Dynamic specifies wrong response_types in Implicit flow with id_token, leading to error (openid/certification)

Garyl Erickson issues-reply at bitbucket.org
Sat Apr 11 04:58:50 UTC 2015 

New issue 148: OP-request_uri-Unsigned-Dynamic specifies wrong response_types in Implicit flow with id_token, leading to error
https://bitbucket.org/openid/certification/issue/148/op-request_uri-unsigned-dynamic-specifies

Garyl Erickson:

When running the OP-request_uri-Unsigned-Dynamic test using the Implicit flow with response_type=id_token, the RegistrationRequest specifies "response_types": ["code"] instead of ["id_token"], but specifies response_type=id_token in the AuthorizationRequest, causing it to return "error": "unsupported_response_type".

It also specifies "grant_types": ["authorization_code"] instead of ["implicit"].

(Incidentally, unlike #139, this unexpected error IS causing the test to fail and set a red failure indicator.)


```
#!bash


Test info
Profile: {'openid-configuration': 'config', 'response_type': 'id_token', 'crypto': 'sign', 'registration': 'dynamic'}
Timestamp: 2015-04-11T04:49:51Z
Test description: Support request_uri request parameter with unsigned request [Basic, Implicit, Hybrid, Dynamic]
Test ID: OP-request_uri-Unsigned-Dynamic
Issuer: https://oidcp.openrock.org:8043/openam/oauth2
Test output


__RegistrationRequest:post__
[check]
	status: INFORMATION
	description: Registration Response
	info: {"public_key_selector":"jwks_uri","application_type":"web","default_max_age_enabled":true,"redirect_uris":["https://op.certification.openid.net:60052/authz_cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"token_endpoint_auth_method":"client_secret_basic","default_max_age":3600,"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=e308054d-e7e1-457f-8db9-09c908d784cf","contacts":["roland.hedberg at umu.se"],"scopes":["phone","address","email","openid","profile"],"client_secret":"0f133402-9235-459d-8977-56686ef87834","client_type":"Confidential","registration_access_token":"37213f4f-e030-4db3-a108-6547ef3cb18b","jwks_uri":"https://op.certification.openid.net:60052/export/jwk_60052.json","subject_type":"public","id_token_signed_response_alg":"HS256","client_id_issued_at":1428727919,"client_id":"e308054d-e7e1-457f-8db9-09c908d784cf","client_secret_expires_at":0,"client_name":null,"response_typ
 es":["code"]}
__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[verify-response]
	status: ERROR
	description: Checks that the last response was one of a possible set of OpenID Connect Responses
	info: Got a AuthorizationErrorResponse response
__X:==== END ====__

Trace output


0.000466 ------------ DiscoveryRequest ------------
0.000476 Provider info discover from 'https://oidcp.openrock.org:8043/openam/oauth2'
0.000482 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/.well-known/openid-configuration
0.441014 ProviderConfigurationResponse: {
  "acr_values_supported": [
    "1"
  ],
  "authorization_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/authorize",
  "check_session_iframe": "https://oidcp.openrock.org:8043/openam/oauth2/connect/checkSession",
  "claims_parameter_supported": true,
  "claims_supported": [
    "zoneinfo",
    "phone_number",
    "address",
    "email",
    "name",
    "locale",
    "family_name",
    "given_name"
  ],
  "end_session_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/endSession",
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "HS512",
    "RS256",
    "HS384"
  ],
  "issuer": "https://oidcp.openrock.org:8043/openam/oauth2",
  "jwks_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/jwk_uri",
  "registration_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "response_types_supported": [
    "token id_token",
    "code token",
    "code token id_token",
    "token",
    "code id_token",
    "code",
    "id_token"
  ],
  "scopes_supported": [
    "phone",
    "address",
    "email",
    "openid",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/access_token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "userinfo_endpoint": "https://oidcp.openrock.org:8043/openam/oauth2/userinfo",
  "version": "3.0"
}
0.873141 JWKS: {
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "43901682-8b4d-40a3-80ba-580ba13b2ff8",
      "kty": "RSA",
      "n": "AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_",
      "use": "sig"
    }
  ]
}
0.883034 'request_object_signing_alg_values_supported' not defined in provider configuration
0.883270 ------------ RegistrationRequest ------------
0.883653 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/connect/register
0.883661 --> BODY: {"subject_type": "public", "jwks_uri": "https://op.certification.openid.net:60052/export/jwk_60052.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["authorization_code"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60052/logout"], "redirect_uris": ["https://op.certification.openid.net:60052/authz_cb"], "response_types": ["code"], "require_auth_time": true, "request_object_signing_alg": "none", "default_max_age": 3600}
0.883670 --> HEADERS: {'Content-type': 'application/json'}
1.339764 <-- STATUS: 201
1.339806 <-- BODY: {"public_key_selector":"jwks_uri","application_type":"web","default_max_age_enabled":true,"redirect_uris":["https://op.certification.openid.net:60052/authz_cb"],"post_logout_redirect_uris":["https://op.certification.openid.net:60052/logout"],"token_endpoint_auth_method":"client_secret_basic","default_max_age":3600,"registration_client_uri":"https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=e308054d-e7e1-457f-8db9-09c908d784cf","contacts":["roland.hedberg at umu.se"],"scopes":["phone","address","email","openid","profile"],"client_secret":"0f133402-9235-459d-8977-56686ef87834","client_type":"Confidential","registration_access_token":"37213f4f-e030-4db3-a108-6547ef3cb18b","jwks_uri":"https://op.certification.openid.net:60052/export/jwk_60052.json","subject_type":"public","id_token_signed_response_alg":"HS256","client_id_issued_at":1428727919,"client_id":"e308054d-e7e1-457f-8db9-09c908d784cf","client_secret_expires_at":0,"client_name":null,"
 response_types":["code"]}
1.340478 RegistrationResponse: {
  "application_type": "web",
  "client_id": "e308054d-e7e1-457f-8db9-09c908d784cf",
  "client_id_issued_at": 1428727919,
  "client_name": null,
  "client_secret": "0f133402-9235-459d-8977-56686ef87834",
  "client_secret_expires_at": 0,
  "client_type": "Confidential",
  "contacts": [
    "roland.hedberg at umu.se"
  ],
  "default_max_age": 3600,
  "default_max_age_enabled": true,
  "id_token_signed_response_alg": "HS256",
  "jwks_uri": "https://op.certification.openid.net:60052/export/jwk_60052.json",
  "post_logout_redirect_uris": [
    "https://op.certification.openid.net:60052/logout"
  ],
  "public_key_selector": "jwks_uri",
  "redirect_uris": [
    "https://op.certification.openid.net:60052/authz_cb"
  ],
  "registration_access_token": "37213f4f-e030-4db3-a108-6547ef3cb18b",
  "registration_client_uri": "https://oidcp.openrock.org:8043/openam/oauth2/connect/register?client_id=e308054d-e7e1-457f-8db9-09c908d784cf",
  "response_types": [
    "code"
  ],
  "scopes": [
    "phone",
    "address",
    "email",
    "openid",
    "profile"
  ],
  "subject_type": "public",
  "token_endpoint_auth_method": "client_secret_basic"
}
1.351204 ------------ AuthorizationRequest ------------
1.352158 --> URL: https://oidcp.openrock.org:8043/openam/oauth2/authorize?nonce=etdWV9vCIPCN&state=9baUZORVvXeCpbkd&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60052%2Fauthz_cb&response_type=id_token&client_id=e308054d-e7e1-457f-8db9-09c908d784cf&scope=openid&request_uri=https%3A%2F%2Fop.certification.openid.net%3A60052%2Fexport%2FCQrBBytRMD.jwt
1.352166 --> BODY: None
2.162741 QUERY_STRING:
2.997224 <-- error=unsupported_response_type&state=9baUZORVvXeCpbkd&error_description=Client does not support this response type.
2.997498 AuthorizationErrorResponse: {
  "error": "unsupported_response_type",
  "error_description": "Client does not support this response type.",
  "state": "9baUZORVvXeCpbkd"
}
2.997777 ==== END ====

Result
FAILED

```


Responsible: Rohe

More information about the Openid-specs-ab mailing list