[Openid-specs-ab] Issue #48: false negative on Hybrid (code+token) Request with nonce, verifies it was returned in id_token (OP-B-09)? (openid/certification)
Brian Campbell
issues-reply at bitbucket.org
Fri Feb 6 12:44:12 UTC 2015
New issue 48: false negative on Hybrid (code+token) Request with nonce, verifies it was returned in id_token (OP-B-09)?
https://bitbucket.org/openid/certification/issue/48/false-negitive-on-hybrid-code-token
Brian Campbell:
https://bitbucket.org/openid/certification/issue/47 is now resolved and I see the token endpoint call happening. However, the test is reporting a failure for me where it seems it should pass, as the authorization request has nonce=Ji57GAZXxOJo and the ID token has "nonce": "Ji57GAZXxOJo".
```text
Test info
Profile: {'profile': 'CT', 'sub': 'none', 'register': False, 'discover': True, 'extra': False}
Test ID: OP-B-09
Issuer: https://gold.pinglabs.net
Test output
__AuthorizationRequest:pre__
[check-response-type]
status: OK
description: Checks that the asked for response type are among the supported
[check-endpoint]
status: OK
description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[check-http-response]
status: OK
description: Checks that the HTTP response status is within the 200 or 300 range
[check-nonce]
status: ERROR
description: Verify that I in the IDToken gets back the nonce I included in the Authorization Request.
Trace output
0.000145 ------------ DiscoveryRequest ------------
[... omitted …]
1.732266 ------------ AuthorizationRequest ------------
1.732608 --> URL: https://gold.pinglabs.net/as/authorization.oauth2?nonce=Ji57GAZXxOJo&state=51S9oBk6dnHDAkfg&redirect_uri=https%3A%2F%2Foictest.umdc.umu.se%3A8094%2Fauthz_cb&response_type=code+token&client_id=oictest&scope=openid
1.732613 --> BODY: None
15.822481 <-- state=51S9oBk6dnHDAkfg&token_type=Bearer&expires_in=7200&code=xYv1mGmGlXxpc6m3E62X0fiTDxfJQp_BSc8e1xLu&access_token=QgYEcQgocJVnU8fus1RIFgHer9KF
15.822746 AuthorizationResponse: {
"access_token": "QgYEcQgocJVnU8fus1RIFgHer9KF",
"code": "xYv1mGmGlXxpc6m3E62X0fiTDxfJQp_BSc8e1xLu",
"expires_in": 7200,
"state": "51S9oBk6dnHDAkfg",
"token_type": "Bearer"
}
15.822970 ------------ AccessTokenRequest ------------
15.823227 --> URL: https://gold.pinglabs.net/as/token.oauth2
15.823233 --> BODY: code=xYv1mGmGlXxpc6m3E62X0fiTDxfJQp_BSc8e1xLu&grant_type=authorization_code&redirect_uri=https%3A%2F%2Foictest.umdc.umu.se%3A8094%2Fauthz_cb
15.823239 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic b2ljdGVzdDoxUURnV1NwTA=='}
16.573158 <-- STATUS: 200
16.573198 <-- BODY: {"token_type":"Bearer","expires_in":7199,"refresh_token":"AidA8fqgCGv76I0Ei2cxl2mbApE5IcuZfHQYQnorrC","id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImI4NDgwIn0.eyJzdWIiOiJqYnJhZGxleSIsImF1ZCI6Im9pY3Rlc3QiLCJqdGkiOiJGenA1S2pMRVNaR05Fc1poVnd6ZXNUIiwiaXNzIjoiaHR0cHM6XC9cL2dvbGQucGluZ2xhYnMubmV0IiwiaWF0IjoxNDIzMjI1NzMzLCJleHAiOjE0MjMyMjYwMzMsIm5vbmNlIjoiSmk1N0dBWlh4T0pvIiwiYXRfaGFzaCI6IlpvdUU2NUJvRGh1S0dWUmNWbTNiQ1EifQ.dnyx62TVqWDdzMtdZT2EwMtJt7AEqJGfmpgjYEFI16IPCCcY9R4gQfef7_NE000yIyHmBxJ7VbdCQbrXBLsqui6SnZbbcjsZjVckk8my-go5YN61snHRpbHUtITCD9q_vg2qkybDIH-mqPZFRbEZucTXO66XZp9P41xTklsCUcy6UzngAVADVf9zxJm3lSfQSuZ1_pKo6fHRs9GpJvUAyi93b6qHP00AKO0IjlEtVR5ulnbgO7n1et7p4sZQDnoSzlCiFL7HxQOBGABYdaivHS22QP0tXuHZO1uL5UcSCFaBKBIZS41f9jamcI77e4ocJEgmFWOfKHI4AVQJXv386g","access_token":"EutpLxDzjEyns6ymJ2aQjUBx98Sg"}
17.358159 IdToken JWT header: {u'alg': u'RS256', u'kid': u'b8480'}
17.358171 AccessTokenResponse: {
"access_token": "EutpLxDzjEyns6ymJ2aQjUBx98Sg",
"expires_in": 7199,
"id_token": {
"at_hash": "ZouE65BoDhuKGVRcVm3bCQ",
"aud": [
"oictest"
],
"exp": 1423226033,
"iat": 1423225733,
"iss": "https://gold.pinglabs.net",
"jti": "Fzp5KjLESZGNEsZhVwzesT",
"nonce": "Ji57GAZXxOJo",
"sub": "jbradley"
},
"refresh_token": "AidA8fqgCGv76I0Ei2cxl2mbApE5IcuZfHQYQnorrC",
"token_type": "Bearer"
}
Result
FAILED
```
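The check at issue above, as an added example that is not part of the original report or of the certification suite's own code: in the hybrid code+token flow the ID token is delivered by the token endpoint, not in the authorization response, so a nonce check has to read the ID token from whichever response actually carried it. The request URL and claim values are copied from the trace above; the JWT itself is constructed locally with a placeholder signature, and signature verification against the OP's keys is assumed to happen separately before the claims are trusted.

```python
from __future__ import annotations
import base64
import json
from urllib.parse import parse_qs, urlsplit


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(id_token: str) -> dict:
    # Claims only: the signature must be verified separately (against the OP's
    # JWKS) before any of these values are relied upon.
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))


def check_nonce(authz_request_url: str, authz_response: dict,
                token_response: dict) -> tuple[bool, str]:
    """Return (ok, reason). Looks for the ID token in the authorization
    response first (code+id_token variants) and then in the token response
    (code+token, as in the OP-B-09 trace)."""
    expected = parse_qs(urlsplit(authz_request_url).query).get("nonce", [None])[0]
    if expected is None:
        return False, "no nonce in the authorization request"
    id_token = authz_response.get("id_token") or token_response.get("id_token")
    if id_token is None:
        return False, "no ID token in either response"
    got = jwt_claims(id_token).get("nonce")
    if got != expected:
        return False, f"nonce mismatch: request {expected!r}, id_token {got!r}"
    return True, "nonce matches"


# Constructed sample: request URL and claims as in the trace; the JWT is built
# here with a placeholder signature and is NOT the OP's real token.
AUTHZ_URL = ("https://gold.pinglabs.net/as/authorization.oauth2?nonce=Ji57GAZXxOJo"
             "&state=51S9oBk6dnHDAkfg&redirect_uri=https%3A%2F%2Foictest.umdc.umu.se"
             "%3A8094%2Fauthz_cb&response_type=code+token&client_id=oictest&scope=openid")
AUTHZ_RESPONSE = {"code": "xYv1mGmGlXxpc6m3E62X0fiTDxfJQp_BSc8e1xLu",
                  "access_token": "QgYEcQgocJVnU8fus1RIFgHer9KF",
                  "state": "51S9oBk6dnHDAkfg", "token_type": "Bearer"}


def _fake_jwt(claims: dict) -> str:
    seg = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "b8480"}
    return ".".join([seg(json.dumps(header).encode()),
                     seg(json.dumps(claims).encode()),
                     seg(b"placeholder-signature")])


TOKEN_RESPONSE = {"token_type": "Bearer",
                  "id_token": _fake_jwt({"sub": "jbradley", "aud": "oictest",
                                         "iss": "https://gold.pinglabs.net",
                                         "nonce": "Ji57GAZXxOJo"})}

if __name__ == "__main__":
    print(check_nonce(AUTHZ_URL, AUTHZ_RESPONSE, TOKEN_RESPONSE))
```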