[Openid-specs-ab] Issue #58: Trying to use access code twice should result in revoking previous issued tokens (OP-OAuth-2nd-Revokes) (openid/certification)
Brian Campbell
issues-reply at bitbucket.org
Fri Feb 13 14:32:50 UTC 2015
New issue 58: Trying to use access code twice should result in revoking previous issued tokens (OP-OAuth-2nd-Revokes)
https://bitbucket.org/openid/certification/issue/58/trying-to-use-access-code-twice-should
Brian Campbell:
The "should" is a SHOULD in RFC 6749 (http://tools.ietf.org/html/rfc6749#section-4.1.2 and http://tools.ietf.org/html/rfc6749#section-10.5) and these conformance tests shouldn't be more prescriptive than the standard.
Apparently it was decided that this test should produce a warning: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20150209/005213.html
However, it's still showing red (failure) for me. And to confuse matters, the log (pasted below) ends with an "ERROR" but then has Result PASSED.
```text
Test info
Profile: {'profile': 'C', 'sub': 'none', 'register': False, 'discover': True, 'extra': False}
Test ID: OP-OAuth-2nd-Revokes
Issuer: https://gold.pinglabs.net
Test output
__AuthorizationRequest:pre__
[check-response-type]
status: OK
description: Checks that the asked for response type are among the supported
[check-endpoint]
status: OK
description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
Trace output
0.000309 ------------ DiscoveryRequest ------------
0.000332 Provider info discover from 'https://gold.pinglabs.net/'
0.000337 --> URL: https://gold.pinglabs.net/.well-known/openid-configuration
[...]
1.659301 ------------ AuthorizationRequest ------------
1.659627 --> URL: https://gold.pinglabs.net/as/authorization.oauth2?scope=openid&state=ZpSWnMbq9BcJKJd9&redirect_uri=https%3A%2F%2Foictest.umdc.umu.se%3A8094%2Fauthz_cb&response_type=code&client_id=oictest
1.659632 --> BODY: None
23.069141 <-- state=ZpSWnMbq9BcJKJd9&code=UPO0VEFdq1SIxuQZxqhB_wWKFiqPGSg5mgcjP01b
23.069415 AuthorizationResponse: {
"code": "UPO0VEFdq1SIxuQZxqhB_wWKFiqPGSg5mgcjP01b",
"state": "ZpSWnMbq9BcJKJd9"
}
23.069657 ------------ AccessTokenRequest ------------
23.069908 --> URL: https://gold.pinglabs.net/as/token.oauth2
23.069914 --> BODY: code=UPO0VEFdq1SIxuQZxqhB_wWKFiqPGSg5mgcjP01b&grant_type=authorization_code&redirect_uri=https%3A%2F%2Foictest.umdc.umu.se%3A8094%2Fauthz_cb
23.069921 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic b2ljdGVzdDoxUURnV1NwTA=='}
23.885950 <-- STATUS: 200
23.885992 <-- BODY: {"token_type":"Bearer","expires_in":7199,"refresh_token":"DKacmW2AsPMNBXSbk6dOml9Ar9XmS76G32BBLtVEgE","id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImU5b2lmIn0.eyJzdWIiOiJqYnJhZGxleSIsImF1ZCI6Im9pY3Rlc3QiLCJqdGkiOiJZZjRMQTc5VVRJTm1Hdm5MaVFGQ1dpIiwiaXNzIjoiaHR0cHM6XC9cL2dvbGQucGluZ2xhYnMubmV0IiwiaWF0IjoxNDIzODM3ODMyLCJleHAiOjE0MjM4MzgxMzJ9.VXe1StsKPB5ipP_s3UDcc0zWMQa55ArVu_7EE6chkKaMMI3qMVAKUFNE29oKRQBvtLlc4MMO4_K8wZ0MyyWvd8ZpyJC5PqgW2z4tNU2Sh_frWalji1LPjhekZ2T6ogf3NtwR6l-ofm5-AMTGv5tPyAQoSx7hHOjpYJkuuI9A8hEvPvgqMayAqLeeE9FbpaTDz4Vkmjql87F2U46MjYhntAEq1pi5sdwHdY-ZQ0Yc1cqWL0_8lwod9wgjurM6D6RoLdvuhjtq9v6ipt24Ps6PlnLZTri-VthTnGPk-CXaiqJ2m7PQklkmiEDJCg0gGwT0osx4izpO5QngfbLzWol1Og","access_token":"oGOmfri5eByQix8izi5PfYIg1phg"}
24.749450 IdToken JWT header: {u'alg': u'RS256', u'kid': u'e9oif'}
24.749468 AccessTokenResponse: {
"access_token": "oGOmfri5eByQix8izi5PfYIg1phg",
"expires_in": 7199,
"id_token": {
"aud": [
"oictest"
],
"exp": 1423838132,
"iat": 1423837832,
"iss": "https://gold.pinglabs.net",
"jti": "Yf4LA79UTINmGvnLiQFCWi",
"sub": "jbradley"
},
"refresh_token": "DKacmW2AsPMNBXSbk6dOml9Ar9XmS76G32BBLtVEgE",
"token_type": "Bearer"
}
24.750465 ------------ AccessTokenRequest ------------
24.750720 --> URL: https://gold.pinglabs.net/as/token.oauth2
24.750724 --> BODY: code=UPO0VEFdq1SIxuQZxqhB_wWKFiqPGSg5mgcjP01b&grant_type=authorization_code&redirect_uri=https%3A%2F%2Foictest.umdc.umu.se%3A8094%2Fauthz_cb
24.750730 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic b2ljdGVzdDoxUURnV1NwTA=='}
25.532275 <-- STATUS: 400
25.532370 ErrorResponse: {
"error": "invalid_grant",
"error_description": "Authorization code is invalid or expired."
}
25.533152 ------------ UserInfoRequest ------------
25.533355 --> URL: https://gold.pinglabs.net/idp/userinfo.openid
25.533360 --> BODY: None
25.533366 --> HEADERS: {'Authorization': u'Bearer oGOmfri5eByQix8izi5PfYIg1phg'}
26.441862 <-- STATUS: 200
26.441918 <-- BODY: {"sub":"jbradley"}
26.442331 OpenIDSchema: {
"sub": "jbradley"
}
26.444553 [ERROR] MissingRequiredAttribute:Missing required attribute 'error'
Result
PASSED
```
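The trace above exercises exactly the two RFC 6749 clauses the issue cites: on a second redemption of the same authorization code the server MUST deny the request (the 400 `invalid_grant` in the log), and it SHOULD revoke tokens previously issued from that code (which is why the test then probes the userinfo endpoint with the first access token). The following is an added example, not code from the OpenID certification suite or from the provider in the log: a toy token endpoint with switches for each clause, and a check that replays the flow and grades it the way the thread argues it should be graded, with a failure only for the MUST and a warning for the SHOULD. The class and function names, the `deny_reuse`/`revoke_on_reuse` switches, the PASSED/WARNING/FAILED labels and all token values are assumptions constructed for the example.

```python
"""Model of RFC 6749 authorization-code redemption (sections 4.1.2 and 10.5)
and a conformance check in the spirit of OP-OAuth-2nd-Revokes.

Added example: not the certification suite's code and not any real server.
All names, switches and token values are constructed for illustration.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class IssuedTokens:
    access_token: str
    refresh_token: str


@dataclass
class AuthorizationServer:
    """Minimal token + userinfo endpoints.

    deny_reuse      -> the MUST: a second redemption of a code is rejected.
    revoke_on_reuse -> the SHOULD: tokens minted from that code are revoked.
    """
    deny_reuse: bool = True
    revoke_on_reuse: bool = True
    _pending: dict[str, str] = field(default_factory=dict)          # code -> client_id, not yet redeemed
    _redeemed: dict[str, IssuedTokens] = field(default_factory=dict)  # code -> tokens issued from it
    _active_access: set[str] = field(default_factory=set)
    _active_refresh: set[str] = field(default_factory=set)

    def issue_code(self, client_id: str) -> str:
        code = secrets.token_urlsafe(24)
        self._pending[code] = client_id
        return code

    def _mint(self, code: str) -> dict:
        tokens = IssuedTokens(secrets.token_urlsafe(16), secrets.token_urlsafe(24))
        self._redeemed[code] = tokens
        self._active_access.add(tokens.access_token)
        self._active_refresh.add(tokens.refresh_token)
        return {"access_token": tokens.access_token, "token_type": "Bearer",
                "expires_in": 7199, "refresh_token": tokens.refresh_token}

    def token(self, code: str, client_id: str) -> dict:
        """Authorization-code grant at the token endpoint."""
        if code in self._redeemed:
            if not self.deny_reuse:
                return self._mint(code)  # non-conformant: hands out fresh tokens for a used code
            if self.revoke_on_reuse:
                # A replayed code suggests it leaked; invalidate everything it produced.
                old = self._redeemed[code]
                self._active_access.discard(old.access_token)
                self._active_refresh.discard(old.refresh_token)
            return {"error": "invalid_grant",
                    "error_description": "Authorization code is invalid or expired."}
        if self._pending.pop(code, None) != client_id:
            return {"error": "invalid_grant"}
        return self._mint(code)

    def userinfo(self, access_token: str) -> dict:
        """Resource endpoint protected by the access token."""
        if access_token in self._active_access:
            return {"status": 200, "body": {"sub": "jbradley"}}  # constructed sample subject
        return {"status": 401, "body": {"error": "invalid_token"}}


def run_second_redemption_check(op: AuthorizationServer, client_id: str = "oictest") -> str:
    """Replay the trace: redeem, redeem again, then probe userinfo with the first token.

    FAILED  -> second redemption succeeded (MUST violated)
    WARNING -> second redemption denied but the first token still works (SHOULD not honoured)
    PASSED  -> denied and revoked
    """
    code = op.issue_code(client_id)
    first = op.token(code, client_id)
    second = op.token(code, client_id)
    if "error" not in second:
        return "FAILED"
    probe = op.userinfo(first["access_token"])
    if probe["status"] == 200:
        return "WARNING"
    return "PASSED"


if __name__ == "__main__":
    for kwargs in ({}, {"revoke_on_reuse": False}, {"deny_reuse": False}):
        print(kwargs, "->", run_second_redemption_check(AuthorizationServer(**kwargs)))
```

Run against the log in the thread, the server answers the second redemption with `invalid_grant` but still serves userinfo for the original access token, which this grading reports as WARNING; the harness in the log instead records an `[ERROR]` for the missing `error` attribute, which is the discrepancy the issue is about.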