[Openid-specs-ab] Issue #97: Test OP-request_uri-Unsigned not treating legal error code request_uri_not_supported as a success condition when not testing Dynamic profile (openid/certification)
Michael Jones
issues-reply at bitbucket.org
Tue Mar 17 00:32:57 UTC 2015
New issue 97: Test OP-request_uri-Unsigned not treating legal error code request_uri_not_supported as a success condition when not testing Dynamic profile
https://bitbucket.org/openid/certification/issue/97/test-op-request_uri-unsigned-not-treating
Michael Jones:
As allowed by http://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter, the configuration https://op.certification.openid.net:60708/ is returning the error request_uri_not_supported. The tests need to recognize this error code and treat it as a success condition unless testing the Dynamic profile, in which full support for request_uri is required, per http://openid.net/specs/openid-connect-core-1_0.html#DynamicMTI.
You should probably add a separate test for the Dynamic profile case, in which returning request_uri_not_supported *is* treated as an error. Maybe call that one OP-request_uri-Unsigned-Dynamic. And only trigger the current test in the static registration case.
The log follows:
Test info
Profile: {'openid-configuration': 'config', 'response_type': 'id_token+token', 'crypto': 'sign', 'registration': 'static'}
Test description: Support request_uri request parameter with unsigned request [Basic, Implicit, Hybrid, Dynamic]
Test ID: OP-request_uri-Unsigned
Issuer: https://stsadweb.one.microsoft.com/adfs
________________________________________
Test output
__AuthorizationRequest:pre__
[check-response-type]
status: OK
description: Checks that the asked for response type are among the supported
[check-endpoint]
status: OK
description: Checks that the necessary endpoint exists at a server
[-]
status: ERROR
info: request_uri_not_supported
________________________________________
Trace output
0.000290 ------------ DiscoveryRequest ------------
0.000301 Provider info discover from 'https://stsadweb.one.microsoft.com/adfs'
0.000307 --> URL: https://stsadweb.one.microsoft.com/adfs/.well-known/openid-configuration
0.452911 ProviderConfigurationResponse: {
"access_token_issuer": "http://stsadweb.one.microsoft.com/adfs/services/trust",
"authorization_endpoint": "https://stsadweb.one.microsoft.com/adfs/oauth2/authorize/",
"claims_parameter_supported": false,
"claims_supported": [
"aud",
"iss",
"iat",
"exp",
"auth_time",
"nonce",
"at_hash",
"c_hash",
"sub",
"upn",
"unique_name",
"pwd_url",
"pwd_exp",
"ver"
],
"grant_types_supported": [
"authorization_code",
"refresh_token",
"client_credentials",
"urn:ietf:params:oauth:grant-type:jwt-bearer",
"implicit",
"password"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"issuer": "https://stsadweb.one.microsoft.com/adfs",
"jwks_uri": "https://stsadweb.one.microsoft.com/adfs/discovery/keys",
"request_parameter_supported": false,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"response_types_supported": [
"code",
"id_token",
"code id_token",
"token id_token"
],
"scopes_supported": [
"user_impersonation",
"full_access",
"logon_cert",
"vpn_cert",
"email",
"openid",
"aza",
"profile"
],
"subject_types_supported": [
"pairwise"
],
"token_endpoint": "https://stsadweb.one.microsoft.com/adfs/oauth2/token/",
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"windows_client_authentication"
],
"token_endpoint_auth_signing_alg_values_supported": [
"RS256"
],
"version": "3.0",
"webfinger_endpoint": "https://stsadweb.one.microsoft.com/adfs/.well-known/webfinger"
}
0.888772 JWKS: {
"keys": [
{
"alg": "RS256",
"e": "AQAB",
"kid": "f-5GWKyaV6fDdnKB7A3b0llXZ0E",
"kty": "RSA",
"n": "ygUNL9XXanKy_fQ1X0SMt9LRKpH3Xup1lk5mivaw7thYRPrkGArJezV4x-hfk3Rm9qv6ikBGnTW0lI8FqotLcXmvIBqtbIDfSh59uts1r0QLRUVKS_2OL_Ia8KL56VHhG7fnjH9-rLE8Exksnb3f6y0dkF2VhU2-ED5fhpHbHZi7kCv7jt1xgsk7xrM1WpQNBP3xq15BfMu83TgUKT21HP-E7O9hEFFJ1M0BJg0uZNxNUauLhbwd05dqB-k2Nmr6XUnEQlW0nU9BJvWSs0xruyirHKbOCllEVopZ2vyc1z7_YWPcxDXFx2q52f0_mh74mafkE-Xi5Njk0dkH4OqGaQ",
"use": "sig",
"x5c": [
],
"x5t": "f-5GWKyaV6fDdnKB7A3b0llXZ0E"
}
]
}
0.889602 ------------ AuthorizationRequest ------------
0.890495 --> URL: https://stsadweb.one.microsoft.com/adfs/oauth2/authorize/?nonce=CRHEcSyb90yF&resource=http%3A%2F%2Fwww.microsoftshouldfixthisbug.com%2F&state=0aZacxGnR9pY6rPx&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60708%2Fauthz_cb&response_type=id_token+token&client_id=OICTest3&scope=openid&request_uri=https%3A%2F%2Fop.certification.openid.net%3A60708%2Fexport%2FwblOgk8phY.jwt
0.890504 --> BODY: None
1.044231 QUERY_STRING:client-request-id=00000000-0000-0000-822b-008000000099
1.545504 <-- error=request_uri_not_supported&error_description=MSIS9635%3a+The+%27request_uri%27+parameter+is+not+supported.&state=0aZacxGnR9pY6rPx
1.546513 [ERROR] NotAllowedValue:request_uri_not_supported
________________________________________
Result
FAILED
Responsible: Rohe
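The grading rule requested in the issue above, written out as an added example (not code from the certification test suite). The function name, the 'dynamic' registration value and the returned notes are assumptions; the sample inputs are copied from the profile and trace in the log.

```python
from urllib.parse import parse_qs

NOT_SUPPORTED = "request_uri_not_supported"

# Sample inputs taken from the log above (discovery document reduced to two keys).
PROFILE = {"openid-configuration": "config", "response_type": "id_token+token",
           "crypto": "sign", "registration": "static"}
PROVIDER_INFO = {"request_uri_parameter_supported": True,
                 "require_request_uri_registration": True}
RESPONSE = ("error=request_uri_not_supported&error_description=MSIS9635%3a+The+"
            "%27request_uri%27+parameter+is+not+supported.&state=0aZacxGnR9pY6rPx")
SENT_STATE = "0aZacxGnR9pY6rPx"


def grade_request_uri_response(profile, provider_info, response, sent_state):
    """Grade the authorization response of a request_uri test.

    Returns (status, notes) where status is "OK" or "ERROR".
    """
    params = {k: v[0] for k, v in parse_qs(response).items()}

    # A response that does not echo our state cannot be tied to this test run.
    if params.get("state") != sent_state:
        return "ERROR", ["state mismatch"]

    error = params.get("error")
    if error is None:
        return "OK", ["request_uri accepted"]
    if error != NOT_SUPPORTED:
        return "ERROR", ["unexpected error: " + error]

    notes = []
    # Discovery defaults request_uri_parameter_supported to true when omitted;
    # metadata that advertises support while the endpoint refuses is worth flagging.
    if provider_info.get("request_uri_parameter_supported", True):
        notes.append("discovery advertises request_uri_parameter_supported=true")

    # "dynamic" is an assumed profile value; the log only shows "static".
    if profile.get("registration") == "dynamic":
        notes.append("Dynamic profile requires request_uri support")
        return "ERROR", notes
    notes.append("request_uri_not_supported is legal outside the Dynamic profile")
    return "OK", notes


if __name__ == "__main__":
    print(grade_request_uri_response(PROFILE, PROVIDER_INFO, RESPONSE, SENT_STATE))
```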