[Openid-specs-ab] Issue #105: why is registration_access_token required? (openid/certification)
Brian Campbell
issues-reply at bitbucket.org
Wed Mar 18 21:51:47 UTC 2015
New issue 105: why is registration_access_token required?
https://bitbucket.org/openid/certification/issue/105/why-is-registration_access_token-required
Brian Campbell:
registration_access_token (and registration_client_uri) are OPTIONAL per http://openid.net/specs/openid-connect-registration-1_0.html#RegistrationResponse and only used for the client read request, which isn't a particularly useful feature IMHO and one I don't necessarily support. Client registration read is also only an 'extra test' as far as I can tell from the tool and spreadsheet(s).
I don't believe returning a registration_access_token should be required from client registration.
```
#!text
Test info
Profile: {'openid-configuration': 'config', 'response_type': 'code', 'crypto': 'none+sign', 'registration': 'dynamic'}
Test description: Authorization request missing the response_type parameter [Basic, Implicit, Hybrid]
Test ID: OP-Response-Missing
Issuer: https://gold.pinglabs.net
Test output
[-]
status: ERROR
info: Missing required attribute 'registration_access_token'
Trace output
0.000311 ------------ DiscoveryRequest ------------
0.000323 Provider info discover from 'https://gold.pinglabs.net'
0.000329 --> URL: https://gold.pinglabs.net/.well-known/openid-configuration
1.130151 ProviderConfigurationResponse: {
"authorization_endpoint": "https://gold.pinglabs.net/as/authorization.oauth2",
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": false,
"claims_supported": [
"address",
"birthdate",
"email",
"email_verified",
"family_name",
"gender",
"given_name",
"locale",
"middle_name",
"name",
"nickname",
"phone_number",
"picture",
"preferred_username",
"profile",
"sub",
"website",
"zoneinfo"
],
"grant_types_supported": [
"authorization_code",
"implicit"
],
"id_token_signing_alg_values_supported": [
"none",
"HS256",
"HS384",
"HS512",
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512"
],
"issuer": "https://gold.pinglabs.net",
"jwks_uri": "https://gold.pinglabs.net/pf/JWKS",
"ping_end_session_endpoint": "https://gold.pinglabs.net/idp/startSLO.ping",
"ping_revoked_sris_endpoint": "https://gold.pinglabs.net/pf-ws/rest/sessionMgmt/revokedSris",
"registration_endpoint": "https://gold.pinglabs.net/idp/client-registration.openid",
"request_object_signing_alg_values_supported": [
"none"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_modes_supported": [
"fragment",
"query",
"form_post"
],
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token"
],
"revocation_endpoint": "https://gold.pinglabs.net/as/revoke_token.oauth2",
"scopes_supported": [
"product",
"phone",
"pingone-native-application",
"address",
"email",
"admin",
"edit",
"openid",
"profile"
],
"subject_types_supported": [
"public"
],
"token_endpoint": "https://gold.pinglabs.net/as/token.oauth2",
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post",
"none"
],
"userinfo_endpoint": "https://gold.pinglabs.net/idp/userinfo.openid",
"version": "3.0"
}
1.471188 JWKS: {
"keys": [
{
"crv": "P-521",
"kid": "c1m80",
"kty": "EC",
"use": "sig",
"x": "AIU-nLqGqM1Ez_3cmbKByvlN2JX0zc6zxHFmhjcsyCGaWgsiHCXCAi2n-dkLZVmg7EI7ChdU1BiQyaZ3w8I5N3Zx",
"y": "Ab779yo8hL87Kyp5EKNSzXtd9qCLg6XzRlJh1NhlHNlYbryKlRxFuzm3ge05ySMu2NpVlUj_2wVMsQar_YG9Mj7f"
},
{
"crv": "P-384",
"kid": "c1m7z",
"kty": "EC",
"use": "sig",
"x": "NNREG6idlirPbAZz5a3WXJ0y59RfL4W7dhHTQzeWA3ZqBC0zPQ_K3deJem3fKPQr",
"y": "ue4cXqjWYl1JdStvflXNUoejlPKGmIMkuv-ofKnbZpHbnuftcV6V6Z7PefsTaUcP"
},
{
"crv": "P-256",
"kid": "c1m7y",
"kty": "EC",
"use": "sig",
"x": "LbuNYZejOQoiSa1mUk5F_FqvvXa7C3TXLRBe0enIJFE",
"y": "xxFNaIx4r8bPkyJPa5V7tWWjEvdVZrRLBSAA-YWNgfk"
},
{
"e": "AQAB",
"kid": "c1m7x",
"kty": "RSA",
"n": "waIkRSTDYKkow6VWs9a9lHvUEaqJxcDpaeKFAvXCMJzxclU2xLs-vIRlCuRVv2855K77EQjE3rCePEJorcULll-gI9fzud58PGw2QmSiIfvkR99oN-J4oG0kO_vKKhMT4yY6g5JvJvMKMNy6qdd8le-Ytot5dEDjoJpHWblxbMY7vn4LKlYjhw3nNmVb2GGULPuH6Yfgm15cLpwQ6D2wBgelGf2-v1XkIK58w5kE6z62aaOHo0noJAbb5FnwAvWbGl6uMZQ95Pr_5B-TMHzRFEWVvRtGFGHtX9AQfmVgcZ9VVI2HKO3skhGJg6kUOcLvThJ00fk2X14CF4g5r4PbVQ",
"use": "sig"
},
{
"crv": "P-521",
"kid": "c1m7w",
"kty": "EC",
"use": "sig",
"x": "AAWBiXWix0Nnh5zCYMMcyyiY0DmR67h-UTXNtXYCgBdPr84VJc3tTTnjGXIyIQAO2xKPMMMNaTSZpxOai0KFjGlO",
"y": "AHm1VHA6o1tcT94sm_1t8T-pnftGf7Qk_tjIRce48Y5zdMsb1whwC4P-NPeugoYPw7iKDDQFUMXB60ux15mCiecX"
},
{
"crv": "P-384",
"kid": "c1m7v",
"kty": "EC",
"use": "sig",
"x": "XmDJ3DfUKWen9VXUbdwNtv_uBOgTBtZkML41p4oLW2DhEOuoZwqaWTert_OGLEBd",
"y": "Ac8d6ei4jC8_3AssjtIWago8wz91X2vHeJHvWUOCnyc2MeZbPvjb-eHVbWkRzlpT"
},
{
"crv": "P-256",
"kid": "c1m7u",
"kty": "EC",
"use": "sig",
"x": "Gp7F3IW95Cu_Oy3pk73oFbAdhftCZG5r-R-MNCVBY5s",
"y": "gvihB5DRWd-b90PFVj3sCkvKlup7kpY349tD9i49Of0"
},
{
"e": "AQAB",
"kid": "c1m7t",
"kty": "RSA",
"n": "wOicQ7SBj-QEZ53hk-pcXcadqGzdOqFLyrcizNlXepyiymQV8Y2PEGJpKRWc91pCFkK5wA-p6ZQU0J9Jx2VrVqLI7UClxlCbRBE_myQ_MnVABnR405QmAXOOOohidISmi8IbLkB8WfdvvH3EJafviHidWh5DdDZG3u-zqGMXZ4iBMRJKmXb9zntnz0EozlPBbDG9Idr7OV1vkc4vql_Vhk56C3wtsT1ucXZL4bylALdvyZvaKdgjcA3IJHa0l6rxBJ3LhZHJYbGc7RgyaspGLZ4zkvubC0mzU0d8qpmTEHfLGJWzc9XKnDRdqi8GpO43QLDwV0ZG9TxzJMI9RWAb4Q",
"use": "sig"
}
]
}
1.472088 ------------ RegistrationRequest ------------
1.472466 --> URL: https://gold.pinglabs.net/idp/client-registration.openid
1.472473 --> BODY: {"subject_type": "public", "jwks_uri": "https://op.certification.openid.net:60050/export/jwk_60050.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["authorization_code"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60050/logout"], "redirect_uris": ["https://op.certification.openid.net:60050/authz_cb"], "response_types": ["code"], "require_auth_time": true, "default_max_age": 3600}
1.472482 --> HEADERS: {'Content-type': 'application/json'}
1.890555 <-- STATUS: 200
1.890593 <-- BODY: {"client_id":"_.Yp5vGjfFfHF0JK5WthtLozMd","client_secret":"YxhTrku75NC3phLbmlk6Zo-NbAGHwxhN2er1UDgaSGByUxdinPtIFlKhQ2nIpc5lW4CVsUI7Z3kMZXnJz-htMg","token_endpoint_auth_method":"client_secret_basic","expires_at":0,"client_name":"NO CLIENT NAME PROVIDED","logo_uri":null,"redirect_uris":["https://op.certification.openid.net:60050/authz_cb"],"grant_types":["authorization_code"]}
1.891847 [ERROR] MissingRequiredAttribute:Missing required attribute 'registration_access_token'
Result
PARTIAL RESULT
```
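Added example, not part of the original message or of the certification tool: a Python check of a registration response against the member rules in section 3.2 of OpenID Connect Dynamic Client Registration 1.0, where `client_id` is REQUIRED, `registration_access_token` and `registration_client_uri` are OPTIONAL but must be returned together or not at all, and `client_secret_expires_at` is REQUIRED only when a `client_secret` is issued. The function name and the sample bodies are hypothetical and constructed for illustration.

```python
import json

# Response members per OpenID Connect Dynamic Client Registration 1.0, section 3.2.
REQUIRED = ("client_id",)
# The spec requires these two to be returned together or not at all.
PAIRED = ("registration_access_token", "registration_client_uri")


def check_registration_response(body: str) -> list[str]:
    """Return a list of conformance problems; an empty list means the body passes."""
    try:
        resp = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not JSON: {exc.msg}"]
    if not isinstance(resp, dict):
        return ["body is not a JSON object"]

    problems = []
    for name in REQUIRED:
        if not isinstance(resp.get(name), str) or not resp[name]:
            problems.append(f"missing required member '{name}'")

    # Absence of both paired members is valid; only a lone one is an error.
    present = [name for name in PAIRED if resp.get(name)]
    if len(present) == 1:
        missing = next(n for n in PAIRED if n not in present)
        problems.append(f"'{present[0]}' returned without '{missing}'")

    # client_secret_expires_at is required only when a secret is issued.
    if resp.get("client_secret") and "client_secret_expires_at" not in resp:
        problems.append("client_secret issued without 'client_secret_expires_at'")
    return problems


# Constructed sample bodies (placeholder values, not taken from the trace).
NO_TOKEN = json.dumps({"client_id": "example-client",
                       "redirect_uris": ["https://rp.example/cb"]})
TOKEN_ONLY = json.dumps({"client_id": "example-client",
                         "registration_access_token": "example-token"})
NO_CLIENT_ID = json.dumps({"redirect_uris": ["https://rp.example/cb"]})

if __name__ == "__main__":
    for label, body in [("no token", NO_TOKEN), ("token only", TOKEN_ONLY),
                        ("no client_id", NO_CLIENT_ID)]:
        print(label, "->", check_registration_response(body) or "OK")
```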