[Openid-specs-ab] Issue #122: OP-OAuth-2nd-Revokes is broken again (getting fail where it should be a warning) (openid/certification)
Brian Campbell
issues-reply at bitbucket.org
Fri Mar 20 12:00:29 UTC 2015
New issue 122: OP-OAuth-2nd-Revokes is broken again (getting fail where it should be a warning)
https://bitbucket.org/openid/certification/issue/122/op-oauth-2nd-revokes-is-broken-again
Brian Campbell:
Recent work on OP-OAuth-2nd* clean up seems to have introduced (or reintroduced; it seems similar to #58) this problem.
We should get a warning here, not a failure, when the access token obtained from the initial code exchange is used at the user info endpoint after the second code exchange fails.
```text
Test info
Profile: {'openid-configuration': 'config', 'response_type': 'code', 'crypto': 'none+sign', 'registration': 'dynamic'}
Test description: Trying to use authorization code twice should result in revoking previous issued access tokens [Basic, Hybrid]
Test ID: OP-OAuth-2nd-Revokes
Issuer: https://gold.pinglabs.net
Test output
__RegistrationRequest:post__
[check]
status: INFORMATION
description: Registration Response
info: {"client_id":"_.dS5V4iR8mrI8Hscm5SJGOI4U","client_secret":"PL1j-l8chJjx7RI8xzvy2Pz-o7vBVHVUJkBuvShd9UnCXBwMh3rV5jj6sutzO3hF52t3dO6ZIfW-xoATds-r9Q","token_endpoint_auth_method":"client_secret_basic","expires_at":0,"client_name":"NO CLIENT NAME PROVIDED","redirect_uris":["https://op.certification.openid.net:60050/authz_cb"],"grant_types":["authorization_code"]}
__AuthorizationRequest:pre__
[check-response-type]
status: OK
description: Checks that the asked for response type are among the supported
[check-endpoint]
status: OK
description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[verify-response]
status: ERROR
description: Checks that the last response was one of a possible set of OpenID Connect Responses
info: Got a OpenIDSchema response
Trace output
0.000322 ------------ DiscoveryRequest ------------
0.000337 Provider info discover from 'https://gold.pinglabs.net'
0.000344 --> URL: https://gold.pinglabs.net/.well-known/openid-configuration
0.355964 ProviderConfigurationResponse: {
"authorization_endpoint": "https://gold.pinglabs.net/as/authorization.oauth2",
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": false,
"claims_supported": [
"address",
"birthdate",
"email",
"email_verified",
"family_name",
"gender",
"given_name",
"locale",
"middle_name",
"name",
"nickname",
"phone_number",
"picture",
"preferred_username",
"profile",
"sub",
"website",
"zoneinfo"
],
"grant_types_supported": [
"authorization_code",
"implicit"
],
"id_token_signing_alg_values_supported": [
"none",
"HS256",
"HS384",
"HS512",
"RS256",
"RS384",
"RS512",
"ES256",
"ES384",
"ES512"
],
"issuer": "https://gold.pinglabs.net",
"jwks_uri": "https://gold.pinglabs.net/pf/JWKS",
"ping_end_session_endpoint": "https://gold.pinglabs.net/idp/startSLO.ping",
"ping_revoked_sris_endpoint": "https://gold.pinglabs.net/pf-ws/rest/sessionMgmt/revokedSris",
"registration_endpoint": "https://gold.pinglabs.net/idp/client-registration.openid",
"request_object_signing_alg_values_supported": [
"none"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_modes_supported": [
"fragment",
"query",
"form_post"
],
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token"
],
"revocation_endpoint": "https://gold.pinglabs.net/as/revoke_token.oauth2",
"scopes_supported": [
"product",
"phone",
"pingone-native-application",
"email",
"address",
"admin",
"edit",
"openid",
"profile"
],
"subject_types_supported": [
"public"
],
"token_endpoint": "https://gold.pinglabs.net/as/token.oauth2",
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post",
"none"
],
"userinfo_endpoint": "https://gold.pinglabs.net/idp/userinfo.openid",
"version": "3.0"
}
0.639323 JWKS: {
"keys": [
{
"crv": "P-521",
"kid": "db8bn",
"kty": "EC",
"use": "sig",
"x": "ASLwmn2_-KYo83mxm98F6GovY4D44cYYoTRLeAFpqQU03vg805X3QDEwu7jokx3YSf5-zGyzoB4-TeZsz29TJUwS",
"y": "AFu9fYtiPgCg1HrKibnXp5Gqxsg-Mm9L3t4sATbzQ1xCx0NJ-Dzp3j91vjA-CN62eoEwGLfMDB66K0tu6wYK--hm"
},
{
"crv": "P-384",
"kid": "db8bm",
"kty": "EC",
"use": "sig",
"x": "1hL-CwQ5nlrYxLWkHyQ5wlD3JXXwVXdTyhBS1Bb-5Zw8mvMabBWwOXOgbTrvX2wN",
"y": "ulduhNII1Y9ZiHQ1KaLKiY1a2nk7TPoPDGeE_uAVzZg2IQudwpOWdY4wwsmkbXJu"
},
{
"crv": "P-256",
"kid": "db8bl",
"kty": "EC",
"use": "sig",
"x": "d48GrAXUpOVbDZQZt5gvo3qTKfyBpPuS5ywc6QaA_e4",
"y": "fzQiPiafTHBgj4f1O-CjMsJl7ufDbjfJiJgKh-amuO0"
},
{
"e": "AQAB",
"kid": "db8bk",
"kty": "RSA",
"n": "hN3QkB3WFMlmYdJtEi7VrBz8zCsy0Z2dq8AjFjFH3hAoQnJI7U7rnuY-Mb7RsFbPxcE-abwnW4kRq5CXqw5idmaX2sU8J1sEOqNBzRMFQpd3ejdKCDTUu3CJBCk4--0z6JZOf220EqHGv8TqRqUrBv4CjacJTfHVBFzUDdPR-9baRzCMAQjOZBiMu3Mjqe877bHV0RypUqA8O318p7OuPYtd6_hqZoeL2v_Lh7yTJ5UlmXnBSMN5frrMzbruN4OYxc1NkbGbxM0r0DIBpC2loLxJYK21hM_KBdCmpIWx7UxWWXVrSvIfda2gq5rekN_M7mqhm2M2udTiR7inMNAcNw",
"use": "sig"
},
{
"crv": "P-521",
"kid": "db8bj",
"kty": "EC",
"use": "sig",
"x": "ACSR7VCMCfNW1P-WOmfkYl6hC4rTXsy5OP8S_54FVacLq7DVp8Cdoox68icQN2hVaM07mxfFrs3o6wn55GgTeyHl",
"y": "ANdpBLJo3sbVmDK_T4Vh5vJ5d3xuQI12li9wdV-6VCoUxXyxTD-qKiM1skP26S2pTSrUvXmZjsnqq6xlFwdAeyDO"
},
{
"crv": "P-384",
"kid": "db8bi",
"kty": "EC",
"use": "sig",
"x": "ho8Ucz6EttMS-fSd8yU3nvA3WSOHkfkLg2Gndo--KRP0a0wwuRjeVVc5GgN7g-43",
"y": "63IfclToASFrhgNcnaAqe7uZ4scN5RdUp9B_2-ecm-AxHs73JyS6S9ez_4T0G6YC"
},
{
"crv": "P-256",
"kid": "db8bh",
"kty": "EC",
"use": "sig",
"x": "jjSV_4p0KGoJ4JuwHEZAaFy2FSplC3R-USGZckNJyY8",
"y": "Lt1G6pWNiu4MMXlINMSp0mwSAsSLtHhe-eBR1EQN67o"
},
{
"e": "AQAB",
"kid": "db8bg",
"kty": "RSA",
"n": "r6hSRwrjSebC2HFz7NRXs3loS2qrAz3E21v1Lpxabykcs_7i3nfYKoVu6ssgXarXBPHD_oRjQ-I26WPW3_5hQzyxrMMDlEShAXrZfMjLEU1Rov3XNRdLWT09cCzRMJ3ipzHYABAnylP_ifr5kGcoE60uhf6_9tixr-oBmFF2yh4jY0l0vrCkXyxNZHki4cBE-SzYzCuDlVG6WcYXETXCuzqIMfm-Ius_bUWK2Kefky9XWk-DGR2MeE8-hrsMJahaMDoTZCbl1id3eKoCLChG7n_DnE-1Z16WYLkzQffnjndGRnjcABW3yY4e9wZeeD43jQ9YR3BPA7TRD4XfqmzXZQ",
"use": "sig"
},
{
"crv": "P-521",
"kid": "db8bf",
"kty": "EC",
"use": "sig",
"x": "AYF14IO8ntW7Ub5aKgk6hdnGNn9PPUDjyqLskou_ERSkimNUiccWWTmSsbe1bRNlyNOAO_3zM8HuEPZTKE1rUD4C",
"y": "AA9P6ZpXl9t_W-8-ptZ7IRokc1TIb-jl14FIc7AQY3tvmkXNotViQXC_rVzHhizrgtsNmYdVl2DOsGqFXzVZrHFe"
},
{
"crv": "P-384",
"kid": "db8be",
"kty": "EC",
"use": "sig",
"x": "MouHmNhJBVVeLR3e9lb_tSqXTANHJLQz-ivXrg7zU_Qgi94HDAeMlI-nMbaR0h9H",
"y": "wKtUmUdLC62SzOk06sPqUKLQqa5Jn-5iUywau7doFZCYNzCPIvWkKWKf5mO1fQz1"
},
{
"crv": "P-256",
"kid": "db8bd",
"kty": "EC",
"use": "sig",
"x": "4VKlQkRC4-fhoRR2m4aBup4OGzXFUudvmPEvHse2yUQ",
"y": "JJqrLy7z825x-piZepFjav9nqyroDmt-UYLkI8hxD6o"
},
{
"e": "AQAB",
"kid": "db8bc",
"kty": "RSA",
"n": "l2eYpRaSwgPlS6hgKJivQQNUAMMDq829wJ1EI0RfoTPpnlQ_PV5AWcpYioEWwH-oZrvsy7Krt0BgKTzD7-TbjmfT_rmTA1GN-L5XOJ9gmZ0QtDY6wagyFdcLAnHpbjLbtVGk2avVsBEcLXQx2CdfbMUDpG8wWBpgBa3aOFTPgjSlP_UxuSvusswxcZMyscT_CqUy0HfDRxon3BBS7-YBjYcyziy0AB8zTVCnjL5tvFiufHzr5aqBFEc3_9mxhdb4e95eepVOMboITpblg0CYHsgdA6LLHbG7Wd334az10ehlcHvAB0GN5_PDwYHuR_BJdNAK9g8uvFwZu0eqHKtM7w",
"use": "sig"
}
]
}
0.640327 ------------ RegistrationRequest ------------
0.640713 --> URL: https://gold.pinglabs.net/idp/client-registration.openid
0.640721 --> BODY: {"subject_type": "public", "jwks_uri": "https://op.certification.openid.net:60050/export/jwk_60050.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["authorization_code"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60050/logout"], "redirect_uris": ["https://op.certification.openid.net:60050/authz_cb"], "response_types": ["code"], "require_auth_time": true, "default_max_age": 3600}
0.640730 --> HEADERS: {'Content-type': 'application/json'}
0.947350 <-- STATUS: 200
0.947392 <-- BODY: {"client_id":"_.dS5V4iR8mrI8Hscm5SJGOI4U","client_secret":"PL1j-l8chJjx7RI8xzvy2Pz-o7vBVHVUJkBuvShd9UnCXBwMh3rV5jj6sutzO3hF52t3dO6ZIfW-xoATds-r9Q","token_endpoint_auth_method":"client_secret_basic","expires_at":0,"client_name":"NO CLIENT NAME PROVIDED","redirect_uris":["https://op.certification.openid.net:60050/authz_cb"],"grant_types":["authorization_code"]}
0.947949 RegistrationResponse: {
"client_id": "_.dS5V4iR8mrI8Hscm5SJGOI4U",
"client_name": "NO CLIENT NAME PROVIDED",
"client_secret": "PL1j-l8chJjx7RI8xzvy2Pz-o7vBVHVUJkBuvShd9UnCXBwMh3rV5jj6sutzO3hF52t3dO6ZIfW-xoATds-r9Q",
"expires_at": 0,
"grant_types": [
"authorization_code"
],
"redirect_uris": [
"https://op.certification.openid.net:60050/authz_cb"
],
"token_endpoint_auth_method": "client_secret_basic"
}
0.949423 ------------ AuthorizationRequest ------------
0.949809 --> URL: https://gold.pinglabs.net/as/authorization.oauth2?scope=openid&state=F4m7C5oOe8HapLSp&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60050%2Fauthz_cb&response_type=code&client_id=_.dS5V4iR8mrI8Hscm5SJGOI4U
0.949816 --> BODY: None
53.908259 <-- state=F4m7C5oOe8HapLSp&code=y8b45gXVWOo4UhzssCm2OCMF7o8HlubsDbo5xIZeyPM
53.908563 AuthorizationResponse: {
"code": "y8b45gXVWOo4UhzssCm2OCMF7o8HlubsDbo5xIZeyPM",
"state": "F4m7C5oOe8HapLSp"
}
53.908913 ------------ AccessTokenRequest ------------
53.909267 --> URL: https://gold.pinglabs.net/as/token.oauth2
53.909273 --> BODY: code=y8b45gXVWOo4UhzssCm2OCMF7o8HlubsDbo5xIZeyPM&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60050%2Fauthz_cb
53.909285 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic Xy5kUzVWNGlSOG1ySThIc2NtNVNKR09JNFU6UEwxai1sOGNoSmp4N1JJOHh6dnkyUHotbzd2QlZIVlVKa0J1dlNoZDlVbkNYQndNaDNyVjVqajZzdXR6TzNoRjUydDNkTzZaSWZXLXhvQVRkcy1yOVE='}
54.249843 <-- STATUS: 200
54.249883 <-- BODY: {"token_type":"Bearer","expires_in":7200,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImRiOGJnIn0.eyJzdWIiOiJqYnJhZGxleSIsImF1ZCI6Il8uZFM1VjRpUjhtckk4SHNjbTVTSkdPSTRVIiwianRpIjoialEyNGFDcmIzaUczS2ZKd0FGck5DcCIsImlzcyI6Imh0dHBzOlwvXC9nb2xkLnBpbmdsYWJzLm5ldCIsImlhdCI6MTQyNjg1MjExMCwiZXhwIjoxNDI2ODUyNDEwLCJhdXRoX3RpbWUiOjE0MjY4NTE4MTN9.FBg_cD0cYZlFGKaC22-XlXas4-KEiS98dynrL5YmMvQSrEIgz1lJQCeehTHEhBTN4_yESzumn9IZTyAIAi9-i_6HcX-XyOiJSWL63dc-gkj6Ji9wYC67WyZJZvtf7zeKOyxAN3BRTL0vjQpXmYCRZbaY9Z7DWU013UmMALEUKqEu77sfQNVS8D2_7YPUmnQpDv_Frm7bWAHxhVQehCjQ8kha_ljbt74-_k4PQgHTNo5JdhkHhoXt6nEwgAxJ8-VWou1vEBK7l2TvB6cdD3TwVHdRmq2-YcoPLj87lwQ0J_fRPyLbTYBd4MKTWcjjRvzAhklcpMbE-D9Ubb5_oonFfw","access_token":"FfafDcYgpz6DG3KVcUuUP0GLWgWh"}
54.585431 AccessTokenResponse: {
"access_token": "FfafDcYgpz6DG3KVcUuUP0GLWgWh",
"expires_in": 7200,
"id_token": {
"claims": {
"aud": [
"_.dS5V4iR8mrI8Hscm5SJGOI4U"
],
"auth_time": 1426851813,
"exp": 1426852410,
"iat": 1426852110,
"iss": "https://gold.pinglabs.net",
"jti": "jQ24aCrb3iG3KfJwAFrNCp",
"sub": "jbradley"
},
"jws header parameters": {
"alg": "RS256",
"kid": "db8bg"
}
},
"token_type": "Bearer"
}
54.586582 ------------ AccessTokenRequest ------------
54.586907 --> URL: https://gold.pinglabs.net/as/token.oauth2
54.586915 --> BODY: code=y8b45gXVWOo4UhzssCm2OCMF7o8HlubsDbo5xIZeyPM&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60050%2Fauthz_cb
54.586926 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic Xy5kUzVWNGlSOG1ySThIc2NtNVNKR09JNFU6UEwxai1sOGNoSmp4N1JJOHh6dnkyUHotbzd2QlZIVlVKa0J1dlNoZDlVbkNYQndNaDNyVjVqajZzdXR6TzNoRjUydDNkTzZaSWZXLXhvQVRkcy1yOVE='}
55.016605 <-- STATUS: 400
55.016721 ErrorResponse: {
"error": "invalid_grant",
"error_description": "Authorization code is invalid or expired."
}
55.017825 ------------ UserInfoRequest ------------
55.018106 --> URL: https://gold.pinglabs.net/idp/userinfo.openid
55.018112 --> BODY: None
55.018121 --> HEADERS: {'Authorization': u'Bearer FfafDcYgpz6DG3KVcUuUP0GLWgWh'}
55.323885 <-- STATUS: 200
55.323961 Available verification keys: [(u'db8bn', u'EC'), (u'db8bm', u'EC'), (u'db8bl', u'EC'), (u'db8bk', u'RSA'), (u'db8bj', u'EC'), (u'db8bi', u'EC'), (u'db8bh', u'EC'), (u'db8bg', u'RSA'), (u'db8bf', u'EC'), (u'db8be', u'EC'), (u'db8bd', u'EC'), (u'db8bc', u'RSA')]
55.323989 Available decryption keys: [('a0', 'RSA'), ('a3', 'EC')]
55.324007 <-- BODY: {"sub":"jbradley"}
55.324427 UserInfo: {
"sub": "jbradley"
}
Result
FAILED
```
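As an added example (not code from the certification suite or from this issue), here is a small Python model of the behaviour the test exercises: RFC 6749 section 4.1.2 says an authorization server MUST deny a reused authorization code and SHOULD revoke tokens previously issued from it, which is why a first access token that still works at userinfo rates a warning rather than a failure. The Provider class, its revoke_on_reuse switch and the verdict strings are assumptions of this example.

```python
import secrets


class Provider:
    """Toy in-memory OP: issues codes, exchanges each once, revokes on reuse if configured."""

    def __init__(self, revoke_on_reuse: bool):
        self.revoke_on_reuse = revoke_on_reuse  # the RFC 6749 4.1.2 SHOULD
        self.codes = {}      # code -> {"used": bool, "tokens": [access tokens]}
        self.tokens = set()  # access tokens currently accepted at userinfo

    def authorize(self) -> str:
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"used": False, "tokens": []}
        return code

    def token(self, code: str) -> dict:
        entry = self.codes.get(code)
        if entry is None:
            return {"status": 400, "error": "invalid_grant"}
        if entry["used"]:
            # MUST deny the request; SHOULD revoke tokens issued from this code
            if self.revoke_on_reuse:
                for t in entry["tokens"]:
                    self.tokens.discard(t)
            return {"status": 400, "error": "invalid_grant"}
        entry["used"] = True
        at = secrets.token_urlsafe(24)
        entry["tokens"].append(at)
        self.tokens.add(at)
        return {"status": 200, "access_token": at, "token_type": "Bearer"}

    def userinfo(self, bearer: str) -> dict:
        if bearer in self.tokens:
            return {"status": 200, "sub": "constructed-sub"}  # constructed value
        return {"status": 401, "error": "invalid_token"}


def run_test(op: Provider) -> str:
    """Verdict for OP-OAuth-2nd-Revokes: ERROR only when a MUST is violated."""
    code = op.authorize()
    first = op.token(code)             # first exchange: expected to succeed
    second = op.token(code)            # reuse: MUST be denied
    if second["status"] == 200:
        return "ERROR"
    ui = op.userinfo(first["access_token"])
    if ui["status"] == 200:
        return "WARNING"               # first token not revoked: SHOULD missed
    return "OK"
```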