[Openid-specs-ab] Issue #183: The WWW-Authenticate Response Header at the request to userinfo is not parsed (openid/certification)
Ryo Ito
issues-reply at bitbucket.org
Sun Nov 1 03:56:23 UTC 2015
New issue 183: The WWW-Authenticate Response Header at the request to userinfo is not parsed
https://bitbucket.org/openid/certification/issues/183/the-www-authenticate-response-header-at
Ryo Ito:
As a result of `Test ID: OP-OAuth-2nd-Revokes`, I got the following warning.
Test output
__AuthorizationRequest:pre__
[check-response-type]
status: OK
description: Checks that the asked for response type are among the supported
[check-endpoint]
status: OK
description: Checks that the necessary endpoint exists at a server
[-]
status: WARNING
info: Missing Error Response
__X:==== END ====__
12.945397 ------------ UserInfoRequest ------------
12.945735 --> URL: https://idp.openidconnect.info/userinfo
12.945742 --> BODY: None
12.945754 --> HEADERS: {'Authorization': u'Bearer eyJhbGciOiJIUzI1NiJ9.eyJhdXRoX2lkIjo3LCJleHBpcmVkX29uIjoxNDQ2Mzk4NTIwfQ.iaqWgjA6yrh7_vw84taCVe_uzQGd2lJ5T3bCSFfRyxc'}
14.019021 <-- STATUS: 401
For a UserInfo request using a revoked access token, my OP returns an error response using the "WWW-Authenticate" header.
$ curl -i -H "Authorization: Bearer invalid_access_token" https://idp.openidconnect.info/userinfo
HTTP/1.1 401 Unauthorized
Server: nginx/1.4.6 (Ubuntu)
Date: Sun, 01 Nov 2015 03:48:55 GMT
Content-Length: 0
Connection: keep-alive
WWW-Authenticate: Bearer error="invalid_token"
Does the test tool not parse the "WWW-Authenticate" header?
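An added example, not part of the original report and not the test tool's code: one way a client could read the Bearer error from the `WWW-Authenticate` header that RFC 6750 Section 3 defines, so that a 401 with an empty body still counts as an error response. The names `parse_bearer_challenge` and `userinfo_error` are hypothetical, and the sketch assumes the header value holds a single Bearer challenge.

```python
import re

# RFC 7230 token; auth-param = token "=" ( token / quoted-string ) per RFC 7235
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
AUTH_PARAM = re.compile(
    r'\s*(' + TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + TOKEN + r'))\s*(?:,|$)')
RFC6750_ERRORS = {"invalid_request", "invalid_token", "insufficient_scope"}


def parse_bearer_challenge(header_value):
    """Return the auth-params of a single Bearer challenge, or None for another scheme."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params, pos = {}, 0
    while pos < len(rest):
        m = AUTH_PARAM.match(rest, pos)
        if m is None:
            raise ValueError("malformed auth-param at offset %d: %r" % (pos, rest[pos:]))
        quoted, bare = m.group(2), m.group(3)
        # Quoted strings may contain backslash-escaped characters; undo the escaping.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        params[m.group(1).lower()] = value
        pos = m.end()
    return params


def userinfo_error(status, headers):
    """Return the OAuth error signalled via WWW-Authenticate, or None if there is none."""
    if status not in (400, 401, 403):
        return None
    for name, value in headers.items():
        if name.lower() != "www-authenticate":  # header names are case-insensitive
            continue
        params = parse_bearer_challenge(value)
        if params and "error" in params:
            return {"error": params["error"],
                    "description": params.get("error_description"),
                    "registered": params["error"] in RFC6750_ERRORS}
    return None


# Response from the report above: empty body, error carried only in the header.
REPORTED = (401, {"Content-Length": "0", "WWW-Authenticate": 'Bearer error="invalid_token"'})

if __name__ == "__main__":
    print(userinfo_error(*REPORTED))
```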