[Openid-specs-ab] Issue #71: Decoded ID Token header parameters not shown in log (openid/certification)

Michael Jones issues-reply at bitbucket.org
Wed Feb 25 22:05:31 UTC 2015


New issue 71: Decoded ID Token header parameters not shown in log
https://bitbucket.org/openid/certification/issue/71/decoded-id-token-header-parameters-not

Michael Jones:

While sometimes the decoded ID Token header parameters are contained in the log (prefixed by "IdToken JWT header"), other times they are not.  See the log entry below, which is for the test OP-Response-id_token+token at https://op.certification.openid.net:60708/, in which they are not shown.

I suggest changing the routine that prints ID Tokens (the one that emits '"id_token": {' ...) so that it always outputs both parts.  So I'd change the output to look like:

~~~~
"id_token": {
  header parameters: {
    "alg":"RS256",
    ....
  }
  claims: {
    "iss": ...
  }
}
~~~~

~~~~
Test info
Profile: {'profile': 'IT', 'sub': 'sign', 'register': False, 'discover': True, 'extra': False}
Test ID: OP-Response-id_token+token
Issuer: https://stsadweb.one.microsoft.com/adfs

--------------------------------------------------------------------------------

Test output

__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[check-http-response]
	status: OK
	description: Checks that the HTTP response status is within the 200 or 300 range


--------------------------------------------------------------------------------

Trace output

0.000279 ------------ DiscoveryRequest ------------
0.000289 Provider info discover from 'https://stsadweb.one.microsoft.com/adfs'
0.000295 --> URL: https://stsadweb.one.microsoft.com/adfs/.well-known/openid-configuration
0.480749 ProviderConfigurationResponse: {
  "access_token_issuer": "http://stsadweb.one.microsoft.com/adfs/services/trust",
  "authorization_endpoint": "https://stsadweb.one.microsoft.com/adfs/oauth2/authorize/",
  "claims_parameter_supported": false,
  "claims_supported": [
    "aud",
    "iss",
    "iat",
    "exp",
    "auth_time",
    "nonce",
    "at_hash",
    "c_hash",
    "sub",
    "upn",
    "unique_name",
    "pwd_url",
    "pwd_exp",
    "ver"
  ],
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "implicit",
    "password"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "issuer": "https://stsadweb.one.microsoft.com/adfs",
  "jwks_uri": "https://stsadweb.one.microsoft.com/adfs/discovery/keys",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "token id_token"
  ],
  "scopes_supported": [
    "user_impersonation",
    "full_access",
    "logon_cert",
    "profile",
    "email",
    "vpn_cert",
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "token_endpoint": "https://stsadweb.one.microsoft.com/adfs/oauth2/token/",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "windows_client_authentication"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256"
  ],
  "version": "3.0",
  "webfinger_endpoint": "https://stsadweb.one.microsoft.com/adfs/.well-known/webfinger"
}
0.965558 JWKS: {
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "f-5GWKyaV6fDdnKB7A3b0llXZ0E",
      "kty": "RSA",
      "n": "ygUNL9XXanKy_fQ1X0SMt9LRKpH3Xup1lk5mivaw7thYRPrkGArJezV4x-hfk3Rm9qv6ikBGnTW0lI8FqotLcXmvIBqtbIDfSh59uts1r0QLRUVKS_2OL_Ia8KL56VHhG7fnjH9-rLE8Exksnb3f6y0dkF2VhU2-ED5fhpHbHZi7kCv7jt1xgsk7xrM1WpQNBP3xq15BfMu83TgUKT21HP-E7O9hEFFJ1M0BJg0uZNxNUauLhbwd05dqB-k2Nmr6XUnEQlW0nU9BJvWSs0xruyirHKbOCllEVopZ2vyc1z7_YWPcxDXFx2q52f0_mh74mafkE-Xi5Njk0dkH4OqGaQ",
      "use": "sig",
      "x5c": [
        "[...]"
      ],
      "x5t": "f-5GWKyaV6fDdnKB7A3b0llXZ0E"
    }
  ]
}
0.966332 ------------ AuthorizationRequest ------------
0.966757 --> URL: https://stsadweb.one.microsoft.com/adfs/oauth2/authorize/?nonce=X5zNwZdotJJF&resource=http%3A%2F%2Fwww.microsoftshouldfixthisbug.com%2F&state=C7oJVn7SuAeZ7jAr&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60708%2Fauthz_cb&response_type=id_token+token&client_id=OICTest3&scope=openid
0.966765 --> BODY: None
2.005687 <-- access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImYtNUdXS3lhVjZmRGRuS0I3QTNiMGxsWFowRSJ9.[...]
 lIiwiY2xpZW50cmVxaWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMTkwMC0wMDgwMDAwMDAwYjMiLCJjbGllbnRpcCI6IjEwLjI0OC4xMi41MiIsInVzZXJpcCI6IjEwLjI0OC4xMi41MiIsInZlciI6IjEuMCIsInNjcCI6Im9wZW5pZCJ9.yGX_P0PLt-ZgXh9kKf5htVoPdR9MjPtKKvuj00OPlJ8CXpBpt-XgByo8Qi4T9hye5z3gD5SDmjS5Sbao23k623APuHQJPERN-kzZM8n4oX9Pu2rXmmgprSUvXe7Da8sQpuyQa0WuH-rZ8poSJ3BuWddyTPNJC5mCX6isrvyUPPGs_T4ZhzI8aucfvtxtm6JGgwGsfGqvx0nij5JtOUyjRCknlYKzzq2Lfz182jNq5bG7RwAdSD3VoTP3KqAuuPyJzV7r-Cy0mChTikHffxD_mebqrAw0_tbgZZ2RUDemXNBwqeRLXlzTXFfX5X-ciilB1KnBsgO39gRtr1Su4weX5A&token_type=bearer&expires_in=3600&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImYtNUdXS3lhVjZmRGRuS0I3QTNiMGxsWFowRSIsImtpZCI6ImYtNUdXS3lhVjZmRGRuS0I3QTNiMGxsWFowRSJ9.eyJhdWQiOiJPSUNUZXN0MyIsImlzcyI6Imh0dHBzOi8vc3RzYWR3ZWIub25lLm1pY3Jvc29mdC5jb20vYWRmcyIsImlhdCI6MTQyNDkwMDc2MywiZXhwIjoxNDI0OTA0MzYzLCJhdXRoX3RpbWUiOiIxNDI0OTAwNDMzIiwibm9uY2UiOiJYNXpOd1pkb3RKSkYiLCJzdWIiOiJzM2pSTUMvTVlGc2RaYWl1UUxvOXY1UDREbHNkUHlvZTBEMmN5MXUxL2drPSIsInVwbiI6InRlc3RVc2VyNEB2
 ZW5kb3JzLmNvbnRvc28uY29tIiwidW5pcXVlX25hbWUiOiJ0ZXN0VXNlcjRAdmVuZG9ycy5jb250b3NvLmNvbSIsInB3ZF91cmwiOiJodHRwczovL3N0c2Fkd2ViLm9uZS5taWNyb3NvZnQuY29tL2FkZnMvcG9ydGFsL3VwZGF0ZXBhc3N3b3JkLyIsInZlciI6IjEuMCIsImF0X2hhc2giOiJUdHMwc3Fza0xHWUNzNnl6X2dJUGtRIn0.DwUOZcJ4E98aFnoiaZQIWGD-MD0U8ogfcXfWhln_Et13Wo5Z_53bvsMwzpZTrOZsZMzmTty_7MaMtgvkeqj2K5XPrBhTDbMNGPz_2YD7m3R7wrQLA5VGUZzwCFfH55WyjXwoSAvZGBwm4jsMAR54KMRvgiug_gDXILjdzyN_zxvscO8dAaWaNXV_wzS2Y6ze1wAWJBBDl1JkBbRlAc_LcnQ34ihIss9Y7PmsP8XIdnpC0yFp17gYl5VSBGlDEqAY7h9o9VDDAq22MSZ113f34w5Z0dvyUIWJxXH7kXYAItWFH_n98WjVa8Qgx-oaNbWL5sITG0qHRyjT5elA04oUyg&scope=openid&state=C7oJVn7SuAeZ7jAr
2.489419 AuthorizationResponse: {
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImYtNUdXS3lhVjZmRGRuS0I3QTNiMGxsWFowRSJ9.[...]
 xpZW50cmVxaWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMTkwMC0wMDgwMDAwMDAwYjMiLCJjbGllbnRpcCI6IjEwLjI0OC4xMi41MiIsInVzZXJpcCI6IjEwLjI0OC4xMi41MiIsInZlciI6IjEuMCIsInNjcCI6Im9wZW5pZCJ9.yGX_P0PLt-ZgXh9kKf5htVoPdR9MjPtKKvuj00OPlJ8CXpBpt-XgByo8Qi4T9hye5z3gD5SDmjS5Sbao23k623APuHQJPERN-kzZM8n4oX9Pu2rXmmgprSUvXe7Da8sQpuyQa0WuH-rZ8poSJ3BuWddyTPNJC5mCX6isrvyUPPGs_T4ZhzI8aucfvtxtm6JGgwGsfGqvx0nij5JtOUyjRCknlYKzzq2Lfz182jNq5bG7RwAdSD3VoTP3KqAuuPyJzV7r-Cy0mChTikHffxD_mebqrAw0_tbgZZ2RUDemXNBwqeRLXlzTXFfX5X-ciilB1KnBsgO39gRtr1Su4weX5A",
  "expires_in": 3600,
  "id_token": {
    "at_hash": "Tts0sqskLGYCs6yz_gIPkQ",
    "aud": [
      "OICTest3"
    ],
    "auth_time": "1424900433",
    "exp": 1424904363,
    "iat": 1424900763,
    "iss": "https://stsadweb.one.microsoft.com/adfs",
    "nonce": "X5zNwZdotJJF",
    "pwd_url": "https://stsadweb.one.microsoft.com/adfs/portal/updatepassword/",
    "sub": "s3jRMC/MYFsdZaiuQLo9v5P4DlsdPyoe0D2cy1u1/gk=",
    "unique_name": "testUser4@vendors.contoso.com",
    "upn": "testUser4@vendors.contoso.com",
    "ver": "1.0"
  },
  "scope": "openid",
  "state": "C7oJVn7SuAeZ7jAr",
  "token_type": "bearer"
}


--------------------------------------------------------------------------------

Result
PASSED
~~~~


Responsible: Rohe
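One way to produce the log entry in the shape proposed in the issue, as an added example that is not part of the certification tool's code: split the compact JWS, decode the header and the claims segments, and print both under "id_token". The header segment is the one carried by the id_token in the log above; the claims and signature segments are constructed here so the sample runs offline. Decoding for the log is not verification, so the header values it shows are still unverified input at that point.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding a compact JWS omits."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_id_token_for_log(id_token: str) -> dict:
    """Split a compact JWS into its decoded JOSE header and claims.
    Display logic only: nothing here checks the signature, so 'alg', 'kid'
    and 'x5t' are whatever the token carries, not a verified statement
    about which key signed it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 JWS segments, got %d" % len(parts))
    header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    return {"header parameters": header, "claims": claims}

def format_id_token_log_entry(id_token: str) -> str:
    """Render the '"id_token": {...}' log entry with both parts, as proposed."""
    decoded = decode_id_token_for_log(id_token)
    return '"id_token": ' + json.dumps(decoded, indent=2, sort_keys=True)

# Header segment copied from the id_token in the log above; the claims segment
# is built from the decoded claims the log does show and the signature is a
# placeholder, so the sample is parseable but not a valid token.
ID_TOKEN_HEADER_B64 = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImYtNUdXS3lhVjZmRGRuS0I3QTNi"
    "MGxsWFowRSIsImtpZCI6ImYtNUdXS3lhVjZmRGRuS0I3QTNiMGxsWFowRSJ9"
)
SAMPLE_CLAIMS = {
    "iss": "https://stsadweb.one.microsoft.com/adfs",
    "aud": "OICTest3",
    "nonce": "X5zNwZdotJJF",
    "iat": 1424900763,
    "exp": 1424904363,
}
SAMPLE_ID_TOKEN = ".".join([
    ID_TOKEN_HEADER_B64,
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode("utf-8")),
    b64url_encode(b"placeholder-signature-not-valid"),
])

if __name__ == "__main__":
    print(format_id_token_log_entry(SAMPLE_ID_TOKEN))
```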

