[Openid-specs-ab] Issue #85: OP-IDToken-RS256 (Asymmetric ID Token signature with rs256) Incorrect result displayed (openid/certification)

Edmund Jay issues-reply at bitbucket.org
Wed Mar 11 20:29:51 UTC 2015


New issue 85: OP-IDToken-RS256 (Asymmetric ID Token signature with rs256) Incorrect result displayed
https://bitbucket.org/openid/certification/issue/85/op-idtoken-rs256-asymmetric-id-token

Edmund Jay:

The test logs shows the test as failed but the UI shows a failure.


```
#!text

Test info

Profile: {'profile': 'C', 'sub': 'none', 'register': True, 'discover': True, 'extra': False}
Test ID: OP-IDToken-RS256
Issuer: https://connect.openid4.us
Test output


__RegistrationRequest:post__
[check]
	status: INFORMATION
	description: Registration Response
	info: {"client_id":"JzAr4YjSyFJlSoXWIJQpDQ","client_secret":"UagA8726wybUfw","registration_access_token":"GCsbX2AqwtEgkQ","registration_client_uri":"https:\/\/connect.openid4.us\/abop\/op.php\/client\/1KHwDFYPk50m7GyWoL58og","client_id_issued_at":1426104582,"client_secret_expires_at":0,"registration_client_uri_path":"1KHwDFYPk50m7GyWoL58og","contacts":["roland.hedberg at umu.se"],"application_type":"web","redirect_uris":["https:\/\/op.certification.openid.net:60103\/authz_cb"],"post_logout_redirect_uris":["https:\/\/op.certification.openid.net:60103\/logout"],"jwks_uri":"https:\/\/op.certification.openid.net:60103\/export\/jwk_60103.json","subject_type":"pairwise","id_token_signed_response_alg":"RS256","default_max_age":3600,"require_auth_time":true,"response_types":["code"],"grant_types":["authorization_code"]}
__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[verify-idtoken-is-signed]
	status: OK
	description: Verifies that an IdToken is signed
	info: Signature algorithm='RS256'
[verify-authn-response]
	status: ERROR
	description: Checks that the last response was a JSON encoded authentication message
	info: Expected an authorization response
Trace output


0.000286 ------------ DiscoveryRequest ------------
0.000295 Provider info discover from 'https://connect.openid4.us'
0.000301 --> URL: https://connect.openid4.us/.well-known/openid-configuration
0.381925 ProviderConfigurationResponse: {
  "authorization_endpoint": "https://connect.openid4.us/abop/op.php/auth",
  "check_session_iframe": "https://connect.openid4.us/abop/opframe.php/1",
  "claim_types_supported": [
    "normal"
  ],
  "claims_locales_supported": [
    "en-US"
  ],
  "claims_parameter_supported": true,
  "claims_supported": [
    "name",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "preferred_username",
    "profile",
    "picture",
    "website",
    "email",
    "email_verified",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "phone_number_verified",
    "address",
    "updated_at"
  ],
  "display_values_supported": [
    "page"
  ],
  "end_session_endpoint": "https://connect.openid4.us/abop/op.php/endsession",
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP"
  ],
  "id_token_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512",
    "A128GCM",
    "A256GCM"
  ],
  "id_token_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "issuer": "https://connect.openid4.us",
  "jwks_uri": "https://connect.openid4.us/connect4us.jwk",
  "op_policy_uri": "https://connect.openid4.us/abop/op.php/op_policy",
  "op_tos_uri": "https://connect.openid4.us/abop/op.php/op_tos",
  "registration_endpoint": "https://connect.openid4.us/abop/op.php/registration",
  "request_object_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP"
  ],
  "request_object_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512",
    "A128GCM",
    "A256GCM"
  ],
  "request_object_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": false,
  "response_types_supported": [
    "code",
    "code token",
    "code id_token",
    "token",
    "token id_token",
    "code token id_token",
    "id_token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "address",
    "phone",
    "offline_access"
  ],
  "service_documentation": "https://connect.openid4.us/abop/op.php/servicedocs",
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "token_endpoint": "https://connect.openid4.us/abop/op.php/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "ui_locales_supported": [
    "en-US"
  ],
  "userinfo_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP"
  ],
  "userinfo_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512",
    "A128GCM",
    "A256GCM"
  ],
  "userinfo_endpoint": "https://connect.openid4.us/abop/op.php/userinfo",
  "userinfo_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "version": "3.0"
}
0.698602 JWKS: {
  "keys": [
    {
      "e": "AQAB",
      "kid": "ABOP-00",
      "kty": "RSA",
      "n": "tf_sB4M0sHearRLzz1q1JRgRdRnwk0lz-IcVDFlpp2dtDVyA-ZM8Tu1swp7upaTNykf7cp3Ne_6uW3JiKvRMDdNdvHWCzDHmbmZWGdnFF9Ve-D1cUxj4ETVpUM7AIXWbGs34fUNYl3Xzc4baSyvYbc3h6iz8AIdb_1bQLxJsHBi-ydg3NMJItgQJqBiwCmQYCOnJlekR-Ga2a5XlIx46Wsj3Pz0t0dzM8gVSU9fU3QrKKzDFCoFHTgig1YZNNW5W2H6QwANL5h-nbgre5sWmDmdnfiU6Pj5GOQDmp__rweinph8OAFNF6jVqrRZ3QJEmMnO42naWOsxV2FAUXafksQ"
    }
  ]
}
0.700255 ------------ RegistrationRequest ------------
0.700645 --> URL: https://connect.openid4.us/abop/op.php/registration
0.700652 --> BODY: {"subject_type": "pairwise", "jwks_uri": "https://op.certification.openid.net:60103/export/jwk_60103.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["authorization_code"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60103/logout"], "redirect_uris": ["https://op.certification.openid.net:60103/authz_cb"], "response_types": ["code"], "require_auth_time": true, "default_max_age": 3600, "id_token_signed_response_alg": "RS256"}
0.700661 --> HEADERS: {'Content-type': 'application/json'}
1.146476 <-- STATUS: 200
1.146580 <-- BODY: {"client_id":"JzAr4YjSyFJlSoXWIJQpDQ","client_secret":"UagA8726wybUfw","registration_access_token":"GCsbX2AqwtEgkQ","registration_client_uri":"https:\/\/connect.openid4.us\/abop\/op.php\/client\/1KHwDFYPk50m7GyWoL58og","client_id_issued_at":1426104582,"client_secret_expires_at":0,"registration_client_uri_path":"1KHwDFYPk50m7GyWoL58og","contacts":["roland.hedberg at umu.se"],"application_type":"web","redirect_uris":["https:\/\/op.certification.openid.net:60103\/authz_cb"],"post_logout_redirect_uris":["https:\/\/op.certification.openid.net:60103\/logout"],"jwks_uri":"https:\/\/op.certification.openid.net:60103\/export\/jwk_60103.json","subject_type":"pairwise","id_token_signed_response_alg":"RS256","default_max_age":3600,"require_auth_time":true,"response_types":["code"],"grant_types":["authorization_code"]}
1.147303 RegistrationResponse: {
  "application_type": "web",
  "client_id": "JzAr4YjSyFJlSoXWIJQpDQ",
  "client_id_issued_at": 1426104582,
  "client_secret": "UagA8726wybUfw",
  "client_secret_expires_at": 0,
  "contacts": [
    "roland.hedberg at umu.se"
  ],
  "default_max_age": 3600,
  "grant_types": [
    "authorization_code"
  ],
  "id_token_signed_response_alg": "RS256",
  "jwks_uri": "https://op.certification.openid.net:60103/export/jwk_60103.json",
  "post_logout_redirect_uris": [
    "https://op.certification.openid.net:60103/logout"
  ],
  "redirect_uris": [
    "https://op.certification.openid.net:60103/authz_cb"
  ],
  "registration_access_token": "GCsbX2AqwtEgkQ",
  "registration_client_uri": "https://connect.openid4.us/abop/op.php/client/1KHwDFYPk50m7GyWoL58og",
  "registration_client_uri_path": "1KHwDFYPk50m7GyWoL58og",
  "require_auth_time": true,
  "response_types": [
    "code"
  ],
  "subject_type": "pairwise"
}
1.148750 ------------ AuthorizationRequest ------------
1.149139 --> URL: https://connect.openid4.us/abop/op.php/auth?scope=openid&state=LbAY7BJEr5iKyvso&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60103%2Fauthz_cb&response_type=code&client_id=JzAr4YjSyFJlSoXWIJQpDQ
1.149146 --> BODY: None
3.238017 <-- state=LbAY7BJEr5iKyvso&session_state=e66b9bef562284b3fdb134f69a469e4078ee1533719152451f117d7d10ec796a.3ce628e402ee462065a199ea3cb1b99b&code=SNrML5vOiLdpGxQ3s1SE9ou3KGV1v5Rb1eyejrBGFxQ
3.238310 AuthorizationResponse: {
  "code": "SNrML5vOiLdpGxQ3s1SE9ou3KGV1v5Rb1eyejrBGFxQ",
  "session_state": "e66b9bef562284b3fdb134f69a469e4078ee1533719152451f117d7d10ec796a.3ce628e402ee462065a199ea3cb1b99b",
  "state": "LbAY7BJEr5iKyvso"
}
3.238620 ------------ AccessTokenRequest ------------
3.238945 --> URL: https://connect.openid4.us/abop/op.php/token
3.238951 --> BODY: code=SNrML5vOiLdpGxQ3s1SE9ou3KGV1v5Rb1eyejrBGFxQ&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60103%2Fauthz_cb
3.238961 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic SnpBcjRZalN5RkpsU29YV0lKUXBEUTpVYWdBODcyNnd5YlVmdw=='}
3.679087 <-- STATUS: 200
3.679204 <-- BODY: {"access_token":"_dv4-FqaBmz7wCz_lB2FRFcV3cviGFBzhTFONZxG61c","token_type":"Bearer","expires_in":3600,"id_token":"eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOlwvXC9jb25uZWN0Lm9wZW5pZDQudXNcL2Nvbm5lY3Q0dXMuandrIiwia2lkIjoiQUJPUC0wMCJ9.eyJpc3MiOiJodHRwczpcL1wvY29ubmVjdC5vcGVuaWQ0LnVzIiwic3ViIjoiNjZkZmI1YjVmYTAyMTMxZTI3ZjVjZDEyMDQzNjRlZTk2NDA1NDBhMGNjZDFjZmY4Y2MwNjA3Y2YzYWE0NWE1ZCIsImF1ZCI6WyJKekFyNFlqU3lGSmxTb1hXSUpRcERRIl0sImV4cCI6MTQyNjEwNDg4NCwiaWF0IjoxNDI2MTA0NTg0LCJhdXRoX3RpbWUiOjE0MjYxMDQ0NjV9.atcLyiGjiyCemesfrGDohsEWPYaq5UYcq0XNTVwsyuYV1udodmLSWeI9oTja6SgitVV587zxyFnVOCjI5fLtqQgYI01GURKEsOFO5xupEy1nNe9O6mkGPtKznttwRbjjrZShZz-N3Bi9E8hAgIKa7hlm1NRqFtyA4virIHbuDeID_Olsl9gLFF7VvBuud0cMLQIS-UQMyKkFEx7bPpleMGHG7jnqypoF2cpQU8NI4JYsM9oRX-CWQoACfWUk3MBlzwImDzrCxc67XVibbgdqFjxuVs5nm4n9ijJGmc4L0bKbHWn434kju0lX8fCrlj4d5c-1-jzpw7JFZbuFXIqUuw"}
4.008406 AccessTokenResponse: {
  "access_token": "_dv4-FqaBmz7wCz_lB2FRFcV3cviGFBzhTFONZxG61c",
  "expires_in": 3600,
  "id_token": {
    "aud": [
      "JzAr4YjSyFJlSoXWIJQpDQ"
    ],
    "auth_time": 1426104465,
    "exp": 1426104884,
    "iat": 1426104584,
    "iss": "https://connect.openid4.us",
    "sub": "66dfb5b5fa02131e27f5cd1204364ee9640540a0ccd1cff8cc0607cf3aa45a5d"
  },
  "token_type": "Bearer"
}
Result

PASSED
```




More information about the Openid-specs-ab mailing list