[Openid-specs-ab] Issue #86: OP-IDToken-max_age=1000 (Requesting ID Token with max_age=1000 seconds Restriction) No indication of failure (openid/certification)

Edmund Jay issues-reply at bitbucket.org
Wed Mar 11 21:23:19 UTC 2015


New issue 86: OP-IDToken-max_age=1000 (Requesting ID Token with max_age=1000 seconds Restriction) No indication of failure
https://bitbucket.org/openid/certification/issue/86/op-idtoken-max_age-1000-requesting-id

Edmund Jay:

The test returns with an ID Token but there is no indication of why it failed. 
Could it possibly be due to clock skew?


```
#!text

Test info

Profile: {'profile': 'C', 'sub': 'sign and encrypt', 'register': True, 'discover': True, 'extra': False}
Test ID: OP-IDToken-max_age=1000
Issuer: https://connect.openid4.us
Test output


__RegistrationRequest:post__
[check]
	status: INFORMATION
	description: Registration Response
	info: {"client_id":"6XnuV-Pe7lYTa2lhcyA2oA","client_secret":"aYaqa6Gur1lKFg","registration_access_token":"uwMX7yjL0mTg8g","registration_client_uri":"https:\/\/connect.openid4.us\/abop\/op.php\/client\/eVA5oZUQbrIQ9wKArztpRw","client_id_issued_at":1426108953,"client_secret_expires_at":0,"registration_client_uri_path":"eVA5oZUQbrIQ9wKArztpRw","contacts":["roland.hedberg at umu.se"],"application_type":"web","redirect_uris":["https:\/\/op.certification.openid.net:60103\/authz_cb"],"post_logout_redirect_uris":["https:\/\/op.certification.openid.net:60103\/logout"],"jwks_uri":"https:\/\/op.certification.openid.net:60103\/export\/jwk_60103.json","subject_type":"pairwise","default_max_age":3600,"require_auth_time":true,"response_types":["code"],"grant_types":["authorization_code"]}
__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
__RegistrationRequest:post__
[check]
	status: INFORMATION
	description: Registration Response
	info: {"client_id":"i6VAlseypbhc5ETTY5THQw","client_secret":"SSYSqoT4_R9bRA","registration_access_token":"NSXOOud1ZnUpAA","registration_client_uri":"https:\/\/connect.openid4.us\/abop\/op.php\/client\/SBHl67Yr6_kPKNGzMjmiKA","client_id_issued_at":1426108956,"client_secret_expires_at":0,"registration_client_uri_path":"SBHl67Yr6_kPKNGzMjmiKA","contacts":["roland.hedberg at umu.se"],"application_type":"web","redirect_uris":["https:\/\/op.certification.openid.net:60103\/authz_cb"],"post_logout_redirect_uris":["https:\/\/op.certification.openid.net:60103\/logout"],"jwks_uri":"https:\/\/op.certification.openid.net:60103\/export\/jwk_60103.json","subject_type":"pairwise","default_max_age":3600,"require_auth_time":true,"response_types":["code"],"grant_types":["authorization_code"]}
__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[check-http-response]
	status: OK
	description: Checks that the HTTP response status is within the 200 or 300 range
[claims-check]
	status: OK
	description: Checks if specific claims is present or not
[same-authn]
	status: ERROR
	description: Verifies that the same authentication was used twice in the flow.
	info: Not one authentication!
Trace output


0.000274 ------------ DiscoveryRequest ------------
0.000283 Provider info discover from 'https://connect.openid4.us'
0.000289 --> URL: https://connect.openid4.us/.well-known/openid-configuration
0.376830 ProviderConfigurationResponse: {
  "authorization_endpoint": "https://connect.openid4.us/abop/op.php/auth",
  "check_session_iframe": "https://connect.openid4.us/abop/opframe.php/1",
  "claim_types_supported": [
    "normal"
  ],
  "claims_locales_supported": [
    "en-US"
  ],
  "claims_parameter_supported": true,
  "claims_supported": [
    "name",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "preferred_username",
    "profile",
    "picture",
    "website",
    "email",
    "email_verified",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "phone_number_verified",
    "address",
    "updated_at"
  ],
  "display_values_supported": [
    "page"
  ],
  "end_session_endpoint": "https://connect.openid4.us/abop/op.php/endsession",
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP"
  ],
  "id_token_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512",
    "A128GCM",
    "A256GCM"
  ],
  "id_token_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "issuer": "https://connect.openid4.us",
  "jwks_uri": "https://connect.openid4.us/connect4us.jwk",
  "op_policy_uri": "https://connect.openid4.us/abop/op.php/op_policy",
  "op_tos_uri": "https://connect.openid4.us/abop/op.php/op_tos",
  "registration_endpoint": "https://connect.openid4.us/abop/op.php/registration",
  "request_object_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP"
  ],
  "request_object_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512",
    "A128GCM",
    "A256GCM"
  ],
  "request_object_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": false,
  "response_types_supported": [
    "code",
    "code token",
    "code id_token",
    "token",
    "token id_token",
    "code token id_token",
    "id_token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "address",
    "phone",
    "offline_access"
  ],
  "service_documentation": "https://connect.openid4.us/abop/op.php/servicedocs",
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "token_endpoint": "https://connect.openid4.us/abop/op.php/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "ui_locales_supported": [
    "en-US"
  ],
  "userinfo_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP"
  ],
  "userinfo_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512",
    "A128GCM",
    "A256GCM"
  ],
  "userinfo_endpoint": "https://connect.openid4.us/abop/op.php/userinfo",
  "userinfo_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "version": "3.0"
}
0.707993 JWKS: {
  "keys": [
    {
      "e": "AQAB",
      "kid": "ABOP-00",
      "kty": "RSA",
      "n": "tf_sB4M0sHearRLzz1q1JRgRdRnwk0lz-IcVDFlpp2dtDVyA-ZM8Tu1swp7upaTNykf7cp3Ne_6uW3JiKvRMDdNdvHWCzDHmbmZWGdnFF9Ve-D1cUxj4ETVpUM7AIXWbGs34fUNYl3Xzc4baSyvYbc3h6iz8AIdb_1bQLxJsHBi-ydg3NMJItgQJqBiwCmQYCOnJlekR-Ga2a5XlIx46Wsj3Pz0t0dzM8gVSU9fU3QrKKzDFCoFHTgig1YZNNW5W2H6QwANL5h-nbgre5sWmDmdnfiU6Pj5GOQDmp__rweinph8OAFNF6jVqrRZ3QJEmMnO42naWOsxV2FAUXafksQ"
    }
  ]
}
0.708765 ------------ RegistrationRequest ------------
0.709140 --> URL: https://connect.openid4.us/abop/op.php/registration
0.709147 --> BODY: {"subject_type": "pairwise", "jwks_uri": "https://op.certification.openid.net:60103/export/jwk_60103.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["authorization_code"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60103/logout"], "redirect_uris": ["https://op.certification.openid.net:60103/authz_cb"], "response_types": ["code"], "require_auth_time": true, "default_max_age": 3600}
0.709156 --> HEADERS: {'Content-type': 'application/json'}
1.123215 <-- STATUS: 200
1.123324 <-- BODY: {"client_id":"6XnuV-Pe7lYTa2lhcyA2oA","client_secret":"aYaqa6Gur1lKFg","registration_access_token":"uwMX7yjL0mTg8g","registration_client_uri":"https:\/\/connect.openid4.us\/abop\/op.php\/client\/eVA5oZUQbrIQ9wKArztpRw","client_id_issued_at":1426108953,"client_secret_expires_at":0,"registration_client_uri_path":"eVA5oZUQbrIQ9wKArztpRw","contacts":["roland.hedberg at umu.se"],"application_type":"web","redirect_uris":["https:\/\/op.certification.openid.net:60103\/authz_cb"],"post_logout_redirect_uris":["https:\/\/op.certification.openid.net:60103\/logout"],"jwks_uri":"https:\/\/op.certification.openid.net:60103\/export\/jwk_60103.json","subject_type":"pairwise","default_max_age":3600,"require_auth_time":true,"response_types":["code"],"grant_types":["authorization_code"]}
1.124063 RegistrationResponse: {
  "application_type": "web",
  "client_id": "6XnuV-Pe7lYTa2lhcyA2oA",
  "client_id_issued_at": 1426108953,
  "client_secret": "aYaqa6Gur1lKFg",
  "client_secret_expires_at": 0,
  "contacts": [
    "roland.hedberg at umu.se"
  ],
  "default_max_age": 3600,
  "grant_types": [
    "authorization_code"
  ],
  "jwks_uri": "https://op.certification.openid.net:60103/export/jwk_60103.json",
  "post_logout_redirect_uris": [
    "https://op.certification.openid.net:60103/logout"
  ],
  "redirect_uris": [
    "https://op.certification.openid.net:60103/authz_cb"
  ],
  "registration_access_token": "uwMX7yjL0mTg8g",
  "registration_client_uri": "https://connect.openid4.us/abop/op.php/client/eVA5oZUQbrIQ9wKArztpRw",
  "registration_client_uri_path": "eVA5oZUQbrIQ9wKArztpRw",
  "require_auth_time": true,
  "response_types": [
    "code"
  ],
  "subject_type": "pairwise"
}
1.125502 ------------ AuthorizationRequest ------------
1.125872 --> URL: https://connect.openid4.us/abop/op.php/auth?scope=openid&state=J9NithYD8Xyolau9&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60103%2Fauthz_cb&response_type=code&client_id=6XnuV-Pe7lYTa2lhcyA2oA
1.125879 --> BODY: None
3.214832 <-- state=J9NithYD8Xyolau9&session_state=6e8152b3ab987ebbe17fdfd9103540c098e49142e67fda8452f62c190a934c87.ccc48c9e22d8a69b8c06e006c09aa7a5&code=S5qy211A2squ2SV1FaT1eaBhraElUwWSUV7PpCzlAtI
3.215128 AuthorizationResponse: {
  "code": "S5qy211A2squ2SV1FaT1eaBhraElUwWSUV7PpCzlAtI",
  "session_state": "6e8152b3ab987ebbe17fdfd9103540c098e49142e67fda8452f62c190a934c87.ccc48c9e22d8a69b8c06e006c09aa7a5",
  "state": "J9NithYD8Xyolau9"
}
3.215445 ------------ AccessTokenRequest ------------
3.215751 --> URL: https://connect.openid4.us/abop/op.php/token
3.215758 --> BODY: code=S5qy211A2squ2SV1FaT1eaBhraElUwWSUV7PpCzlAtI&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60103%2Fauthz_cb
3.215768 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic NlhudVYtUGU3bFlUYTJsaGN5QTJvQTphWWFxYTZHdXIxbEtGZw=='}
3.637836 <-- STATUS: 200
3.637953 <-- BODY: {"access_token":"7U0k0hMQxgTtHe5OsliuSLKnlQ_k9y0bnjnhA6XOmVQ","token_type":"Bearer","expires_in":3600,"id_token":"eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOlwvXC9jb25uZWN0Lm9wZW5pZDQudXNcL2Nvbm5lY3Q0dXMuandrIiwia2lkIjoiQUJPUC0wMCJ9.eyJpc3MiOiJodHRwczpcL1wvY29ubmVjdC5vcGVuaWQ0LnVzIiwic3ViIjoiN2I2ZmQwM2NmODJhZGU3MzJiZmMzMWI3ZjA3N2QxNmMyN2VjMzUxODgzYWZlN2Y2ZjRkMzY1ZWY0NmU4MjZiMCIsImF1ZCI6WyI2WG51Vi1QZTdsWVRhMmxoY3lBMm9BIl0sImV4cCI6MTQyNjEwOTI1NSwiaWF0IjoxNDI2MTA4OTU1LCJhdXRoX3RpbWUiOjE0MjYxMDYxMzF9.TTI7Kul_QX1n28bl5BQCw9RMsjcO3VZ-zHV68N5mBJW8whzQz7tXr__Tn_sUsfvE0wfYQiLMe4izkY2rMlcnKvhuugWOgixe7zCNq5UA0an5R0y3x4f78cJj7utjCnR03Z_7s7tWGfD3b4Xj-SZR6lyXsTCggkogkLriT6E-3E82ebq-bN0vFTMr0iObtX_JDQyNvdzRTqKOnZY-bEkJCIgSQSknBkTmNTbxZ5tF289HoAofeENnZu-n3nh8dnoQ-JBbn97MRtbn6yv5V7abSJ-2PLRZ23Qfb2aXUfwSHTRLKKPEcB8twmRz6oM8vgiLdijiP5waonWaKVLNiYqdgg"}
3.950697 AccessTokenResponse: {
  "access_token": "7U0k0hMQxgTtHe5OsliuSLKnlQ_k9y0bnjnhA6XOmVQ",
  "expires_in": 3600,
  "id_token": {
    "aud": [
      "6XnuV-Pe7lYTa2lhcyA2oA"
    ],
    "auth_time": 1426106131,
    "exp": 1426109255,
    "iat": 1426108955,
    "iss": "https://connect.openid4.us",
    "sub": "7b6fd03cf82ade732bfc31b7f077d16c27ec351883afe7f6f4d365ef46e826b0"
  },
  "token_type": "Bearer"
}
3.951943 ------------ RegistrationRequest ------------
3.952296 --> URL: https://connect.openid4.us/abop/op.php/registration
3.952303 --> BODY: {"subject_type": "pairwise", "jwks_uri": "https://op.certification.openid.net:60103/export/jwk_60103.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["authorization_code"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60103/logout"], "redirect_uris": ["https://op.certification.openid.net:60103/authz_cb"], "response_types": ["code"], "require_auth_time": true, "default_max_age": 3600}
3.952312 --> HEADERS: {'Content-type': 'application/json'}
4.494822 <-- STATUS: 200
4.494928 <-- BODY: {"client_id":"i6VAlseypbhc5ETTY5THQw","client_secret":"SSYSqoT4_R9bRA","registration_access_token":"NSXOOud1ZnUpAA","registration_client_uri":"https:\/\/connect.openid4.us\/abop\/op.php\/client\/SBHl67Yr6_kPKNGzMjmiKA","client_id_issued_at":1426108956,"client_secret_expires_at":0,"registration_client_uri_path":"SBHl67Yr6_kPKNGzMjmiKA","contacts":["roland.hedberg at umu.se"],"application_type":"web","redirect_uris":["https:\/\/op.certification.openid.net:60103\/authz_cb"],"post_logout_redirect_uris":["https:\/\/op.certification.openid.net:60103\/logout"],"jwks_uri":"https:\/\/op.certification.openid.net:60103\/export\/jwk_60103.json","subject_type":"pairwise","default_max_age":3600,"require_auth_time":true,"response_types":["code"],"grant_types":["authorization_code"]}
4.495583 RegistrationResponse: {
  "application_type": "web",
  "client_id": "i6VAlseypbhc5ETTY5THQw",
  "client_id_issued_at": 1426108956,
  "client_secret": "SSYSqoT4_R9bRA",
  "client_secret_expires_at": 0,
  "contacts": [
    "roland.hedberg at umu.se"
  ],
  "default_max_age": 3600,
  "grant_types": [
    "authorization_code"
  ],
  "jwks_uri": "https://op.certification.openid.net:60103/export/jwk_60103.json",
  "post_logout_redirect_uris": [
    "https://op.certification.openid.net:60103/logout"
  ],
  "redirect_uris": [
    "https://op.certification.openid.net:60103/authz_cb"
  ],
  "registration_access_token": "NSXOOud1ZnUpAA",
  "registration_client_uri": "https://connect.openid4.us/abop/op.php/client/SBHl67Yr6_kPKNGzMjmiKA",
  "registration_client_uri_path": "SBHl67Yr6_kPKNGzMjmiKA",
  "require_auth_time": true,
  "response_types": [
    "code"
  ],
  "subject_type": "pairwise"
}
4.496978 ------------ AuthorizationRequest ------------
4.497336 --> URL: https://connect.openid4.us/abop/op.php/auth?max_age=1000&state=Lc26NxupLdaPjX1U&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60103%2Fauthz_cb&response_type=code&client_id=i6VAlseypbhc5ETTY5THQw&scope=openid
4.497343 --> BODY: None
7.974225 <-- state=Lc26NxupLdaPjX1U&session_state=d670790da729aacbdccc60f58acf6db72881336149c5392090d9ca012a8e9774.a99f6eac34e82dacb4fa2e0b5dd21f8c&code=JUTcRV89rto0b-eNvi_RV38HGSpEPg04qbOHJXwFFn8
7.974514 AuthorizationResponse: {
  "code": "JUTcRV89rto0b-eNvi_RV38HGSpEPg04qbOHJXwFFn8",
  "session_state": "d670790da729aacbdccc60f58acf6db72881336149c5392090d9ca012a8e9774.a99f6eac34e82dacb4fa2e0b5dd21f8c",
  "state": "Lc26NxupLdaPjX1U"
}
7.974824 ------------ AccessTokenRequest ------------
7.975125 --> URL: https://connect.openid4.us/abop/op.php/token
7.975131 --> BODY: code=JUTcRV89rto0b-eNvi_RV38HGSpEPg04qbOHJXwFFn8&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60103%2Fauthz_cb
7.975141 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic aTZWQWxzZXlwYmhjNUVUVFk1VEhRdzpTU1lTcW9UNF9SOWJSQQ=='}
8.383619 <-- STATUS: 200
8.383722 <-- BODY: {"access_token":"KudEDryGJnzQSsl5FEfT2l1GPJtP6FCwts3J5m8iQS4","token_type":"Bearer","expires_in":3600,"id_token":"eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOlwvXC9jb25uZWN0Lm9wZW5pZDQudXNcL2Nvbm5lY3Q0dXMuandrIiwia2lkIjoiQUJPUC0wMCJ9.eyJpc3MiOiJodHRwczpcL1wvY29ubmVjdC5vcGVuaWQ0LnVzIiwic3ViIjoiMWJiNmY0OGEzOTYzYWMzOTA3MjY5OTIxMGI1ZGU3OWFmYWVhMWJkZTQzM2E2NjhiYTI0N2UxZGUwNjNlNjc4YiIsImF1ZCI6WyJpNlZBbHNleXBiaGM1RVRUWTVUSFF3Il0sImV4cCI6MTQyNjEwOTI2MCwiaWF0IjoxNDI2MTA4OTYwLCJhdXRoX3RpbWUiOjE0MjYxMDg5NTh9.j9rlpu4Fz2V-g8pxxA8Fute4Mc3YOMH2qHu3uWqpQLi1J5q7PO3tMKOBd5ZqFDbdPNW0epWpoy4tTmIz6hnoBm4NeO444jOCWsqsxQZbRBhlwMqbUxAk_bZXA_pUaSSLGjWQ3STx6-uaA-KibiWmZ1AGqoGd-Z9NzelilqHQCRmatAkUijB0XLo2VSMCn7mrgHt-HORJiwo1pQpL2Z5EPxmRMMJQOW5mWETjls9G8FIjfwedX5nn_7tNJzGgqDinOzpPVjRrK_xLMD3E5BsUrSn2RWwxl95i4STWy8h9Q5GlYFIqrZ4DMSoNDZAYr4bt1wESyGoDHSHjmu_2M4bTEA"}
8.386425 AccessTokenResponse: {
  "access_token": "KudEDryGJnzQSsl5FEfT2l1GPJtP6FCwts3J5m8iQS4",
  "expires_in": 3600,
  "id_token": {
    "aud": [
      "i6VAlseypbhc5ETTY5THQw"
    ],
    "auth_time": 1426108958,
    "exp": 1426109260,
    "iat": 1426108960,
    "iss": "https://connect.openid4.us",
    "sub": "1bb6f48a3963ac39072699210b5de79afaea1bde433a668ba247e1de063e678b"
  },
  "token_type": "Bearer"
}
Result

FAILED

```




More information about the Openid-specs-ab mailing list