[Openid-specs-ab] Issue #97: Test OP-request_uri-Unsigned not treating legal error code request_uri_not_supported as a success condition when not testing Dynamic profile (openid/certification)

Michael Jones issues-reply at bitbucket.org
Tue Mar 17 00:32:57 UTC 2015


New issue 97: Test OP-request_uri-Unsigned not treating legal error code request_uri_not_supported as a success condition when not testing Dynamic profile
https://bitbucket.org/openid/certification/issue/97/test-op-request_uri-unsigned-not-treating

Michael Jones:

As allowed by http://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter, the configuration https://op.certification.openid.net:60708/ is returning the error request_uri_not_supported.  The tests need to recognize this error code and treat it as a success condition unless testing the Dynamic profile, in which full support for request_uri is required, per http://openid.net/specs/openid-connect-core-1_0.html#DynamicMTI.

You should probably add a separate test for the Dynamic profile case, in which returning request_uri_not_supported *is* treated as an error.  Maybe call that one OP-request_uri-Unsigned-Dynamic.  And only trigger the current test in the static registration case.

The log follows:

Test info
Profile: {'openid-configuration': 'config', 'response_type': 'id_token+token', 'crypto': 'sign', 'registration': 'static'}
Test description: Support request_uri request parameter with unsigned request [Basic, Implicit, Hybrid, Dynamic]
Test ID: OP-request_uri-Unsigned
Issuer: https://stsadweb.one.microsoft.com/adfs
________________________________________
Test output

__AuthorizationRequest:pre__
[check-response-type]
        status: OK
        description: Checks that the asked for response type are among the supported
[check-endpoint]
        status: OK
        description: Checks that the necessary endpoint exists at a server
[-]
        status: ERROR
        info: request_uri_not_supported
________________________________________
Trace output

0.000290 ------------ DiscoveryRequest ------------
0.000301 Provider info discover from 'https://stsadweb.one.microsoft.com/adfs'
0.000307 --> URL: https://stsadweb.one.microsoft.com/adfs/.well-known/openid-configuration
0.452911 ProviderConfigurationResponse: {
  "access_token_issuer": "http://stsadweb.one.microsoft.com/adfs/services/trust",
  "authorization_endpoint": "https://stsadweb.one.microsoft.com/adfs/oauth2/authorize/",
  "claims_parameter_supported": false,
  "claims_supported": [
    "aud",
    "iss",
    "iat",
    "exp",
    "auth_time",
    "nonce",
    "at_hash",
    "c_hash",
    "sub",
    "upn",
    "unique_name",
    "pwd_url",
    "pwd_exp",
    "ver"
  ],
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "implicit",
    "password"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "issuer": "https://stsadweb.one.microsoft.com/adfs",
  "jwks_uri": "https://stsadweb.one.microsoft.com/adfs/discovery/keys",
  "request_parameter_supported": false,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "token id_token"
  ],
  "scopes_supported": [
    "user_impersonation",
    "full_access",
    "logon_cert",
    "vpn_cert",
    "email",
    "openid",
    "aza",
    "profile"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "token_endpoint": "https://stsadweb.one.microsoft.com/adfs/oauth2/token/",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "windows_client_authentication"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256"
  ],
  "version": "3.0",
  "webfinger_endpoint": "https://stsadweb.one.microsoft.com/adfs/.well-known/webfinger"
}
0.888772 JWKS: {
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "f-5GWKyaV6fDdnKB7A3b0llXZ0E",
      "kty": "RSA",
      "n": "ygUNL9XXanKy_fQ1X0SMt9LRKpH3Xup1lk5mivaw7thYRPrkGArJezV4x-hfk3Rm9qv6ikBGnTW0lI8FqotLcXmvIBqtbIDfSh59uts1r0QLRUVKS_2OL_Ia8KL56VHhG7fnjH9-rLE8Exksnb3f6y0dkF2VhU2-ED5fhpHbHZi7kCv7jt1xgsk7xrM1WpQNBP3xq15BfMu83TgUKT21HP-E7O9hEFFJ1M0BJg0uZNxNUauLhbwd05dqB-k2Nmr6XUnEQlW0nU9BJvWSs0xruyirHKbOCllEVopZ2vyc1z7_YWPcxDXFx2q52f0_mh74mafkE-Xi5Njk0dkH4OqGaQ",
      "use": "sig",
      "x5c": [
        "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"
      ],
      "x5t": "f-5GWKyaV6fDdnKB7A3b0llXZ0E"
    }
  ]
}
0.889602 ------------ AuthorizationRequest ------------
0.890495 --> URL: https://stsadweb.one.microsoft.com/adfs/oauth2/authorize/?nonce=CRHEcSyb90yF&resource=http%3A%2F%2Fwww.microsoftshouldfixthisbug.com%2F&state=0aZacxGnR9pY6rPx&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60708%2Fauthz_cb&response_type=id_token+token&client_id=OICTest3&scope=openid&request_uri=https%3A%2F%2Fop.certification.openid.net%3A60708%2Fexport%2FwblOgk8phY.jwt
0.890504 --> BODY: None
1.044231 QUERY_STRING:client-request-id=00000000-0000-0000-822b-008000000099
1.545504 <-- error=request_uri_not_supported&error_description=MSIS9635%3a+The+%27request_uri%27+parameter+is+not+supported.&state=0aZacxGnR9pY6rPx
1.546513 [ERROR] NotAllowedValue:request_uri_not_supported
________________________________________
Result
FAILED 



Responsible: Rohe
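The pass/fail rule requested in the issue, as an added example; this is not the certification suite's code. The function names, the `"dynamic"` registration value and the status strings are assumptions, and the sample response is copied from the trace above.

```python
from urllib.parse import parse_qs

# Error code named in the issue (OpenID Connect Core, request_uri parameter).
REQUEST_URI_NOT_SUPPORTED = "request_uri_not_supported"

# Authorization error response copied from the trace in this report.
SAMPLE_RESPONSE = (
    "error=request_uri_not_supported&error_description=MSIS9635%3a+The+"
    "%27request_uri%27+parameter+is+not+supported.&state=0aZacxGnR9pY6rPx"
)
# Profile as shown on the 'Profile' line of the log.
STATIC_PROFILE = {"openid-configuration": "config",
                  "response_type": "id_token+token",
                  "crypto": "sign", "registration": "static"}


def parse_authz_response(encoded):
    """Flatten a query- or fragment-encoded authorization response."""
    return {k: v[0] for k, v in parse_qs(encoded, keep_blank_values=True).items()}


def evaluate_request_uri_test(profile, encoded_response, sent_state):
    """Return (status, reason) for the unsigned request_uri test (hypothetical helper)."""
    params = parse_authz_response(encoded_response)
    # The OP must echo the request's state, on error responses too.
    if params.get("state") != sent_state:
        return "ERROR", "state mismatch"
    error = params.get("error")
    if error is None:
        # Simplification: a real test would go on to validate the tokens.
        return "OK", "request_uri accepted"
    # Assumption: the Dynamic profile is marked by registration == "dynamic".
    dynamic = profile.get("registration") == "dynamic"
    if error == REQUEST_URI_NOT_SUPPORTED:
        if dynamic:
            return "ERROR", "request_uri support is mandatory for Dynamic"
        return "OK", "OP legally declined request_uri"
    return "ERROR", "unexpected error: " + error


if __name__ == "__main__":
    print(evaluate_request_uri_test(STATIC_PROFILE, SAMPLE_RESPONSE,
                                    "0aZacxGnR9pY6rPx"))
```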

