[Openid-specs-ab] Issue #109: OP-OAuth-2nd-Revokes (Trying to use access code twice should result in revoking previous issued tokens) Test does not check for access token revocation. (openid/certification)

Edmund Jay issues-reply at bitbucket.org
Wed Mar 18 23:15:17 UTC 2015


New issue 109: OP-OAuth-2nd-Revokes (Trying to use access code twice should result in revoking previous issued tokens) Test does not check for access token revocation.
https://bitbucket.org/openid/certification/issue/109/op-oauth-2nd-revokes-trying-to-use-access

Edmund Jay:

This test does not check whether the access token is revoked after the 2nd attempt to retrieve an access token.

It should use the access token at the userinfo endpoint before and after the 2nd attempt to retrieve an access token.


```
#!text

Test info

Profile: {'openid-configuration': 'config', 'extras': True, 'response_type': 'code', 'crypto': 'encrypt+sign', 'registration': 'dynamic'}
Test description: Trying to use access code twice should result in revoking previous issued tokens [Basic, Hybrid]
Test ID: OP-OAuth-2nd-Revokes
Issuer: https://connect.openid4.us
Test output


__RegistrationRequest:post__
[check]
	status: INFORMATION
	description: Registration Response
	info: {"client_id":"vr-SHLd1gWS8g51n5EdfPw","client_secret":"vt4UR1QmIZgxRQ","registration_access_token":"CFFyaVbgJluKog","registration_client_uri":"https:\/\/connect.openid4.us\/abop\/op.php\/client\/7lXTdioiYiVJXN0GBEqQnQ","client_id_issued_at":1426720003,"client_secret_expires_at":0,"contacts":["roland.hedberg at umu.se"],"application_type":"web","redirect_uris":["https:\/\/op.certification.openid.net:60103\/authz_cb","https:\/\/op.certification.openid.net:60103\/cb"],"post_logout_redirect_uris":["https:\/\/op.certification.openid.net:60103\/logout"],"jwks_uri":"https:\/\/op.certification.openid.net:60103\/export\/jwk_60103.json","subject_type":"pairwise","default_max_age":3600,"require_auth_time":true,"response_types":["code"],"grant_types":["authorization_code"]}
__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[verify-error-response]
	status: OK
	description: Checks that the last response was a JSON encoded error message
Trace output


0.000289 ------------ DiscoveryRequest ------------
0.000300 Provider info discover from 'https://connect.openid4.us'
0.000305 --> URL: https://connect.openid4.us/.well-known/openid-configuration
0.402693 ProviderConfigurationResponse: {
  "authorization_endpoint": "https://connect.openid4.us/abop/op.php/auth",
  "check_session_iframe": "https://connect.openid4.us/abop/opframe.php/1",
  "claim_types_supported": [
    "normal"
  ],
  "claims_locales_supported": [
    "en-US"
  ],
  "claims_parameter_supported": true,
  "claims_supported": [
    "name",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "preferred_username",
    "profile",
    "picture",
    "website",
    "email",
    "email_verified",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "phone_number_verified",
    "address",
    "updated_at"
  ],
  "display_values_supported": [
    "page"
  ],
  "end_session_endpoint": "https://connect.openid4.us/abop/op.php/endsession",
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP"
  ],
  "id_token_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512",
    "A128GCM",
    "A256GCM"
  ],
  "id_token_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "issuer": "https://connect.openid4.us",
  "jwks_uri": "https://connect.openid4.us/connect4us.jwk",
  "op_policy_uri": "https://connect.openid4.us/abop/op.php/op_policy",
  "op_tos_uri": "https://connect.openid4.us/abop/op.php/op_tos",
  "registration_endpoint": "https://connect.openid4.us/abop/op.php/registration",
  "request_object_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP"
  ],
  "request_object_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512",
    "A128GCM",
    "A256GCM"
  ],
  "request_object_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": false,
  "response_types_supported": [
    "code",
    "code token",
    "code id_token",
    "token",
    "token id_token",
    "code token id_token",
    "id_token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "address",
    "phone",
    "offline_access"
  ],
  "service_documentation": "https://connect.openid4.us/abop/op.php/servicedocs",
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "token_endpoint": "https://connect.openid4.us/abop/op.php/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "ui_locales_supported": [
    "en-US"
  ],
  "userinfo_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP"
  ],
  "userinfo_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512",
    "A128GCM",
    "A256GCM"
  ],
  "userinfo_endpoint": "https://connect.openid4.us/abop/op.php/userinfo",
  "userinfo_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512"
  ],
  "version": "3.0"
}
0.730692 JWKS: {
  "keys": [
    {
      "e": "AQAB",
      "kid": "ABOP-00",
      "kty": "RSA",
      "n": "tf_sB4M0sHearRLzz1q1JRgRdRnwk0lz-IcVDFlpp2dtDVyA-ZM8Tu1swp7upaTNykf7cp3Ne_6uW3JiKvRMDdNdvHWCzDHmbmZWGdnFF9Ve-D1cUxj4ETVpUM7AIXWbGs34fUNYl3Xzc4baSyvYbc3h6iz8AIdb_1bQLxJsHBi-ydg3NMJItgQJqBiwCmQYCOnJlekR-Ga2a5XlIx46Wsj3Pz0t0dzM8gVSU9fU3QrKKzDFCoFHTgig1YZNNW5W2H6QwANL5h-nbgre5sWmDmdnfiU6Pj5GOQDmp__rweinph8OAFNF6jVqrRZ3QJEmMnO42naWOsxV2FAUXafksQ"
    }
  ]
}
0.731601 ------------ RegistrationRequest ------------
0.733058 --> URL: https://connect.openid4.us/abop/op.php/registration
0.733083 --> BODY: {"subject_type": "pairwise", "jwks_uri": "https://op.certification.openid.net:60103/export/jwk_60103.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["authorization_code"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60103/logout"], "redirect_uris": ["https://op.certification.openid.net:60103/authz_cb", "https://op.certification.openid.net:60103/cb"], "response_types": ["code"], "require_auth_time": true, "default_max_age": 3600}
0.733094 --> HEADERS: {'Content-type': 'application/json'}
1.198194 <-- STATUS: 200
1.198305 <-- BODY: {"client_id":"vr-SHLd1gWS8g51n5EdfPw","client_secret":"vt4UR1QmIZgxRQ","registration_access_token":"CFFyaVbgJluKog","registration_client_uri":"https:\/\/connect.openid4.us\/abop\/op.php\/client\/7lXTdioiYiVJXN0GBEqQnQ","client_id_issued_at":1426720003,"client_secret_expires_at":0,"contacts":["roland.hedberg at umu.se"],"application_type":"web","redirect_uris":["https:\/\/op.certification.openid.net:60103\/authz_cb","https:\/\/op.certification.openid.net:60103\/cb"],"post_logout_redirect_uris":["https:\/\/op.certification.openid.net:60103\/logout"],"jwks_uri":"https:\/\/op.certification.openid.net:60103\/export\/jwk_60103.json","subject_type":"pairwise","default_max_age":3600,"require_auth_time":true,"response_types":["code"],"grant_types":["authorization_code"]}
1.199013 RegistrationResponse: {
  "application_type": "web",
  "client_id": "vr-SHLd1gWS8g51n5EdfPw",
  "client_id_issued_at": 1426720003,
  "client_secret": "vt4UR1QmIZgxRQ",
  "client_secret_expires_at": 0,
  "contacts": [
    "roland.hedberg at umu.se"
  ],
  "default_max_age": 3600,
  "grant_types": [
    "authorization_code"
  ],
  "jwks_uri": "https://op.certification.openid.net:60103/export/jwk_60103.json",
  "post_logout_redirect_uris": [
    "https://op.certification.openid.net:60103/logout"
  ],
  "redirect_uris": [
    "https://op.certification.openid.net:60103/authz_cb",
    "https://op.certification.openid.net:60103/cb"
  ],
  "registration_access_token": "CFFyaVbgJluKog",
  "registration_client_uri": "https://connect.openid4.us/abop/op.php/client/7lXTdioiYiVJXN0GBEqQnQ",
  "require_auth_time": true,
  "response_types": [
    "code"
  ],
  "subject_type": "pairwise"
}
1.200513 ------------ AuthorizationRequest ------------
1.200890 --> URL: https://connect.openid4.us/abop/op.php/auth?scope=openid&state=nJ6iBx03ubWmkFfc&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60103%2Fauthz_cb&response_type=code&client_id=vr-SHLd1gWS8g51n5EdfPw
1.200897 --> BODY: None
3.371379 <-- state=nJ6iBx03ubWmkFfc&session_state=dc8b0bd052c62dd5b5dae89d1097cad0ca3e9e3a23e90c07586a44d176d847f3.e79c35f04bf9bc580c251dbf06237ad9&code=6tF1ar909NOsMCrcesXJ30FTYS6zWKE1vMzNPyjSEwE
3.371681 AuthorizationResponse: {
  "code": "6tF1ar909NOsMCrcesXJ30FTYS6zWKE1vMzNPyjSEwE",
  "session_state": "dc8b0bd052c62dd5b5dae89d1097cad0ca3e9e3a23e90c07586a44d176d847f3.e79c35f04bf9bc580c251dbf06237ad9",
  "state": "nJ6iBx03ubWmkFfc"
}
3.371998 ------------ AccessTokenRequest ------------
3.372306 --> URL: https://connect.openid4.us/abop/op.php/token
3.372312 --> BODY: code=6tF1ar909NOsMCrcesXJ30FTYS6zWKE1vMzNPyjSEwE&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60103%2Fauthz_cb
3.372322 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic dnItU0hMZDFnV1M4ZzUxbjVFZGZQdzp2dDRVUjFRbUlaZ3hSUQ=='}
3.824775 <-- STATUS: 200
3.824897 <-- BODY: {"access_token":"RkCTqQFMkv1cx7zuW9SKu_yF-Gk0iCIY0bq-23c00Gs","token_type":"Bearer","expires_in":3600,"id_token":"eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOlwvXC9jb25uZWN0Lm9wZW5pZDQudXNcL2Nvbm5lY3Q0dXMuandrIiwia2lkIjoiQUJPUC0wMCJ9.eyJpc3MiOiJodHRwczpcL1wvY29ubmVjdC5vcGVuaWQ0LnVzIiwic3ViIjoiZWFlN2Y2N2UyNzAzNDdlZTdhMDc5MjNlMzc2OTE3MmU1MWRiM2QxOWNjY2MxY2M4ZjFjN2FiMDg4NDRmMTdhOCIsImF1ZCI6WyJ2ci1TSExkMWdXUzhnNTFuNUVkZlB3Il0sImV4cCI6MTQyNjcyMDMwNiwiaWF0IjoxNDI2NzIwMDA2LCJhdXRoX3RpbWUiOjE0MjY3MTk1MzV9.MQKyu4VViopzNnVGQ-tbay2h9XQrXcI6OqR-hGie6eFr7_OzjdcoPqY-sBZCKl1m7z93Lm6CC8MfHoLHIQ5jvIMda5RcPFV_-2PTiMMeWICxRHPJtTyUAe1Ep1-Nfv4NjqoVzX1FCJeh_v0mudi05xu8u4YfFzlhzzuGg5vRw_UozIizE1qlCfQYqvJ3c17WbwWtaf0bJcww0vYzbFtLFuy7rRy-IKxwfKb74ocnnRzCHwP8610G_qPt1BMbXkOynLnZXfxarR_m4IMRDO_Z_LeJR9hQw40DsSkBF0acRglugQG_xolwTILDHwdgtSPs1cv5HvtelfHKKXKjkzfgLA"}
4.202532 AccessTokenResponse: {
  "access_token": "RkCTqQFMkv1cx7zuW9SKu_yF-Gk0iCIY0bq-23c00Gs",
  "expires_in": 3600,
  "id_token": {
    "claims": {
      "aud": [
        "vr-SHLd1gWS8g51n5EdfPw"
      ],
      "auth_time": 1426719535,
      "exp": 1426720306,
      "iat": 1426720006,
      "iss": "https://connect.openid4.us",
      "sub": "eae7f67e270347ee7a07923e3769172e51db3d19cccc1cc8f1c7ab08844f17a8"
    },
    "jws header parameters": {
      "alg": "RS256",
      "jku": "https://connect.openid4.us/connect4us.jwk",
      "kid": "ABOP-00"
    }
  },
  "token_type": "Bearer"
}
4.203706 ------------ AccessTokenRequest ------------
4.204049 --> URL: https://connect.openid4.us/abop/op.php/token
4.204055 --> BODY: code=6tF1ar909NOsMCrcesXJ30FTYS6zWKE1vMzNPyjSEwE&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60103%2Fauthz_cb
4.204065 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic dnItU0hMZDFnV1M4ZzUxbjVFZGZQdzp2dDRVUjFRbUlaZ3hSUQ=='}
4.607333 <-- STATUS: 400
Result

PASSED
```




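The check the issue asks for, as an added example that is not part of Edmund Jay's report or of the openid/certification test suite: an in-memory stand-in for an OP (constructed here; the class and function names are assumptions) together with the test procedure described above. The procedure exchanges the authorization code once, calls userinfo with the resulting access token, replays the same code, and calls userinfo again. RFC 6749 section 4.1.2 requires the server to deny the replayed exchange and says it SHOULD revoke all tokens previously issued on that code, so the expected sequence is userinfo 200, second exchange 400, userinfo 401. The `revoke_on_reuse=False` variant models an OP that only rejects the second exchange; the trace above would still show "PASSED" for such an OP because `verify-error-response` looks at the error response alone, which is the gap the issue reports.

```python
"""Model of the OP-OAuth-2nd-Revokes check with an in-memory OP (constructed example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class MockOP:
    """Minimal authorization server: authorization codes are single-use and, when
    revoke_on_reuse is set, replaying a code revokes the tokens issued on it
    (RFC 6749 section 4.1.2). This is a constructed stand-in, not a real OP."""
    codes: dict = field(default_factory=dict)        # code -> {"used": bool, "tokens": set}
    access_tokens: set = field(default_factory=set)  # currently valid bearer tokens
    revoke_on_reuse: bool = True

    def authorize(self) -> str:
        """Authorization endpoint: issue a fresh code (user consent assumed)."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"used": False, "tokens": set()}
        return code

    def token(self, code: str):
        """Token endpoint: exchange a code once; on reuse deny and (optionally) revoke."""
        entry = self.codes.get(code)
        if entry is None:
            return 400, {"error": "invalid_grant"}
        if entry["used"]:
            if self.revoke_on_reuse:
                for issued in entry["tokens"]:
                    self.access_tokens.discard(issued)
            return 400, {"error": "invalid_grant"}
        entry["used"] = True
        access_token = secrets.token_urlsafe(32)
        entry["tokens"].add(access_token)
        self.access_tokens.add(access_token)
        return 200, {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def userinfo(self, bearer: str):
        """Userinfo endpoint: 200 for a live token, 401 for anything else."""
        if bearer in self.access_tokens:
            return 200, {"sub": "constructed-subject"}
        return 401, {"error": "invalid_token"}


def run_2nd_revokes_check(op: MockOP) -> dict:
    """The test flow the issue asks for: probe userinfo before and after replaying the code.

    Returns one boolean per expectation so a caller can see which step failed."""
    code = op.authorize()
    first_status, body = op.token(code)
    access_token = body.get("access_token", "")
    before_status, _ = op.userinfo(access_token)    # must be 200: token is live
    second_status, _ = op.token(code)               # replay: must be rejected
    after_status, _ = op.userinfo(access_token)     # must be 401: token revoked
    return {
        "first_exchange_ok": first_status == 200,
        "userinfo_before_ok": before_status == 200,
        "second_exchange_rejected": second_status == 400,
        "token_revoked_after_reuse": after_status == 401,
    }


if __name__ == "__main__":
    for label, op in (("revoking OP", MockOP()), ("non-revoking OP", MockOP(revoke_on_reuse=False))):
        result = run_2nd_revokes_check(op)
        verdict = "PASSED" if all(result.values()) else "FAILED"
        print(f"{label}: {verdict} {result}")
```

Only `token_revoked_after_reuse` distinguishes the two OPs; a check that stops at `second_exchange_rejected` is the one the trace above shows passing.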