[Openid-specs-ab] Issue #122: OP-OAuth-2nd-Revokes is broken again (getting fail where it should be a warning) (openid/certification)

Brian Campbell issues-reply at bitbucket.org
Fri Mar 20 12:00:29 UTC 2015


New issue 122: OP-OAuth-2nd-Revokes is broken again (getting fail where it should be a warning)
https://bitbucket.org/openid/certification/issue/122/op-oauth-2nd-revokes-is-broken-again

Brian Campbell:

Recent work on OP-OAuth-2nd* clean-up seems to have introduced (or reintroduced; seems similar to #58) this problem.

We should get a warning here not a failure when the access token obtained from the initial code exchange is used at the user info endpoint after the second code exchange fails. 


```
#!text


Test info
Profile: {'openid-configuration': 'config', 'response_type': 'code', 'crypto': 'none+sign', 'registration': 'dynamic'}
Test description: Trying to use authorization code twice should result in revoking previous issued access tokens [Basic, Hybrid]
Test ID: OP-OAuth-2nd-Revokes
Issuer: https://gold.pinglabs.net
Test output


__RegistrationRequest:post__
[check]
	status: INFORMATION
	description: Registration Response
	info: {"client_id":"_.dS5V4iR8mrI8Hscm5SJGOI4U","client_secret":"PL1j-l8chJjx7RI8xzvy2Pz-o7vBVHVUJkBuvShd9UnCXBwMh3rV5jj6sutzO3hF52t3dO6ZIfW-xoATds-r9Q","token_endpoint_auth_method":"client_secret_basic","expires_at":0,"client_name":"NO CLIENT NAME PROVIDED","redirect_uris":["https://op.certification.openid.net:60050/authz_cb"],"grant_types":["authorization_code"]}

__AuthorizationRequest:pre__
[check-response-type]
	status: OK
	description: Checks that the asked for response type are among the supported
[check-endpoint]
	status: OK
	description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[verify-response]
	status: ERROR
	description: Checks that the last response was one of a possible set of OpenID Connect Responses
	info: Got a OpenIDSchema response

Trace output


0.000322 ------------ DiscoveryRequest ------------
0.000337 Provider info discover from 'https://gold.pinglabs.net'
0.000344 --> URL: https://gold.pinglabs.net/.well-known/openid-configuration
0.355964 ProviderConfigurationResponse: {
  "authorization_endpoint": "https://gold.pinglabs.net/as/authorization.oauth2",
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": false,
  "claims_supported": [
    "address",
    "birthdate",
    "email",
    "email_verified",
    "family_name",
    "gender",
    "given_name",
    "locale",
    "middle_name",
    "name",
    "nickname",
    "phone_number",
    "picture",
    "preferred_username",
    "profile",
    "sub",
    "website",
    "zoneinfo"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "id_token_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512"
  ],
  "issuer": "https://gold.pinglabs.net",
  "jwks_uri": "https://gold.pinglabs.net/pf/JWKS",
  "ping_end_session_endpoint": "https://gold.pinglabs.net/idp/startSLO.ping",
  "ping_revoked_sris_endpoint": "https://gold.pinglabs.net/pf-ws/rest/sessionMgmt/revokedSris",
  "registration_endpoint": "https://gold.pinglabs.net/idp/client-registration.openid",
  "request_object_signing_alg_values_supported": [
    "none"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "response_modes_supported": [
    "fragment",
    "query",
    "form_post"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token"
  ],
  "revocation_endpoint": "https://gold.pinglabs.net/as/revoke_token.oauth2",
  "scopes_supported": [
    "product",
    "phone",
    "pingone-native-application",
    "email",
    "address",
    "admin",
    "edit",
    "openid",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://gold.pinglabs.net/as/token.oauth2",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "none"
  ],
  "userinfo_endpoint": "https://gold.pinglabs.net/idp/userinfo.openid",
  "version": "3.0"
}
0.639323 JWKS: {
  "keys": [
    {
      "crv": "P-521",
      "kid": "db8bn",
      "kty": "EC",
      "use": "sig",
      "x": "ASLwmn2_-KYo83mxm98F6GovY4D44cYYoTRLeAFpqQU03vg805X3QDEwu7jokx3YSf5-zGyzoB4-TeZsz29TJUwS",
      "y": "AFu9fYtiPgCg1HrKibnXp5Gqxsg-Mm9L3t4sATbzQ1xCx0NJ-Dzp3j91vjA-CN62eoEwGLfMDB66K0tu6wYK--hm"
    },
    {
      "crv": "P-384",
      "kid": "db8bm",
      "kty": "EC",
      "use": "sig",
      "x": "1hL-CwQ5nlrYxLWkHyQ5wlD3JXXwVXdTyhBS1Bb-5Zw8mvMabBWwOXOgbTrvX2wN",
      "y": "ulduhNII1Y9ZiHQ1KaLKiY1a2nk7TPoPDGeE_uAVzZg2IQudwpOWdY4wwsmkbXJu"
    },
    {
      "crv": "P-256",
      "kid": "db8bl",
      "kty": "EC",
      "use": "sig",
      "x": "d48GrAXUpOVbDZQZt5gvo3qTKfyBpPuS5ywc6QaA_e4",
      "y": "fzQiPiafTHBgj4f1O-CjMsJl7ufDbjfJiJgKh-amuO0"
    },
    {
      "e": "AQAB",
      "kid": "db8bk",
      "kty": "RSA",
      "n": "hN3QkB3WFMlmYdJtEi7VrBz8zCsy0Z2dq8AjFjFH3hAoQnJI7U7rnuY-Mb7RsFbPxcE-abwnW4kRq5CXqw5idmaX2sU8J1sEOqNBzRMFQpd3ejdKCDTUu3CJBCk4--0z6JZOf220EqHGv8TqRqUrBv4CjacJTfHVBFzUDdPR-9baRzCMAQjOZBiMu3Mjqe877bHV0RypUqA8O318p7OuPYtd6_hqZoeL2v_Lh7yTJ5UlmXnBSMN5frrMzbruN4OYxc1NkbGbxM0r0DIBpC2loLxJYK21hM_KBdCmpIWx7UxWWXVrSvIfda2gq5rekN_M7mqhm2M2udTiR7inMNAcNw",
      "use": "sig"
    },
    {
      "crv": "P-521",
      "kid": "db8bj",
      "kty": "EC",
      "use": "sig",
      "x": "ACSR7VCMCfNW1P-WOmfkYl6hC4rTXsy5OP8S_54FVacLq7DVp8Cdoox68icQN2hVaM07mxfFrs3o6wn55GgTeyHl",
      "y": "ANdpBLJo3sbVmDK_T4Vh5vJ5d3xuQI12li9wdV-6VCoUxXyxTD-qKiM1skP26S2pTSrUvXmZjsnqq6xlFwdAeyDO"
    },
    {
      "crv": "P-384",
      "kid": "db8bi",
      "kty": "EC",
      "use": "sig",
      "x": "ho8Ucz6EttMS-fSd8yU3nvA3WSOHkfkLg2Gndo--KRP0a0wwuRjeVVc5GgN7g-43",
      "y": "63IfclToASFrhgNcnaAqe7uZ4scN5RdUp9B_2-ecm-AxHs73JyS6S9ez_4T0G6YC"
    },
    {
      "crv": "P-256",
      "kid": "db8bh",
      "kty": "EC",
      "use": "sig",
      "x": "jjSV_4p0KGoJ4JuwHEZAaFy2FSplC3R-USGZckNJyY8",
      "y": "Lt1G6pWNiu4MMXlINMSp0mwSAsSLtHhe-eBR1EQN67o"
    },
    {
      "e": "AQAB",
      "kid": "db8bg",
      "kty": "RSA",
      "n": "r6hSRwrjSebC2HFz7NRXs3loS2qrAz3E21v1Lpxabykcs_7i3nfYKoVu6ssgXarXBPHD_oRjQ-I26WPW3_5hQzyxrMMDlEShAXrZfMjLEU1Rov3XNRdLWT09cCzRMJ3ipzHYABAnylP_ifr5kGcoE60uhf6_9tixr-oBmFF2yh4jY0l0vrCkXyxNZHki4cBE-SzYzCuDlVG6WcYXETXCuzqIMfm-Ius_bUWK2Kefky9XWk-DGR2MeE8-hrsMJahaMDoTZCbl1id3eKoCLChG7n_DnE-1Z16WYLkzQffnjndGRnjcABW3yY4e9wZeeD43jQ9YR3BPA7TRD4XfqmzXZQ",
      "use": "sig"
    },
    {
      "crv": "P-521",
      "kid": "db8bf",
      "kty": "EC",
      "use": "sig",
      "x": "AYF14IO8ntW7Ub5aKgk6hdnGNn9PPUDjyqLskou_ERSkimNUiccWWTmSsbe1bRNlyNOAO_3zM8HuEPZTKE1rUD4C",
      "y": "AA9P6ZpXl9t_W-8-ptZ7IRokc1TIb-jl14FIc7AQY3tvmkXNotViQXC_rVzHhizrgtsNmYdVl2DOsGqFXzVZrHFe"
    },
    {
      "crv": "P-384",
      "kid": "db8be",
      "kty": "EC",
      "use": "sig",
      "x": "MouHmNhJBVVeLR3e9lb_tSqXTANHJLQz-ivXrg7zU_Qgi94HDAeMlI-nMbaR0h9H",
      "y": "wKtUmUdLC62SzOk06sPqUKLQqa5Jn-5iUywau7doFZCYNzCPIvWkKWKf5mO1fQz1"
    },
    {
      "crv": "P-256",
      "kid": "db8bd",
      "kty": "EC",
      "use": "sig",
      "x": "4VKlQkRC4-fhoRR2m4aBup4OGzXFUudvmPEvHse2yUQ",
      "y": "JJqrLy7z825x-piZepFjav9nqyroDmt-UYLkI8hxD6o"
    },
    {
      "e": "AQAB",
      "kid": "db8bc",
      "kty": "RSA",
      "n": "l2eYpRaSwgPlS6hgKJivQQNUAMMDq829wJ1EI0RfoTPpnlQ_PV5AWcpYioEWwH-oZrvsy7Krt0BgKTzD7-TbjmfT_rmTA1GN-L5XOJ9gmZ0QtDY6wagyFdcLAnHpbjLbtVGk2avVsBEcLXQx2CdfbMUDpG8wWBpgBa3aOFTPgjSlP_UxuSvusswxcZMyscT_CqUy0HfDRxon3BBS7-YBjYcyziy0AB8zTVCnjL5tvFiufHzr5aqBFEc3_9mxhdb4e95eepVOMboITpblg0CYHsgdA6LLHbG7Wd334az10ehlcHvAB0GN5_PDwYHuR_BJdNAK9g8uvFwZu0eqHKtM7w",
      "use": "sig"
    }
  ]
}
0.640327 ------------ RegistrationRequest ------------
0.640713 --> URL: https://gold.pinglabs.net/idp/client-registration.openid
0.640721 --> BODY: {"subject_type": "public", "jwks_uri": "https://op.certification.openid.net:60050/export/jwk_60050.json", "contacts": ["roland.hedberg at umu.se"], "application_type": "web", "grant_types": ["authorization_code"], "post_logout_redirect_uris": ["https://op.certification.openid.net:60050/logout"], "redirect_uris": ["https://op.certification.openid.net:60050/authz_cb"], "response_types": ["code"], "require_auth_time": true, "default_max_age": 3600}
0.640730 --> HEADERS: {'Content-type': 'application/json'}
0.947350 <-- STATUS: 200
0.947392 <-- BODY: {"client_id":"_.dS5V4iR8mrI8Hscm5SJGOI4U","client_secret":"PL1j-l8chJjx7RI8xzvy2Pz-o7vBVHVUJkBuvShd9UnCXBwMh3rV5jj6sutzO3hF52t3dO6ZIfW-xoATds-r9Q","token_endpoint_auth_method":"client_secret_basic","expires_at":0,"client_name":"NO CLIENT NAME PROVIDED","redirect_uris":["https://op.certification.openid.net:60050/authz_cb"],"grant_types":["authorization_code"]}

0.947949 RegistrationResponse: {
  "client_id": "_.dS5V4iR8mrI8Hscm5SJGOI4U",
  "client_name": "NO CLIENT NAME PROVIDED",
  "client_secret": "PL1j-l8chJjx7RI8xzvy2Pz-o7vBVHVUJkBuvShd9UnCXBwMh3rV5jj6sutzO3hF52t3dO6ZIfW-xoATds-r9Q",
  "expires_at": 0,
  "grant_types": [
    "authorization_code"
  ],
  "redirect_uris": [
    "https://op.certification.openid.net:60050/authz_cb"
  ],
  "token_endpoint_auth_method": "client_secret_basic"
}
0.949423 ------------ AuthorizationRequest ------------
0.949809 --> URL: https://gold.pinglabs.net/as/authorization.oauth2?scope=openid&state=F4m7C5oOe8HapLSp&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60050%2Fauthz_cb&response_type=code&client_id=_.dS5V4iR8mrI8Hscm5SJGOI4U
0.949816 --> BODY: None
53.908259 <-- state=F4m7C5oOe8HapLSp&code=y8b45gXVWOo4UhzssCm2OCMF7o8HlubsDbo5xIZeyPM
53.908563 AuthorizationResponse: {
  "code": "y8b45gXVWOo4UhzssCm2OCMF7o8HlubsDbo5xIZeyPM",
  "state": "F4m7C5oOe8HapLSp"
}
53.908913 ------------ AccessTokenRequest ------------
53.909267 --> URL: https://gold.pinglabs.net/as/token.oauth2
53.909273 --> BODY: code=y8b45gXVWOo4UhzssCm2OCMF7o8HlubsDbo5xIZeyPM&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60050%2Fauthz_cb
53.909285 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic Xy5kUzVWNGlSOG1ySThIc2NtNVNKR09JNFU6UEwxai1sOGNoSmp4N1JJOHh6dnkyUHotbzd2QlZIVlVKa0J1dlNoZDlVbkNYQndNaDNyVjVqajZzdXR6TzNoRjUydDNkTzZaSWZXLXhvQVRkcy1yOVE='}
54.249843 <-- STATUS: 200
54.249883 <-- BODY: {"token_type":"Bearer","expires_in":7200,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImRiOGJnIn0.eyJzdWIiOiJqYnJhZGxleSIsImF1ZCI6Il8uZFM1VjRpUjhtckk4SHNjbTVTSkdPSTRVIiwianRpIjoialEyNGFDcmIzaUczS2ZKd0FGck5DcCIsImlzcyI6Imh0dHBzOlwvXC9nb2xkLnBpbmdsYWJzLm5ldCIsImlhdCI6MTQyNjg1MjExMCwiZXhwIjoxNDI2ODUyNDEwLCJhdXRoX3RpbWUiOjE0MjY4NTE4MTN9.FBg_cD0cYZlFGKaC22-XlXas4-KEiS98dynrL5YmMvQSrEIgz1lJQCeehTHEhBTN4_yESzumn9IZTyAIAi9-i_6HcX-XyOiJSWL63dc-gkj6Ji9wYC67WyZJZvtf7zeKOyxAN3BRTL0vjQpXmYCRZbaY9Z7DWU013UmMALEUKqEu77sfQNVS8D2_7YPUmnQpDv_Frm7bWAHxhVQehCjQ8kha_ljbt74-_k4PQgHTNo5JdhkHhoXt6nEwgAxJ8-VWou1vEBK7l2TvB6cdD3TwVHdRmq2-YcoPLj87lwQ0J_fRPyLbTYBd4MKTWcjjRvzAhklcpMbE-D9Ubb5_oonFfw","access_token":"FfafDcYgpz6DG3KVcUuUP0GLWgWh"}

54.585431 AccessTokenResponse: {
  "access_token": "FfafDcYgpz6DG3KVcUuUP0GLWgWh",
  "expires_in": 7200,
  "id_token": {
    "claims": {
      "aud": [
        "_.dS5V4iR8mrI8Hscm5SJGOI4U"
      ],
      "auth_time": 1426851813,
      "exp": 1426852410,
      "iat": 1426852110,
      "iss": "https://gold.pinglabs.net",
      "jti": "jQ24aCrb3iG3KfJwAFrNCp",
      "sub": "jbradley"
    },
    "jws header parameters": {
      "alg": "RS256",
      "kid": "db8bg"
    }
  },
  "token_type": "Bearer"
}
54.586582 ------------ AccessTokenRequest ------------
54.586907 --> URL: https://gold.pinglabs.net/as/token.oauth2
54.586915 --> BODY: code=y8b45gXVWOo4UhzssCm2OCMF7o8HlubsDbo5xIZeyPM&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A60050%2Fauthz_cb
54.586926 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded', 'Authorization': 'Basic Xy5kUzVWNGlSOG1ySThIc2NtNVNKR09JNFU6UEwxai1sOGNoSmp4N1JJOHh6dnkyUHotbzd2QlZIVlVKa0J1dlNoZDlVbkNYQndNaDNyVjVqajZzdXR6TzNoRjUydDNkTzZaSWZXLXhvQVRkcy1yOVE='}
55.016605 <-- STATUS: 400
55.016721 ErrorResponse: {
  "error": "invalid_grant",
  "error_description": "Authorization code is invalid or expired."
}
55.017825 ------------ UserInfoRequest ------------
55.018106 --> URL: https://gold.pinglabs.net/idp/userinfo.openid
55.018112 --> BODY: None
55.018121 --> HEADERS: {'Authorization': u'Bearer FfafDcYgpz6DG3KVcUuUP0GLWgWh'}
55.323885 <-- STATUS: 200
55.323961 Available verification keys: [(u'db8bn', u'EC'), (u'db8bm', u'EC'), (u'db8bl', u'EC'), (u'db8bk', u'RSA'), (u'db8bj', u'EC'), (u'db8bi', u'EC'), (u'db8bh', u'EC'), (u'db8bg', u'RSA'), (u'db8bf', u'EC'), (u'db8be', u'EC'), (u'db8bd', u'EC'), (u'db8bc', u'RSA')]
55.323989 Available decryption keys: [('a0', 'RSA'), ('a3', 'EC')]
55.324007 <-- BODY: {"sub":"jbradley"}

55.324427 UserInfo: {
  "sub": "jbradley"
}

Result
FAILED

```

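The distinction the issue turns on comes from RFC 6749 section 4.1.2: when an authorization code is presented a second time the server MUST deny the request, and SHOULD revoke (when possible) the tokens previously issued on that code. In the trace above the second exchange is correctly denied with `invalid_grant`, and only the SHOULD is not honoured (the first access token still returns `{"sub":"jbradley"}` from userinfo), which is why a warning rather than a failure is the expected verdict. The following is an added example, not code from the certification suite or from the OP under test: a small in-memory model of a token endpoint plus a replay of the test flow that maps the two observations onto OK / WARNING / ERROR. The class and function names, the `single_use` and `revoke_on_reuse` switches and the client id `client-1` are assumptions made for the illustration; only the subject `jbradley`, the `invalid_grant` error and its description are taken from the trace.

```python
# Added example (not the certification suite's or the OP's own code): a toy
# authorization server modelling how single-use codes and revocation-on-reuse
# interact, and a replay of the OP-OAuth-2nd-Revokes flow that derives the
# verdict the test should report.
#
# RFC 6749 section 4.1.2: a reused authorization code MUST be denied, and the
# server SHOULD revoke tokens previously issued on that code.  A MUST
# violation rates ERROR; a SHOULD violation rates WARNING.
import secrets


class TokenError(Exception):
    """Stands in for an HTTP 400 error response from the token endpoint."""

    def __init__(self, error, description):
        super().__init__(description)
        self.error = error
        self.description = description


class AuthorizationServer:
    """Hypothetical in-memory OP. The two switches select the behaviour:
    single_use=False    -> code accepted twice (MUST violation)
    revoke_on_reuse=False -> code denied, but old tokens stay valid (SHOULD violation)
    """

    def __init__(self, single_use=True, revoke_on_reuse=True):
        self.single_use = single_use
        self.revoke_on_reuse = revoke_on_reuse
        self._codes = {}    # code -> {"client_id", "sub", "used", "tokens"}
        self._tokens = {}   # access_token -> sub

    def authorize(self, client_id, sub):
        """Issue an authorization code bound to the client and the end user."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "sub": sub,
                             "used": False, "tokens": []}
        return code

    def token(self, client_id, code):
        """Exchange a code for a bearer token, enforcing single use if enabled."""
        rec = self._codes.get(code)
        if rec is None or rec["client_id"] != client_id:
            raise TokenError("invalid_grant",
                             "Authorization code is invalid or expired.")
        if rec["used"] and self.single_use:
            if self.revoke_on_reuse:
                # SHOULD: everything issued on the first exchange is revoked.
                for tok in rec["tokens"]:
                    self._tokens.pop(tok, None)
            # MUST: the second exchange is denied (same error as in the trace).
            raise TokenError("invalid_grant",
                             "Authorization code is invalid or expired.")
        rec["used"] = True
        access_token = secrets.token_urlsafe(24)
        self._tokens[access_token] = rec["sub"]
        rec["tokens"].append(access_token)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 7200}

    def userinfo(self, access_token):
        """Return the claims for a live token, or None for a revoked/unknown one
        (the HTTP equivalent would be a 401 with error="invalid_token")."""
        sub = self._tokens.get(access_token)
        return None if sub is None else {"sub": sub}


def run_second_use_check(op, client_id="client-1", sub="jbradley"):
    """Replay the OP-OAuth-2nd-Revokes flow against `op` and return the
    verdict the test should give together with the observations behind it."""
    code = op.authorize(client_id, sub)
    first = op.token(client_id, code)          # first exchange must succeed
    try:
        op.token(client_id, code)              # second exchange with same code
        second_denied, second_error = False, None
    except TokenError as err:
        second_denied, second_error = True, err.error
    old_token_still_valid = op.userinfo(first["access_token"]) is not None

    if not second_denied:
        verdict = "ERROR"      # MUST violated: the code was accepted twice
    elif old_token_still_valid:
        verdict = "WARNING"    # SHOULD violated: earlier token not revoked
    else:
        verdict = "OK"
    return {"verdict": verdict, "second_denied": second_denied,
            "second_error": second_error,
            "old_token_still_valid": old_token_still_valid}


if __name__ == "__main__":
    # The OP in the trace behaves like the second configuration below.
    for kwargs in ({}, {"revoke_on_reuse": False}, {"single_use": False}):
        print(kwargs, run_second_use_check(AuthorizationServer(**kwargs)))
```

Running the three configurations prints OK for a server that both denies and revokes, WARNING for one that denies but leaves the first bearer token usable at userinfo (the situation in the trace above), and ERROR only when the code itself is accepted a second time.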