openid-certification / oidctest
This project forked from rohe/oidctest
THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net
License: Other
In one of the "extra" tests, https://op.certification.openid.net:60381/test_info/OP-UserInfo-Enc, the test suite aborts for incomprehensible reasons:
12.846 fault 'NoneType' object is not subscriptable
(As a matter of fact, I know I shouldn't pass the test, because my userinfo-endpoint is still delivering a non-encrypted answer, but I would expect the test to be "red" and not to abort.)
While it is clear that nonce is required for I, IT, CI and CIT, for CT this is debatable since no ID Token is returned from the authorization endpoint.
After a little digging it looks like the debate was already had in connect/issues/972.
We should enable this test for CT.
We need to gather contact information for both OP and RP testers so that we can communicate with them, when necessary.
Currently we still need a patch for the new OP to run:
https://github.com/openid-certification/oidctest/blob/master/docker/op_test/pyoidc.patch
we probably need to get rid of this in some way before switching over to the new OP.
Right now oidctest depends on fedoidc:
Installed /usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg
Processing dependencies for oidctest==0.7.0
Searching for fedoidc
Reading https://pypi.python.org/simple/fedoidc/
Couldn't find index page for 'fedoidc' (maybe misspelled?)
Scanning index of all packages (this may take a while)
Reading https://pypi.python.org/simple/
No local packages or download links found for fedoidc
error: Could not find suitable distribution for Requirement.parse('fedoidc')
So, either the oidc-certification repository needs to fork fedoidc too, or it needs to be separated out.
As we start to version the codebase and server instance, the list of registered self-certified implementations should mention against which version of the test suite certification was done.
As Hans described in e-mail, otherwise the paths won't match and tests will fail.
Per today's call, Roland said that this code is localized to only a few lines for RP tests. He is already working on this.
Separate but similar changes are also needed in the OP testing code.
Every OP test that includes sending a request object (either by reference or by value) should have two extra claims in the request object it sends (or references by sending request_uri):
iss, with the value being the client id
aud, being the OP's issuer identifier
From Core 1.0:
If signed, the Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value SHOULD be the Client ID of the RP, unless it was signed by a different party than the RP. The aud value SHOULD be or include the OP's Issuer Identifier URL.
Now I added these SHOULD validations to my OP and tests don't pass anymore. If the OP tool were including them, both OPs with and without this validation would be passing.
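The two claims described in this issue, built on the RP side and enforced on the OP side, as an added example that is not code from oidctest or from the issue author. It signs the request object with HS256 over a shared client secret purely so that it runs with the standard library alone (an OP would normally accept RS256 keys from the client's jwks_uri as well); the client id, issuer URL and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example, not from the certification suite.
CLIENT_ID = "example-client-id"
OP_ISSUER = "https://op.example.invalid"
CLIENT_SECRET = b"constructed-shared-secret-for-the-example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Compact JWS (HS256) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_request_object(client_id: str, op_issuer: str, params: dict, secret: bytes) -> str:
    """RP side: wrap the authorization request parameters in a signed request
    object that carries the two Core 1.0 claims this issue asks for."""
    claims = dict(params)
    claims["iss"] = client_id   # SHOULD be the Client ID of the RP
    claims["aud"] = op_issuer   # SHOULD be or include the OP's Issuer Identifier
    return sign_hs256(claims, secret)


def validate_request_object(jws: str, expected_client_id: str, op_issuer: str, secret: bytes) -> dict:
    """OP side: verify the signature, then enforce the iss/aud rules.
    Returns the claims on success and raises ValueError otherwise."""
    try:
        h64, p64, s64 = jws.split(".")
    except ValueError:
        raise ValueError("request object is not a compact JWS")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg %r" % header.get("alg"))
    expected_sig = hmac.new(secret, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature on request object")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != expected_client_id:
        raise ValueError("iss %r is not the client_id %r" % (claims.get("iss"), expected_client_id))
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if op_issuer not in aud_list:
        raise ValueError("aud %r does not include the OP issuer %r" % (aud, op_issuer))
    # Core 1.0 also requires a client_id inside the request object, if present,
    # to match the one sent as a plain query parameter.
    if claims.get("client_id") not in (None, expected_client_id):
        raise ValueError("client_id inside the request object does not match")
    return claims
```

An OP that enforces these checks will reject a request object that lacks `iss` or carries a different audience, which is exactly why a suite that omits the claims makes such an OP fail the request-object tests.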
See below. This is only for response_type=id_token; response_type=id_token token works for the tester. @rohe: can you tell what is off here? I do believe the tester should get some feedback in the log.
2017-08-09 10:33:13,625 oidctest.optt:INFO ent:82.74.246.215, vpath: ['OP-Response-form_post']
2017-08-09 10:33:13,627 oic.utils.keyio:DEBUG loading keys for issuer: https://203.94.95.140:9443/oauth2/token
2017-08-09 10:33:13,627 oic.utils.keyio:DEBUG pcr: {'issuer': 'https://203.94.95.140:9443/oauth2/token', 'scopes_supported': ['openid', 'address', 'email', 'phone', 'profile'], 'id_token_encryption_alg_values_supported': ['RS256'], 'response_types_supported': ['code'], 'authorization_endpoint': 'https://203.94.95.140:9443/oauth2/authorize', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic'], 'grant_types_supported': ['authorization_code', 'refresh_token'], 'jwks_uri': 'https://203.94.95.140:9443/oauth2/jwks', 'userinfo_endpoint': 'https://203.94.95.140:9443/oauth2/userinfo', 'acr_values_supported': ['urn:mace:incommon:iap:silver'], 'token_endpoint': 'https://203.94.95.140:9443/oauth2/token', 'subject_types_supported': ['public'], 'id_token_signing_alg_values_supported': ['RS256']}
2017-08-09 10:33:13,627 oidctest.session:INFO session_setup
2017-08-09 10:33:13,627 otest.aus.tool:INFO <=<=<=<=< OP-Response-form_post >=>=>=>=>
2017-08-09 10:33:13,627 otest.aus.tool:INFO <--<-- 0 --- Webfinger -->-->
2017-08-09 10:33:13,628 otest.aus.tool:INFO <--<-- 1 --- Discovery -->-->
2017-08-09 10:33:13,628 otest.aus.tool:INFO <--<-- 2 --- Registration -->-->
2017-08-09 10:33:13,628 otest.aus.tool:INFO <--<-- 3 --- AsyncAuthn -->-->
2017-08-09 10:33:13,629 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:10:33:13] "GET /OP-Response-form_post HTTP/1.1" 303 606 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 10:33:16,846 otest.aus.tool:INFO <--<-- 3 --- <class 'oidctest.op.oper.AsyncAuthn'>
2017-08-09 10:33:16,847 otest.aus.request:INFO Response: {'access_token': 'c57bfe2e-3612-32f1-80e5-2d28af0a0ddc', 'token_type': 'Bearer', 'expires_in': '3600', 'session_state': '389ff09d0114eef523f0d8b8a951eda0477d03e8a8bfd6fdef5afc8fc1cea39d.fE70k7HkHOqDpsw62-ycxw', 'state': 'jcyW6iK35WeZNL71', 'id_token': 'eyJ4NXQiOiJNalEwTXpNNU5qbGhOVEJtWmpsaU5EWmpNRFEyTlRRM01EUXhaVEJqWm1ZNU1ERmlNekUyTkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiT3UwSHFCZUNjOURSamh0SE8zWWtGZyIsInN1YiI6Ikhhc2luaSBEaWxhbmthIFdpdGhhcmFuYSIsImF1ZCI6WyI4Q0lNRHRpZE9VQ3hWZ3hoUW9IU1VPRXpPVjRhIl0sImF6cCI6IjhDSU1EdGlkT1VDeFZneGhRb0hTVU9Fek9WNGEiLCJhdXRoX3RpbWUiOjE1MDIyODkxOTMsImlzcyI6Imh0dHBzOlwvXC8yMDMuOTQuOTUuMTQwOjk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE1MDIyOTI3OTYsIm5vbmNlIjoiVUM3OHBGRnF6VU9aR1J2TCIsImlhdCI6MTUwMjI4OTE5Nn0.ij_CVIsKiQlCpsMDeimg9S34goKFnWPdxBAOsKEEi3ZzsqL3HKadBrDNdQUCSr2oZR11gKSdE0I24dASln2n09e_FP7HpoR6pJmfm8-RarBd5teqG-HMGqMTKNC3agX4rmBLtrWUPz-sGRsRz9kkrt8CaAMoahSwE0eASqRKD4zoKPiuDhd9zOfzUsswXqWtdMYSf7V-CuC9sUfOOoCRHHKS5jfrWGVmqLYrFZCtjxriL7rcmunNxbOZskvFmQO1uTxdMG6JIpwv6yKuA4lLYMq1YADRcTc3ho6Hd2VnDWZylThq8kFNhbCu3WPMsexU4d77rEaZJF6GGkYGK6w6fw'}
2017-08-09 10:33:16,847 oic.oauth2:DEBUG Initial response parsing => "{'access_token': '<REDACTED>', 'token_type': 'Bearer', 'expires_in': '3600', 'session_state': '389ff09d0114eef523f0d8b8a951eda0477d03e8a8bfd6fdef5afc8fc1cea39d.fE70k7HkHOqDpsw62-ycxw', 'state': 'jcyW6iK35WeZNL71', 'id_token': 'eyJ4NXQiOiJNalEwTXpNNU5qbGhOVEJtWmpsaU5EWmpNRFEyTlRRM01EUXhaVEJqWm1ZNU1ERmlNekUyTkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiT3UwSHFCZUNjOURSamh0SE8zWWtGZyIsInN1YiI6Ikhhc2luaSBEaWxhbmthIFdpdGhhcmFuYSIsImF1ZCI6WyI4Q0lNRHRpZE9VQ3hWZ3hoUW9IU1VPRXpPVjRhIl0sImF6cCI6IjhDSU1EdGlkT1VDeFZneGhRb0hTVU9Fek9WNGEiLCJhdXRoX3RpbWUiOjE1MDIyODkxOTMsImlzcyI6Imh0dHBzOlwvXC8yMDMuOTQuOTUuMTQwOjk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE1MDIyOTI3OTYsIm5vbmNlIjoiVUM3OHBGRnF6VU9aR1J2TCIsImlhdCI6MTUwMjI4OTE5Nn0.ij_CVIsKiQlCpsMDeimg9S34goKFnWPdxBAOsKEEi3ZzsqL3HKadBrDNdQUCSr2oZR11gKSdE0I24dASln2n09e_FP7HpoR6pJmfm8-RarBd5teqG-HMGqMTKNC3agX4rmBLtrWUPz-sGRsRz9kkrt8CaAMoahSwE0eASqRKD4zoKPiuDhd9zOfzUsswXqWtdMYSf7V-CuC9sUfOOoCRHHKS5jfrWGVmqLYrFZCtjxriL7rcmunNxbOZskvFmQO1uTxdMG6JIpwv6yKuA4lLYMq1YADRcTc3ho6Hd2VnDWZylThq8kFNhbCu3WPMsexU4d77rEaZJF6GGkYGK6w6fw'}"
2017-08-09 10:33:16,847 oic.oauth2:DEBUG Verify response with {'client_id': '8CIMDtidOUCxVgxhQoHSUOEzOV4a', 'iss': 'https://203.94.95.140:9443/oauth2/token', 'keyjar': <KeyJar(issuers=['', 'https://203.94.95.140:9443/oauth2/token'])>}
2017-08-09 10:33:16,848 oic.oauth2.message:DEBUG Raw JSON: {'aud': ['8CIMDtidOUCxVgxhQoHSUOEzOV4a'], 'at_hash': 'Ou0HqBeCc9DRjhtHO3YkFg', 'auth_time': 1502289193, 'exp': 1502292796, 'nonce': 'UC78pFFqzUOZGRvL', 'azp': '8CIMDtidOUCxVgxhQoHSUOEzOV4a', 'iss': 'https://203.94.95.140:9443/oauth2/token', 'iat': 1502289196, 'sub': 'Hasini Dilanka Witharana'}
2017-08-09 10:33:16,848 oic.oauth2.message:DEBUG JWS header: {'alg': 'RS256', 'kid': 'd0ec514a32b6f88c0abd12a2840699bdd3deba9d', 'x5t': 'MjQ0MzM5NjlhNTBmZjliNDZjMDQ2NTQ3MDQxZTBjZmY5MDFiMzE2NA'}
2017-08-09 10:33:16,848 root:DEBUG KeyBundle fetch keys from: https://203.94.95.140:9443/oauth2/jwks
2017-08-09 10:33:16,850 requests.packages.urllib3.connectionpool:INFO Starting new HTTPS connection (1): 203.94.95.140
2017-08-09 10:33:17,863 requests.packages.urllib3.connectionpool:DEBUG "GET /oauth2/jwks HTTP/1.1" 200 460
2017-08-09 10:33:17,864 oic.utils.keyio:DEBUG Loaded JWKS: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"d0ec514a32b6f88c0abd12a2840699bdd3deba9d","alg":"RS256","n":"ALvJXywkFdoW4s_DhgPG2iiNRNXIBP0Cynn2uDndhtinsbWgMEhEq-SAmpFV_MOrVOfiISmEECrfVN_1NGnvbV39OIOolodHUZZbK_ZjoI0mcUCtPf8oFLBR_LMi-Wg94XkVGMyVmfyjrHeewV7iNkGZ7hIzdINPuYzb57MH8A_7TNNbaLWiaSN8TftiWbGgUQnNBucgP6XVvNwGuCBN9BC-e8JCu7vGA5d1E3Jovhzu-F0JitVRKkpwPv5haNzNenEZZtj02dmdROYHeI_ubFdT-b-t7qshZ4hFNMz136KwW9OqYEgaCEUAYp7Ukg8hJsrlc1tKXNnmAuQ4X4JN9-0"}]} from https://203.94.95.140:9443/oauth2/jwks
2017-08-09 10:33:17,864 oic.utils.keyio:DEBUG Loaded JWKS: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"d0ec514a32b6f88c0abd12a2840699bdd3deba9d","alg":"RS256","n":"ALvJXywkFdoW4s_DhgPG2iiNRNXIBP0Cynn2uDndhtinsbWgMEhEq-SAmpFV_MOrVOfiISmEECrfVN_1NGnvbV39OIOolodHUZZbK_ZjoI0mcUCtPf8oFLBR_LMi-Wg94XkVGMyVmfyjrHeewV7iNkGZ7hIzdINPuYzb57MH8A_7TNNbaLWiaSN8TftiWbGgUQnNBucgP6XVvNwGuCBN9BC-e8JCu7vGA5d1E3Jovhzu-F0JitVRKkpwPv5haNzNenEZZtj02dmdROYHeI_ubFdT-b-t7qshZ4hFNMz136KwW9OqYEgaCEUAYp7Ukg8hJsrlc1tKXNnmAuQ4X4JN9-0"}]} from https://203.94.95.140:9443/oauth2/jwks
2017-08-09 10:33:17,865 oic.oauth2.message:DEBUG Key set summary for https://203.94.95.140:9443/oauth2/token: RSA:sig:d0ec514a32b6f88c0abd12a2840699bdd3deba9d
2017-08-09 10:33:17,865 oic.utils.keyio:DEBUG Issuer '8CIMDtidOUCxVgxhQoHSUOEzOV4a' not found, available key issuers: ['', 'https://203.94.95.140:9443/oauth2/token']
2017-08-09 10:33:17,865 oic.oauth2.message:DEBUG Key set summary for 8CIMDtidOUCxVgxhQoHSUOEzOV4a:
2017-08-09 10:33:17,865 oic.oauth2.message:DEBUG Found signing key.
2017-08-09 10:33:17,865 jwkest.jws:DEBUG Picking key by key type=RSA
2017-08-09 10:33:17,866 jwkest.jws:DEBUG Picking key based on alg=RS256, kid=d0ec514a32b6f88c0abd12a2840699bdd3deba9d and use=
2017-08-09 10:33:17,866 jwkest.jws:DEBUG Picked: kid:G91Zi19W7Lwa0rGu570gwP_rWfJTBUaWsghWEVEvdVs, use:sig, kty:RSA
2017-08-09 10:33:17,866 jwkest.jws:DEBUG Picked: kid:d0ec514a32b6f88c0abd12a2840699bdd3deba9d, use:sig, kty:RSA
2017-08-09 10:33:17,867 jwkest.jws:DEBUG Verified message using key with kid=d0ec514a32b6f88c0abd12a2840699bdd3deba9d
2017-08-09 10:33:17,867 otest.aus.request:INFO Parsed response: {'access_token': 'c57bfe2e-3612-32f1-80e5-2d28af0a0ddc', 'token_type': 'Bearer', 'expires_in': '3600', 'session_state': '389ff09d0114eef523f0d8b8a951eda0477d03e8a8bfd6fdef5afc8fc1cea39d.fE70k7HkHOqDpsw62-ycxw', 'state': 'jcyW6iK35WeZNL71', 'id_token': {'sub': 'Hasini Dilanka Witharana', 'aud': ['8CIMDtidOUCxVgxhQoHSUOEzOV4a'], 'auth_time': 1502289193, 'iat': 1502289196, 'iss': 'https://203.94.95.140:9443/oauth2/token', 'nonce': 'UC78pFFqzUOZGRvL', 'at_hash': 'Ou0HqBeCc9DRjhtHO3YkFg', 'exp': 1502292796, 'azp': '8CIMDtidOUCxVgxhQoHSUOEzOV4a'}}
2017-08-09 10:33:17,867 otest.aus.tool:INFO <=<=<=<=< OP-Response-form_post >=>=>=>=>
2017-08-09 10:33:17,868 otest.aus.tool:INFO <--<-- 4 --- Done -->-->
2017-08-09 10:33:17,868 otest.verify:DEBUG do_check(verify-authn-response, {})
2017-08-09 10:33:17,870 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:10:33:17] "POST /authz_cb HTTP/1.1" 303 162 "https://203.94.95.140:9443/oauth2/authorize" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 10:33:18,050 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:10:33:18] "GET /display HTTP/1.1" 200 17086 "https://203.94.95.140:9443/oauth2/authorize" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 10:35:13,729 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:10:35:13] "GET /display HTTP/1.1" 200 17086 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:16:23,199 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /display HTTP/1.1" 200 17086 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:23,422 oidctest.optt:INFO ent:91.52.58.60, vpath: ['static', 'bootstrap', 'css', 'bootstrap.min.css']
2017-08-09 11:16:23,422 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:16:23] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/css/bootstrap.min.css' to fulfill '/static/bootstrap/css/bootstrap.min.css'
2017-08-09 11:16:23,423 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /static/bootstrap/css/bootstrap.min.css HTTP/1.1" 200 121200 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:23,643 oidctest.optt:INFO ent:91.52.58.60, vpath: ['static', 'theme.css']
2017-08-09 11:16:23,644 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:16:23] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/theme.css' to fulfill '/static/theme.css'
2017-08-09 11:16:23,644 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /static/theme.css HTTP/1.1" 200 11 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:23,761 oidctest.optt:INFO ent:91.52.58.60, vpath: ['static', 'bootstrap', 'js', 'bootstrap.min.js']
2017-08-09 11:16:23,761 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:16:23] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/js/bootstrap.min.js' to fulfill '/static/bootstrap/js/bootstrap.min.js'
2017-08-09 11:16:23,762 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /static/bootstrap/js/bootstrap.min.js HTTP/1.1" 200 37045 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:23,762 oidctest.optt:INFO ent:91.52.58.60, vpath: ['static', 'logo.png']
2017-08-09 11:16:23,763 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:16:23] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/logo.png' to fulfill '/static/logo.png'
2017-08-09 11:16:23,763 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /static/logo.png HTTP/1.1" 200 8530 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:23,878 oidctest.optt:INFO ent:91.52.58.60, vpath: ['static', 'bootstrap', 'fonts', 'glyphicons-halflings-regular.woff2']
2017-08-09 11:16:23,879 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:16:23] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/fonts/glyphicons-halflings-regular.woff2' to fulfill '/static/bootstrap/fonts/glyphicons-halflings-regular.woff2'
2017-08-09 11:16:23,879 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /static/bootstrap/fonts/glyphicons-halflings-regular.woff2 HTTP/1.1" 200 18028 "https://op.certification.openid.net:60024/static/bootstrap/css/bootstrap.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:24,051 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:24] "GET /favicon.ico HTTP/1.1" 200 1406 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:26,606 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:26] "GET /test_info/OP-Response-form_post HTTP/1.1" 200 9678 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:44:23,988 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:44:23] "GET /display HTTP/1.1" 200 17086 "" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-A520F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
2017-08-09 11:44:24,559 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'bootstrap', 'css', 'bootstrap.min.css']
2017-08-09 11:44:24,560 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:44:24] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/css/bootstrap.min.css' to fulfill '/static/bootstrap/css/bootstrap.min.css'
2017-08-09 11:44:24,561 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:44:24] "GET /static/bootstrap/css/bootstrap.min.css HTTP/1.1" 200 121200 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-A520F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
2017-08-09 11:44:24,827 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'theme.css']
2017-08-09 11:44:24,827 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:44:24] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/theme.css' to fulfill '/static/theme.css'
2017-08-09 11:44:24,828 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:44:24] "GET /static/theme.css HTTP/1.1" 200 11 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-A520F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
2017-08-09 11:44:25,098 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'bootstrap', 'js', 'bootstrap.min.js']
2017-08-09 11:44:25,098 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:44:25] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/js/bootstrap.min.js' to fulfill '/static/bootstrap/js/bootstrap.min.js'
2017-08-09 11:44:25,099 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:44:25] "GET /static/bootstrap/js/bootstrap.min.js HTTP/1.1" 200 37045 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-A520F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
2017-08-09 11:44:25,104 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'logo.png']
2017-08-09 11:44:25,104 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:44:25] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/logo.png' to fulfill '/static/logo.png'
2017-08-09 11:44:25,105 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:44:25] "GET /static/logo.png HTTP/1.1" 200 8530 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-A520F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
2017-08-09 11:51:27,729 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:27] "GET /display HTTP/1.1" 200 17086 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:28,252 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'bootstrap', 'css', 'bootstrap.min.css']
2017-08-09 11:51:28,253 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:51:28] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/css/bootstrap.min.css' to fulfill '/static/bootstrap/css/bootstrap.min.css'
2017-08-09 11:51:28,253 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:28] "GET /static/bootstrap/css/bootstrap.min.css HTTP/1.1" 200 121200 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:28,258 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'theme.css']
2017-08-09 11:51:28,258 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:51:28] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/theme.css' to fulfill '/static/theme.css'
2017-08-09 11:51:28,259 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:28] "GET /static/theme.css HTTP/1.1" 200 11 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:28,519 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'bootstrap', 'js', 'bootstrap.min.js']
2017-08-09 11:51:28,520 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:51:28] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/js/bootstrap.min.js' to fulfill '/static/bootstrap/js/bootstrap.min.js'
2017-08-09 11:51:28,521 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:28] "GET /static/bootstrap/js/bootstrap.min.js HTTP/1.1" 200 37045 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:29,033 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'logo.png']
2017-08-09 11:51:29,033 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:51:29] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/logo.png' to fulfill '/static/logo.png'
2017-08-09 11:51:29,034 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:29] "GET /static/logo.png HTTP/1.1" 200 8530 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:29,082 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'bootstrap', 'fonts', 'glyphicons-halflings-regular.woff2']
2017-08-09 11:51:29,083 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:51:29] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/fonts/glyphicons-halflings-regular.woff2' to fulfill '/static/bootstrap/fonts/glyphicons-halflings-regular.woff2'
2017-08-09 11:51:29,083 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:29] "GET /static/bootstrap/fonts/glyphicons-halflings-regular.woff2 HTTP/1.1" 200 18028 "https://op.certification.openid.net:60024/static/bootstrap/css/bootstrap.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:29,701 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:29] "GET /favicon.ico HTTP/1.1" 200 1406 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:58:46,939 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:58:46] "GET /display HTTP/1.1" 200 17086 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:58:52,522 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:58:52] "GET /pedit HTTP/1.1" 200 3424 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:58:55,751 oidctest.tt.rest:INFO Read config: iss="https://203.94.95.140:9443/oauth2/token", tag="OIDC_BASIC"
2017-08-09 11:58:55,751 oidctest.tt.rest:INFO Store config: iss="https://203.94.95.140:9443/oauth2/token", tag="OIDC_BASIC", info={'provider_info': {'issuer': 'https://203.94.95.140:9443/oauth2/token', 'scopes_supported': ['openid', 'address', 'email', 'phone', 'profile'], 'id_token_encryption_alg_values_supported': ['RS256'], 'response_types_supported': ['code'], 'authorization_endpoint': 'https://203.94.95.140:9443/oauth2/authorize', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic'], 'grant_types_supported': ['authorization_code', 'refresh_token'], 'jwks_uri': 'https://203.94.95.140:9443/oauth2/jwks', 'userinfo_endpoint': 'https://203.94.95.140:9443/oauth2/userinfo', 'acr_values_supported': ['urn:mace:incommon:iap:silver'], 'token_endpoint': 'https://203.94.95.140:9443/oauth2/token', 'subject_types_supported': ['public'], 'id_token_signing_alg_values_supported': ['RS256']}, 'tool': {'profile': 'I.F.F.F', 'tag': 'OIDC_BASIC', 'issuer': 'https://203.94.95.140:9443/oauth2/token', 'insecure': True}, 'registration_response': {'client_secret': 'GmgjpPfv6t7OjVCZczZPe6Lz2JUa', 'id_token_encrypted_response_alg': 'RS256', 'id_token_signed_response_alg': 'RS256', 'redirect_uris': ['https://op.certification.openid.net:60024/authz_cb'], 'client_id': '8CIMDtidOUCxVgxhQoHSUOEzOV4a'}}
2017-08-09 11:58:55,751 oidctest.tt.rest:INFO Write configuration file: entities/https%3A%2F%2F203.94.95.140%3A9443%2Foauth2%2Ftoken/OIDC_BASIC
2017-08-09 11:58:55,764 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:58:55] "POST /profile HTTP/1.1" 201 14222 "https://op.certification.openid.net:60024/pedit" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:59:00,926 oidctest.optt:INFO ent:82.74.246.215, vpath: ['OP-Response-form_post']
2017-08-09 11:59:00,928 oic.utils.keyio:DEBUG loading keys for issuer: https://203.94.95.140:9443/oauth2/token
2017-08-09 11:59:00,928 oic.utils.keyio:DEBUG pcr: {'issuer': 'https://203.94.95.140:9443/oauth2/token', 'scopes_supported': ['openid', 'address', 'email', 'phone', 'profile'], 'id_token_encryption_alg_values_supported': ['RS256'], 'response_types_supported': ['code'], 'authorization_endpoint': 'https://203.94.95.140:9443/oauth2/authorize', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic'], 'grant_types_supported': ['authorization_code', 'refresh_token'], 'jwks_uri': 'https://203.94.95.140:9443/oauth2/jwks', 'userinfo_endpoint': 'https://203.94.95.140:9443/oauth2/userinfo', 'acr_values_supported': ['urn:mace:incommon:iap:silver'], 'token_endpoint': 'https://203.94.95.140:9443/oauth2/token', 'subject_types_supported': ['public'], 'id_token_signing_alg_values_supported': ['RS256']}
2017-08-09 11:59:00,928 oidctest.session:INFO session_setup
2017-08-09 11:59:00,929 otest.aus.tool:INFO <=<=<=<=< OP-Response-form_post >=>=>=>=>
2017-08-09 11:59:00,929 otest.aus.tool:INFO <--<-- 0 --- Webfinger -->-->
2017-08-09 11:59:00,929 otest.aus.tool:INFO <--<-- 1 --- Discovery -->-->
2017-08-09 11:59:00,929 otest.aus.tool:INFO <--<-- 2 --- Registration -->-->
2017-08-09 11:59:00,930 otest.aus.tool:INFO <--<-- 3 --- AsyncAuthn -->-->
2017-08-09 11:59:00,931 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:59:00] "GET /OP-Response-form_post HTTP/1.1" 303 594 "https://op.certification.openid.net:60024/profile" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:59:10,207 otest.aus.tool:INFO <--<-- 3 --- <class 'oidctest.op.oper.AsyncAuthn'>
2017-08-09 11:59:10,207 otest.aus.request:INFO Response: {}
2017-08-09 11:59:10,207 oic.oauth2:DEBUG Initial response parsing => "{}"
2017-08-09 11:59:10,207 oic.oauth2:ERROR Missing or faulty response
2017-08-09 11:59:10,208 otest.handling:ERROR [run_sequence] ExcList: Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/aus/request.py", line 322, in parse_response
keyjar=_conv.entity.keyjar # , algs=algs
File "/usr/local/lib/python3.5/dist-packages/oic-0.10.0.0-py3.5.egg/oic/oauth2/__init__.py", line 581, in parse_response
raise ResponseError("Missing or faulty response")
oic.oauth2.exception.ResponseError: Missing or faulty response
2017-08-09 11:59:10,208 otest.handling:ERROR [run_sequence] Exception: Missing or faulty response
2017-08-09 11:59:10,211 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:59:10] "GET /authz_cb HTTP/1.1" 200 14222 "https://203.94.95.140:9443/authenticationendpoint/oauth2_consent.do?loggedInUser=Hasini+Dilanka+Witharana&application=oidc_test&scope=openid&sessionDataKeyConsent=f9ee3db0-62e1-4be6-b9e5-09b4a5bfb932&spQueryParams=state%3DWP20Ou6H43VC7zX5%26redirect_uri%3Dhttps%253A%252F%252Fop.certification.openid.net%253A60024%252Fauthz_cb%26client_id%3D8CIMDtidOUCxVgxhQoHSUOEzOV4a%26response_type%3Did_token%26nonce%3DrUaX2l3RoHz9Zifq%26response_mode%3Dform_post%26scope%3Dopenid" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
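An added example, not code from oidctest or from any of the posters, that covers two points on this page: the nonce rule discussed in the CT issue above (nonce is required exactly when the authorization endpoint itself returns an ID Token) and the empty response in the log just above, which the suite reports only as "Missing or faulty response". The checker reads the response from wherever the response_mode places it, lists every parameter the response_type requires but the response lacks, and enforces the nonce only for response types that return an ID Token. The sample token, its placeholder signature segment and all names are constructed for this example.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit


def nonce_required(response_type: str) -> bool:
    """Core 1.0 makes nonce REQUIRED whenever the authorization endpoint returns
    an ID Token, i.e. for I, IT, CI and CIT. For C and CT the ID Token is only
    issued by the token endpoint, where nonce is OPTIONAL."""
    return "id_token" in response_type.split()


def expected_params(response_type: str) -> set:
    """Parameters a successful authorization response must carry for this response_type."""
    parts = set(response_type.split())
    wanted = set()
    if "code" in parts:
        wanted.add("code")
    if "token" in parts:
        wanted.update({"access_token", "token_type"})
    if "id_token" in parts:
        wanted.add("id_token")
    return wanted


def parse_authz_response(response_mode: str, raw: str) -> dict:
    """Pull the parameters from where the response_mode puts them:
    form_post -> the urlencoded POST body, fragment/query -> the redirect URL."""
    if response_mode == "form_post":
        encoded = raw
    elif response_mode == "fragment":
        encoded = urlsplit(raw).fragment
    elif response_mode == "query":
        encoded = urlsplit(raw).query
    else:
        raise ValueError("unknown response_mode %r" % response_mode)
    return {k: v[0] for k, v in parse_qs(encoded, keep_blank_values=True).items()}


def unverified_payload(jwt: str) -> dict:
    """Decode the JWT payload only. Signature verification against the OP's JWKS
    is a separate step (the log above shows the suite doing it) and is
    deliberately not done here; this checker is about the response's shape."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_authz_response(response_type, response_mode, raw, expected_state, expected_nonce):
    """Return a list of human-readable problems; an empty list means the response is well-formed."""
    params = parse_authz_response(response_mode, raw)
    problems = []
    if not params:
        problems.append("empty response (no parameters found via response_mode=%s)" % response_mode)
        return problems
    if "error" in params:
        problems.append("error response: %s" % params["error"])
        return problems
    for name in sorted(expected_params(response_type) - set(params)):
        problems.append("missing parameter %r for response_type=%r" % (name, response_type))
    if params.get("state") != expected_state:
        problems.append("state mismatch")
    if "id_token" in params:
        claims = unverified_payload(params["id_token"])
        if nonce_required(response_type) and claims.get("nonce") != expected_nonce:
            problems.append("nonce missing or mismatched in ID Token")
    return problems


def sample_jwt(claims: dict) -> str:
    """Constructed ID Token for the example: real header and payload segments,
    but a placeholder signature segment (unverified_payload never reads it)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode("ascii")
    return seg({"alg": "RS256", "kid": "example-kid"}) + "." + seg(claims) + ".placeholder-signature"
```

Run against the situation in the log (response_type=id_token, response_mode=form_post, empty body) this returns a single line naming the empty response and the response_mode that was expected to carry it, which is the feedback the tester asks for.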
From: Jaromir Talir [mailto:[email protected]]
Sent: Thursday, May 25, 2017 9:16 AM
To: Mike Jones [email protected]
Cc: 'Roland Hedberg' [email protected]; Hans Zandbelt [email protected]
Subject: Re: Testing https://new-op.certification.openid.net:60000/
...
When I test using the public test server for id_token token, the at_hash value in the id_token does not match the at hash calculated from the access_token.
TestData:
https://rp.certification.openid.net:8080/damienbod.id_token_token/rp-response_typeid_token+token
access_token
0ezwGz8LfaBpqjYineXUep6Aszx2GHplBoo%2BdaCzk1KLvMylFMe0SJ%2B7wgWg05GSU2CYeTJdsf%2Bo%2BhxRvJEadrrMveqyS7WvhDsqhtGFANUMl%2Fw%2Fvq4yEGmKsZx2uSvRVahFI3OtXEvRs5Jk%2B017IQ%3D%3D
id_token
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFUMzNNc2tCdjF5b0poZU5Ia0xtVTBfa25WZjliS1lVVkVMSm9ITzZ1TjgifQ.eyJzdWIiOiAiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsICJhY3IiOiAiUEFTU1dPUkQiLCAiYXVkIjogWyJ6OUM5bFhNTTlOb3AiXSwgImF0X2hhc2giOiAiZDV1UU1GdE5LMjNRekJnREQ5UkFLQSIsICJub25jZSI6ICJOMC43MTk0ODkzNTE2OTYxMjQzMTQ5Nzg2NzkwODc3NCIsICJpc3MiOiAiaHR0cHM6Ly9ycC5jZXJ0aWZpY2F0aW9uLm9wZW5pZC5uZXQ6ODA4MC9kYW1pZW5ib2QuaWRfdG9rZW4tdG9rZW4vcnAtc2NvcGUtdXNlcmluZm8tY2xhaW1zIiwgImV4cCI6IDE0OTc5NTQzMDgsICJhdXRoX3RpbWUiOiAxNDk3ODY3OTA4LCAiaWF0IjogMTQ5Nzg2NzkwOH0.TX46J6AzZT2on7A2F2DOLc5-ERP5CiPh5TYR4sutclGJmEJggnD1J6CUJaaOT1uYtWfTn3hIehneBJsgwFNTcf7E7Hh94pt0l67IsahlnLuqSVxykKsocPpyiCgoieRlypNo9Xy0UbZKf_IHL7jW2xW7V0MMZ4p2GHAgX22yDg3aMZJ-XPV7VHopG_Afbrri47pLEvSfqhMyLZtgHEZAYaF1O66zFq1-9x06pDAb5lWlPMsTjewK5_RPSdDzXl0OPftCawGm4n_Cv8WZzmv5ZqcJH07aZkJHZkvrSA8twkkxoPsbwdwC_gi2D2eZAx8_egIFqgKYU0xUxzT9_JrF8Q
{
"alg": "RS256",
"kid": "aT33MskBv1yoJheNHkLmU0_knVf9bKYUVELJoHO6uN8"
}
"at_hash": "d5uQMFtNK23QzBgDD9RAKA",
access_token data hash : NAynNl-G8Gmg9OltA0f55A
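The at_hash computation from Core 1.0 (hash the ASCII octets of the access token with the hash function matching the ID Token's JWS alg, keep the left-most half of the digest, base64url-encode without padding), as an added example that is not code from oidctest or from the report author. It also hashes the token both exactly as received and after percent-decoding, because the two forms are different byte strings and give different at_hash values, so a reporter and an issuer that disagree on which form is hashed will never match. The access token and at_hash constants are the ones quoted in the report above; everything else is constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# Quoted from the test data in the report above.
REPORTED_ACCESS_TOKEN = "0ezwGz8LfaBpqjYineXUep6Aszx2GHplBoo%2BdaCzk1KLvMylFMe0SJ%2B7wgWg05GSU2CYeTJdsf%2Bo%2BhxRvJEadrrMveqyS7WvhDsqhtGFANUMl%2Fw%2Fvq4yEGmKsZx2uSvRVahFI3OtXEvRs5Jk%2B017IQ%3D%3D"
REPORTED_AT_HASH = "d5uQMFtNK23QzBgDD9RAKA"

# The hash function follows the ID Token's alg: xS256 -> SHA-256, xS384 -> SHA-384, xS512 -> SHA-512.
_HASH_FOR_BITS = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def at_hash(access_token: str, id_token_alg: str = "RS256") -> str:
    """Core 1.0 at_hash: left-most half of the digest, base64url without padding."""
    bits = id_token_alg[-3:]
    if bits not in _HASH_FOR_BITS:
        raise ValueError("unsupported ID Token alg %r" % id_token_alg)
    digest = _HASH_FOR_BITS[bits](access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def at_hash_matches(access_token: str, claimed_at_hash: str, id_token_alg: str = "RS256") -> bool:
    """RP-side check of the at_hash claim against the access token it received."""
    return hmac.compare_digest(at_hash(access_token, id_token_alg), claimed_at_hash)


def candidate_at_hashes(access_token_as_received: str, id_token_alg: str = "RS256") -> dict:
    """at_hash over the token as received and over its percent-decoded form,
    so a mismatch caused by the two sides hashing different bytes shows up at once."""
    decoded = unquote(access_token_as_received)
    return {
        "as_received": at_hash(access_token_as_received, id_token_alg),
        "percent_decoded": at_hash(decoded, id_token_alg),
    }


if __name__ == "__main__":
    for form, value in candidate_at_hashes(REPORTED_ACCESS_TOKEN).items():
        verdict = "matches" if value == REPORTED_AT_HASH else "does not match"
        print("%-16s %s  %s the reported at_hash" % (form, value, verdict))
```

Running the module prints both candidate values next to the at_hash quoted in the report; if neither matches, the issuer hashed yet another byte string (or used a different hash length), which narrows the search considerably.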
If you download the tar file from https://rp.certification.openid.net:8080/log/mod_auth_openidc, you'll get a file of the name "of_auth_openidc.tar.gz". Note that the "m" in "mod" was truncated.
Also, we agreed not to gzip the tar files, since some machines won't have gzip on them.
As per Mike's e-mail about this:
log for OP-Req-NotUnderstood. It contains this AuthorizationRequest data:
{
"ERROR": {
"extra": "foobar"
},
"client_id": "proxy_client_id",
"nonce": "gwvPr0raez4ctW2S",
"redirect_uri": "https://new-op.certification.openid.net:60019/authz_cb",
"response_type": "code",
"scope": "openid",
"state": "ijMZqGqBZuZpYoKA"
}
I don't understand the "ERROR": {"extra": "foobar"} part because including a not-understood request parameter isn't an error. It's something that's legal to do. The current log format makes it look like something is wrong, when it isn't.
I only caught this because I grep for ERR in the logs when I review submissions. This confused me so I suspect that it would confuse testers too.
From: Jaromir Talir [mailto:[email protected]]
Sent: Thursday, May 25, 2017 9:16 AM
To: Mike Jones [email protected]
Cc: 'Roland Hedberg' [email protected]; Hans Zandbelt [email protected]
Subject: Re: Testing https://new-op.certification.openid.net:60000/
...
The new-op seems to have an issue with logfile download; it also shows weird issuer names that have been prefixed with "s_", see:
https://new-op.certification.openid.net:60016/log
Which may be the reason for not being able to find the log directory.
Trying to download a log archive results in http 500.
On my docker instance I can reproduce this and the following error shows:
127.0.0.1 - - [10/Jun/2017:02:48:12] "GET /log/s_zmartzone.eu/id_token/I.F.T.F HTTP/1.1" 200 466 "https://localhost:60003/log/s_zmartzone.eu/id_token" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
[10/Jun/2017:02:48:14] HTTP
Traceback (most recent call last):
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cprequest.py", line 670, in respond
response.body = self.handler()
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/lib/encoding.py", line 220, in __call__
self.body = self.oldhandler(*args, **kwargs)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cpdispatch.py", line 60, in __call__
return self.callable(*self.args, **self.kwargs)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/cp/log_handler.py", line 264, in index
return self.create_rp_tar_archive(op_id, tag, profile)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/cp/log_handler.py", line 300, in create_rp_tar_archive
raise cherrypy.HTTPError(400, b'No such directory')
cherrypy._cperror.HTTPError: (400, b'No such directory')
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cprequest.py", line 678, in respond
inst.set_response()
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cperror.py", line 405, in set_response
message=self._message)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cperror.py", line 411, in get_error_page
return get_error_page(*args, **kwargs)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cperror.py", line 505, in get_error_page
kwargs[k] = escape_html(kwargs[k])
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cpcompat.py", line 350, in escape_html
return escape(s, quote=escape_quote)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/html/__init__.py", line 19, in escape
s = s.replace("&", "&amp;") # Must be done first!
TypeError: a bytes-like object is required, not 'str'
127.0.0.1 - - [10/Jun/2017:02:48:14] "GET /mktar/s_zmartzone.eu/id_token/I.F.T.F HTTP/1.1" 500 823 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
My server at
https://auth.freedom-id.de/.well-known/openid-configuration
clearly states that the only scope supported is "openid". However, the scope test cases, take OP-Scope-All for instance (https://op.certification.openid.net:60381/test_info/OP-scope-All), complain with the following warning
WARNING
Warnings:
No support for: scopes_supported=['profile', 'email', 'address',
'phone']
My server processes the request without returning an error and doesn't return the claim, which should be OK. So I believe the test result should still be "Passed" without any warnings.
using @panva's https://github.com/panva/oidc-provider-conformance-tests/tree/new-op, probably using https://github.com/panva/node-oidc-provider as the OP
As far as I know there's no obligation - and in fact it does not make sense - to return an id_token in a refresh_token flow. It seems the OP test suite expects one and fails if there isn't one returned from the token endpoint:
2017-04-21 14:51:31,345 otest.aus.tool:ERROR [RefreshToken] ExcList: Traceback (most recent call last):
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/otest-0.7.0-py3.6.egg/otest/aus/tool.py", line 86, in run_flow
resp = _oper()
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/otest-0.7.0-py3.6.egg/otest/operation.py", line 103, in __call__
res = self.run(*args, **kwargs)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/op/oper.py", line 266, in run
self.catch_exception_and_error(self._run)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/otest-0.7.0-py3.6.egg/otest/operation.py", line 151, in catch_exception_and_error
res = func(**kwargs)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/op/oper.py", line 307, in _run
if not same_issuer(self.conv.info["issuer"], atr["id_token"]["iss"]):
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oic-0.10.0.0-py3.6.egg/oic/oauth2/message.py", line 730, in __getitem__
return self._dict[item]
KeyError: 'id_token'
The culprit seems to be in:
https://github.com/openid-certification/oidctest/blob/master/src/oidctest/op/oper.py#L307
The test output:
33.528 http response
url:https://<host>/as/token.oauth2 status_code:200
33.528 response {'access_token': 'ocNeja7rkhDuPz69WhffzmKJ0Xyp', 'refresh_token': '9UhEJSleDbnMFXXHZlV1OwoXuxjaHUw2VJiB6tuJXH', 'token_type': 'Bearer', 'expires_in': 7200}
33.529 AccessTokenResponse
{
"access_token": "ocNeja7rkhDuPz69WhffzmKJ0Xyp",
"expires_in": 7200,
"refresh_token": "9UhEJSleDbnMFXXHZlV1OwoXuxjaHUw2VJiB6tuJXH",
"token_type": "Bearer"
}
33.529 exception
KeyError:'id_token'
33.529 condition RefreshToken:OP-Token-refresh: status=ERROR, message='id_token'
Not sure what's changed,
Got these across all profiles just a few minutes ago. (oh and my test instance port changed to 60011)
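What an RP-side check for the refresh flow discussed above looks like, as an added example (not code from oidctest or from the reporter): OpenID Connect Core 12.2 says the response to a refresh_token grant might not contain an id_token, and that if one is present its iss, sub, aud and azp must match the original ID Token, auth_time (if present) must still be the original authentication time, and iat must be the new issue time. The function name, the finding strings and the sample dicts are this example's own; it assumes the caller has already verified the id_token signature and passes in the decoded claim set.

```python
"""Added example, not code from oidctest: validate a token endpoint response
to a refresh_token grant per OpenID Connect Core 12.2, where an id_token is
optional but, if present, must be consistent with the original ID Token."""


def _as_list(value):
    """aud may be a single string or a list of strings; compare as a list."""
    return [value] if isinstance(value, str) else list(value or [])


def validate_refresh_response(resp, original_id_token, new_id_token=None, now=None):
    """Return a list of findings; an empty list means the response is acceptable.

    resp              parsed JSON body of the token endpoint response
    original_id_token claim set of the ID Token from the original authentication
    new_id_token      claim set of resp['id_token'] after signature verification
                      (the caller decodes and verifies it; None if absent)
    now               current time in seconds, for the iat freshness check
    """
    findings = []
    for required in ("access_token", "token_type"):
        if required not in resp:
            findings.append("missing %s" % required)
    if resp.get("token_type", "").lower() != "bearer":
        findings.append("token_type must be Bearer, got %r" % resp.get("token_type"))

    if "id_token" not in resp:
        # Core 12.2: the response "might not contain an id_token". Not an error.
        return findings
    if new_id_token is None:
        findings.append("id_token present but no verified claim set supplied")
        return findings

    for claim in ("iss", "sub"):
        if new_id_token.get(claim) != original_id_token.get(claim):
            findings.append("%s changed across refresh" % claim)
    if _as_list(new_id_token.get("aud")) != _as_list(original_id_token.get("aud")):
        findings.append("aud changed across refresh")

    # azp must match; if the original had none, the new token must not add one.
    if "azp" in original_id_token:
        if new_id_token.get("azp") != original_id_token["azp"]:
            findings.append("azp changed across refresh")
    elif "azp" in new_id_token:
        findings.append("azp present in refreshed ID Token but absent originally")

    # auth_time, if present, is the ORIGINAL authentication time, not now.
    if "auth_time" in new_id_token and \
            new_id_token["auth_time"] != original_id_token.get("auth_time"):
        findings.append("auth_time must be the original authentication time")

    # iat must be the issue time of the new token: not older than the
    # original and not in the future (60 s of clock skew tolerated).
    iat = new_id_token.get("iat")
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        findings.append("iat missing or not a number")
    else:
        if iat < original_id_token.get("iat", 0):
            findings.append("iat older than original ID Token")
        if now is not None and iat > now + 60:
            findings.append("iat in the future")
    return findings


if __name__ == "__main__":
    # Constructed sample: a refresh response without id_token, as in the
    # log above, is accepted as-is.
    original = {"iss": "https://op.example", "sub": "u1", "aud": ["c1"],
                "azp": "c1", "iat": 1000, "auth_time": 990}
    resp = {"access_token": "a", "token_type": "Bearer",
            "refresh_token": "r", "expires_in": 7200}
    print(validate_refresh_response(resp, original))
```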
When I register my OP and configure it without support for dynamic client registration, in the test GUI there's still a section for dynamic client registration that subsequently fails to run. The GUI should not display features that have not been configured for the instance.
On a related note: I've seen that the test log seems to strip the request_uri parameter, see e.g.:
https://rp.certification.openid.net:8080/log/mod_auth_openidc-code/rp-request_uri-unsigned.txt
and search for "AuthorizationRequest", it shows:
1500661493.955 AuthorizationRequest {
"aud": "https://rp.certification.openid.net:8080/mod_auth_openidc-code/rp-request_uri-unsigned",
"client_id": "D0xcikMwZLFv",
"iss": "D0xcikMwZLFv",
"nonce": "T34ipSmHzx4_9-Igw6hUVaKXXEgnIyEfu1E2bjGtIJY",
"redirect_uri": "https://ubuntu.zmartzone.eu/protected/",
"response_type": "code",
"scope": "openid email profile",
"state": "zCUUjh09AK-hZf-d5tKjAT50HQ8"
}
but I'm sure my RP sent a request_uri
parameter during this test.
It seems that only the "unpacked" authorization request is logged.
See below. This is only for response_type=id_token; response_type=id_token token works for the tester. @rohe: can you tell what is off here? I do believe the tester should get some feedback in the log.
2017-08-09 11:59:26,835 oidctest.optt:INFO ent:82.74.246.215, vpath: ['OP-scope-All']
2017-08-09 11:59:26,837 oic.utils.keyio:DEBUG loading keys for issuer: https://203.94.95.140:9443/oauth2/token
2017-08-09 11:59:26,838 oic.utils.keyio:DEBUG pcr: {'issuer': 'https://203.94.95.140:9443/oauth2/token', 'scopes_supported': ['openid', 'address', 'email', 'phone', 'profile'], 'id_token_encryption_alg_values_supported': ['RS256'], 'response_types_supported': ['code'], 'authorization_endpoint': 'https://203.94.95.140:9443/oauth2/authorize', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic'], 'grant_types_supported': ['authorization_code', 'refresh_token'], 'jwks_uri': 'https://203.94.95.140:9443/oauth2/jwks', 'userinfo_endpoint': 'https://203.94.95.140:9443/oauth2/userinfo', 'acr_values_supported': ['urn:mace:incommon:iap:silver'], 'token_endpoint': 'https://203.94.95.140:9443/oauth2/token', 'subject_types_supported': ['public'], 'id_token_signing_alg_values_supported': ['RS256']}
2017-08-09 11:59:26,838 oidctest.session:INFO session_setup
2017-08-09 11:59:26,838 otest.aus.tool:INFO <=<=<=<=< OP-scope-All >=>=>=>=>
2017-08-09 11:59:26,838 otest.aus.tool:INFO <--<-- 0 --- Webfinger -->-->
2017-08-09 11:59:26,838 otest.aus.tool:INFO <--<-- 1 --- Discovery -->-->
2017-08-09 11:59:26,838 otest.aus.tool:INFO <--<-- 2 --- Registration -->-->
2017-08-09 11:59:26,839 otest.aus.tool:INFO <--<-- 3 --- AsyncAuthn -->-->
2017-08-09 11:59:26,840 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:59:26] "GET /OP-scope-All HTTP/1.1" 303 598 "https://op.certification.openid.net:60024/authz_cb" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:59:29,704 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:59:29] "GET /authz_cb HTTP/1.1" 200 546 "https://203.94.95.140:9443/authenticationendpoint/oauth2_consent.do?loggedInUser=Hasini+Dilanka+Witharana&application=oidc_test&scope=address+phone+openid+email+profile&sessionDataKeyConsent=c6a8a918-1384-4ae8-9e87-a2dddf491b45&spQueryParams=state%3DpjlGhUtVtJkh8qau%26redirect_uri%3Dhttps%253A%252F%252Fop.certification.openid.net%253A60024%252Fauthz_cb%26client_id%3D8CIMDtidOUCxVgxhQoHSUOEzOV4a%26response_type%3Did_token%26nonce%3Dx4elg1PUruqen3cu%26scope%3Dopenid%2Bprofile%2Bemail%2Baddress%2Bphone" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:59:29,870 otest.aus.tool:INFO <--<-- 3 --- <class 'oidctest.op.oper.AsyncAuthn'>
2017-08-09 11:59:29,870 otest.aus.request:INFO Response: id_token=eyJ4NXQiOiJNalEwTXpNNU5qbGhOVEJtWmpsaU5EWmpNRFEyTlRRM01EUXhaVEJqWm1ZNU1ERmlNekUyTkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.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.BcSlgWi0G5DCf7US-MnloiqvrjAv90Y0fh2LuhVIya8xVBTrFu0uL-hObccILRsg-yyVHOodJwf1EHXEl9xL8oH6dYArnmAuKx8_uZW0W-yG6LBD3R8HEOEU97YJb6sdbkDJd6g6hYwZnONtvWDa-RNdPAVDPav3EXH0TaRR3Iccj2WPeR6de_tY8PaggRZlthl-h_zxVKjIKG26dsp7jSjKu2GM45FFEqbgJMXmm4kout-sX3LuddmwBZvWoNTNDM7PTvQ1nlMXu5v-riCxwI1d0Ww6kSHs3JNIP1bxGYSkIsyUYCtxJKBXN1iZzjNx58lPAWhtr7B8Isunzni_Nw&state=pjlGhUtVtJkh8qau&session_state=fd3b1c7c4531ab9dccdf128b7e9663cf51c7e0d0e2ae26c4d27f0a07505328b8.0ZH0PFNXCIOzb4B7seiw1Q
2017-08-09 11:59:29,870 oic.oauth2:DEBUG Initial response parsing => "{'state': 'pjlGhUtVtJkh8qau', 'id_token': 'eyJ4NXQiOiJNalEwTXpNNU5qbGhOVEJtWmpsaU5EWmpNRFEyTlRRM01EUXhaVEJqWm1ZNU1ERmlNekUyTkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.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.BcSlgWi0G5DCf7US-MnloiqvrjAv90Y0fh2LuhVIya8xVBTrFu0uL-hObccILRsg-yyVHOodJwf1EHXEl9xL8oH6dYArnmAuKx8_uZW0W-yG6LBD3R8HEOEU97YJb6sdbkDJd6g6hYwZnONtvWDa-RNdPAVDPav3EXH0TaRR3Iccj2WPeR6de_tY8PaggRZlthl-h_zxVKjIKG26dsp7jSjKu2GM45FFEqbgJMXmm4kout-sX3LuddmwBZvWoNTNDM7PTvQ1nlMXu5v-riCxwI1d0Ww6kSHs3JNIP1bxGYSkIsyUYCtxJKBXN1iZzjNx58lPAWhtr7B8Isunzni_Nw', 'session_state': 'fd3b1c7c4531ab9dccdf128b7e9663cf51c7e0d0e2ae26c4d27f0a07505328b8.0ZH0PFNXCIOzb4B7seiw1Q'}"
2017-08-09 11:59:29,871 oic.oauth2:DEBUG Verify response with {'client_id': '8CIMDtidOUCxVgxhQoHSUOEzOV4a', 'iss': 'https://203.94.95.140:9443/oauth2/token', 'keyjar': <KeyJar(issuers=['', 'https://203.94.95.140:9443/oauth2/token'])>}
2017-08-09 11:59:29,871 oic.oauth2.message:DEBUG Raw JSON: {'profile': 'https://medium.com/@hasiniwitharana/openid-connect-532465308090', 'auth_time': 1502294367, 'updated_at': '2017', 'middle_name': 'Dilanka', 'nonce': 'x4elg1PUruqen3cu', 'address': '{"street_address":"116/6,Temple Road,Maharagama","formatted":"Colombo,Sri Lanka"}', 'iat': 1502294369, 'azp': '8CIMDtidOUCxVgxhQoHSUOEzOV4a', 'name': 'Hasini Dilanka Witharana', 'family_name': 'Witharana', 'birthdate': '1994-08-06', 'picture': 'https://medium.com/@hasiniwitharana/openid-connect-532465308090', 'aud': ['8CIMDtidOUCxVgxhQoHSUOEzOV4a'], 'website': 'OIDC', 'phone_number': '0713850143', 'email_verified': 'false', 'locale': 'en', 'email': '[email protected]', 'nickname': 'hasi', 'zoneinfo': '2017', 'exp': 1502297969, 'phone_number_verified': 'false', 'preferred_username': 'Hasini', 'iss': 'https://203.94.95.140:9443/oauth2/token', 'given_name': 'Hasini', 'sub': 'Hasini Dilanka Witharana'}
2017-08-09 11:59:29,871 oic.oauth2.message:DEBUG JWS header: {'alg': 'RS256', 'kid': 'd0ec514a32b6f88c0abd12a2840699bdd3deba9d', 'x5t': 'MjQ0MzM5NjlhNTBmZjliNDZjMDQ2NTQ3MDQxZTBjZmY5MDFiMzE2NA'}
2017-08-09 11:59:29,871 root:DEBUG KeyBundle fetch keys from: https://203.94.95.140:9443/oauth2/jwks
2017-08-09 11:59:29,873 requests.packages.urllib3.connectionpool:INFO Starting new HTTPS connection (1): 203.94.95.140
2017-08-09 11:59:30,876 requests.packages.urllib3.connectionpool:DEBUG "GET /oauth2/jwks HTTP/1.1" 200 460
2017-08-09 11:59:30,877 oic.utils.keyio:DEBUG Loaded JWKS: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"d0ec514a32b6f88c0abd12a2840699bdd3deba9d","alg":"RS256","n":"ALvJXywkFdoW4s_DhgPG2iiNRNXIBP0Cynn2uDndhtinsbWgMEhEq-SAmpFV_MOrVOfiISmEECrfVN_1NGnvbV39OIOolodHUZZbK_ZjoI0mcUCtPf8oFLBR_LMi-Wg94XkVGMyVmfyjrHeewV7iNkGZ7hIzdINPuYzb57MH8A_7TNNbaLWiaSN8TftiWbGgUQnNBucgP6XVvNwGuCBN9BC-e8JCu7vGA5d1E3Jovhzu-F0JitVRKkpwPv5haNzNenEZZtj02dmdROYHeI_ubFdT-b-t7qshZ4hFNMz136KwW9OqYEgaCEUAYp7Ukg8hJsrlc1tKXNnmAuQ4X4JN9-0"}]} from https://203.94.95.140:9443/oauth2/jwks
2017-08-09 11:59:30,877 oic.utils.keyio:DEBUG Loaded JWKS: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"d0ec514a32b6f88c0abd12a2840699bdd3deba9d","alg":"RS256","n":"ALvJXywkFdoW4s_DhgPG2iiNRNXIBP0Cynn2uDndhtinsbWgMEhEq-SAmpFV_MOrVOfiISmEECrfVN_1NGnvbV39OIOolodHUZZbK_ZjoI0mcUCtPf8oFLBR_LMi-Wg94XkVGMyVmfyjrHeewV7iNkGZ7hIzdINPuYzb57MH8A_7TNNbaLWiaSN8TftiWbGgUQnNBucgP6XVvNwGuCBN9BC-e8JCu7vGA5d1E3Jovhzu-F0JitVRKkpwPv5haNzNenEZZtj02dmdROYHeI_ubFdT-b-t7qshZ4hFNMz136KwW9OqYEgaCEUAYp7Ukg8hJsrlc1tKXNnmAuQ4X4JN9-0"}]} from https://203.94.95.140:9443/oauth2/jwks
2017-08-09 11:59:30,878 oic.oauth2.message:DEBUG Key set summary for https://203.94.95.140:9443/oauth2/token: RSA:sig:d0ec514a32b6f88c0abd12a2840699bdd3deba9d
2017-08-09 11:59:30,878 oic.utils.keyio:DEBUG Issuer '8CIMDtidOUCxVgxhQoHSUOEzOV4a' not found, available key issuers: ['', 'https://203.94.95.140:9443/oauth2/token']
2017-08-09 11:59:30,878 oic.oauth2.message:DEBUG Key set summary for 8CIMDtidOUCxVgxhQoHSUOEzOV4a:
2017-08-09 11:59:30,878 oic.oauth2.message:DEBUG Found signing key.
2017-08-09 11:59:30,878 jwkest.jws:DEBUG Picking key by key type=RSA
2017-08-09 11:59:30,879 jwkest.jws:DEBUG Picking key based on alg=RS256, kid=d0ec514a32b6f88c0abd12a2840699bdd3deba9d and use=
2017-08-09 11:59:30,879 jwkest.jws:DEBUG Picked: kid:G91Zi19W7Lwa0rGu570gwP_rWfJTBUaWsghWEVEvdVs, use:sig, kty:RSA
2017-08-09 11:59:30,879 jwkest.jws:DEBUG Picked: kid:d0ec514a32b6f88c0abd12a2840699bdd3deba9d, use:sig, kty:RSA
2017-08-09 11:59:30,880 jwkest.jws:DEBUG Verified message using key with kid=d0ec514a32b6f88c0abd12a2840699bdd3deba9d
2017-08-09 11:59:30,881 otest.aus.request:INFO Parsed response: {'state': 'pjlGhUtVtJkh8qau', 'id_token': {'profile': 'https://medium.com/@hasiniwitharana/openid-connect-532465308090', 'auth_time': 1502294367, 'given_name': 'Hasini', 'updated_at': '2017', 'middle_name': 'Dilanka', 'nonce': 'x4elg1PUruqen3cu', 'family_name': 'Witharana', 'iat': 1502294369, 'azp': '8CIMDtidOUCxVgxhQoHSUOEzOV4a', 'name': 'Hasini Dilanka Witharana', 'preferred_username': 'Hasini', 'email': '[email protected]', 'email_verified': 'false', 'picture': 'https://medium.com/@hasiniwitharana/openid-connect-532465308090', 'aud': ['8CIMDtidOUCxVgxhQoHSUOEzOV4a'], 'website': 'OIDC', 'phone_number': '0713850143', 'nickname': 'hasi', 'locale': 'en', 'birthdate': '1994-08-06', 'zoneinfo': '2017', 'address': {'street_address': '116/6,Temple Road,Maharagama', 'formatted': 'Colombo,Sri Lanka'}, 'phone_number_verified': 'false', 'iss': 'https://203.94.95.140:9443/oauth2/token', 'exp': 1502297969, 'sub': 'Hasini Dilanka Witharana'}, 'session_state': 'fd3b1c7c4531ab9dccdf128b7e9663cf51c7e0d0e2ae26c4d27f0a07505328b8.0ZH0PFNXCIOzb4B7seiw1Q'}
2017-08-09 11:59:30,881 otest.aus.tool:INFO <=<=<=<=< OP-scope-All >=>=>=>=>
2017-08-09 11:59:30,881 otest.aus.tool:INFO <--<-- 4 --- AccessToken -->-->
2017-08-09 11:59:30,881 otest.aus.tool:INFO <--<-- 5 --- UserInfo -->-->
2017-08-09 11:59:30,881 otest.aus.tool:INFO <--<-- 6 --- Done -->-->
2017-08-09 11:59:30,882 otest.verify:DEBUG do_check(verify-scopes, {})
2017-08-09 11:59:30,882 otest.verify:DEBUG do_check(check-http-response, {})
2017-08-09 11:59:30,883 otest.verify:ERROR [do_check] ExcList: Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/verify.py", line 70, in do_check
stat = chk(self.conv)
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/check.py", line 121, in __call__
_stat = self._func(conv)
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/aus/check.py", line 76, in _func
_response = conv.events.get_data(EV_HTTP_RESPONSE)[-1]
IndexError: list index out of range
2017-08-09 11:59:30,883 otest.verify:ERROR [do_check] Exception: list index out of range
2017-08-09 11:59:30,884 otest.handling:ERROR [authz_cb] ExcList: Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg/oidctest/optt/__init__.py", line 195, in authz_post
response=kwargs)
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/aus/tool.py", line 230, in async_response
return self.run_flow(self.sh["testid"], index=index)
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/aus/tool.py", line 112, in run_flow
_ver.test_sequence(self.conv.flow["assert"])
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/verify.py", line 96, in test_sequence
self.do_check(test)
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/verify.py", line 70, in do_check
stat = chk(self.conv)
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/check.py", line 121, in __call__
_stat = self._func(conv)
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/aus/check.py", line 76, in _func
_response = conv.events.get_data(EV_HTTP_RESPONSE)[-1]
IndexError: list index out of range
2017-08-09 11:59:30,884 otest.handling:ERROR [authz_cb] Exception: list index out of range
Currently it is not possible, or at least not documented, how to do static registration for RP testing i.e. how one can certify an RP that does not support Dynamic Client Registration. We should most probably fix that before going into production (as Dynreg is optional).
[1] is the documentation I refer to.
I have run only the basic profile. The mismatches I found in basic profile are given below.
Included in the test suite but not in the documentation:
OP-Response-form_post
Included in the documentation but not in the test suite:
OP-request_uri-Unsigned
OP-ClientAuth-Basic-Dynamic
OP-ClientAuth-SecretPost-Dynamic
OP-IDToken-none
OP-IDToken-kid
OP-IDToken-RS256
[1] - http://openid.net/wordpress-content/uploads/2016/12/OpenID-Connect-Conformance-Profiles.pdf
I believe all tests are still there, they just have different names. Changing the names of the tests may result in problems for testers using automated certification, so we are going to change the names in the doc.
I'll report back here which tests have been renamed to which names asap.
There's an optional test rp-token_endpoint-client_secret_basic for the profile id_token+token at:
https://rp.certification.openid.net:8080/list?profile=IT
which I don't think makes sense there.
Deleting a registered instance from the OP test suite results in:
Traceback (most recent call last):
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cprequest.py", line 670, in respond
response.body = self.handler()
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/lib/encoding.py", line 220, in __call__
self.body = self.oldhandler(*args, **kwargs)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cpdispatch.py", line 60, in __call__
return self.callable(*self.args, **self.kwargs)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/tt/action.py", line 147, in index
return self.delete(iss, tag, ev)
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/tt/action.py", line 244, in delete
_key = self.app.assigned_ports(*uqp)
TypeError: 'AssignedPorts' object is not callable
The note in the test says "You should get a popup user agent login window".
From my point of view it is the RP (in this case, the test tool) who should be responsible for creating the popup and me, the OP, to honor the display parameter just to optimize for popups.
RATIONALE:
The spec says "The Authorization Server SHOULD display [...] CONSISTENT WITH a popup" and not "create a popup".
It looks like that "display" parameter appeared in the standard as a result of the input of this group. Look at this part of the charter:
"Although it is possible for Relying Parties to open a popup window for the user to authenticate at the OpenID Provider using the Provider's default user interface, the overall user experience can be optimized if the OP was aware that its UI was running within a popup. For instance, an OP may want to resize the popup browser window when using the popup interface, but would probably not want to resize the full browser window when using the default redirect interface. Another optimization is that the OP can close the popup, rather than return a negative assertion if the user chooses to cancel the authentication request."
So "consistent with", for me, means "to be aware of running within a popup window that my caller created".
I would expect the test to be adjusted to do so.
The RP test documentation at http://openid.net/certification/rp_testing/ lists links that result in errors.
Clicking:
https://rp.certification.openid.net:8080/mod_auth_openidc/rp-response_type-code
And selecting then the "code" profile will take you to https://rp.certification.openid.net:8080/mod_auth_openidc/list?profile=C
which will result in the following error in the browser:
500 Internal Server Error
The server encountered an unexpected condition which prevented it from fulfilling the request.
Traceback (most recent call last):
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cprequest.py", line 642, in respond
self.get_resource(path_info)
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cprequest.py", line 760, in get_resource
dispatch(path)
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cpdispatch.py", line 294, in __call__
func, vpath = self.find_handler(path_info)
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cpdispatch.py", line 357, in find_handler
subnode = dispatch(vpath=iternames)
File "/usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg/oidctest/cp/op.py", line 376, in _cp_dispatch
self.flows[test_id]
File "/usr/local/lib/python3.5/dist-packages/otest-0.7.0-py3.5.egg/otest/flow.py", line 79, in __getitem__
fp = open(fname, 'r')
FileNotFoundError: [Errno 2] No such file or directory: '/home/oictest/oidf/oidc_cp_rplib/flows/list.json'
It looks like doing the same for more recent clients still works, i.e. it doesn't take you to a non-existing mod_auth_openidc/list?profile=C page but to list?profile=C.
Perhaps the code changed and this client registration is obsolete?
In the old environment, when changing the flow the suite of tests was reset. The new test environment does not, and instead maintains state on whatever tests apply to both flows. This could possibly be misleading, and cause tests to not be run to completion.
For instance, switching from id_token token to code id_token token gives:
with the ID Token tests which apply to both already showing green, despite not having been run for the latter.
We are not flagging it when claims are returned with the wrong JSON types. For instance, the Mvine results returned "middle_name": null - which isn't a string as required and "updated_at": "20170328081544Z" - when a number is required. These results currently are PASSED whereas they should be FAILED.
We should also be issuing WARNINGs when empty strings are returned as claim values - such as "middle_name": "".
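A checker for exactly the two things this issue asks for, as an added example (not code from oidctest): it compares each standard claim present in a decoded claim set against the JSON type OpenID Connect Core 5.1 assigns it (strings for the name claims, boolean for email_verified and phone_number_verified, number for updated_at, JSON object for address), reports wrong types as errors and empty strings as warnings. Claim names and types are from the spec; the function name, message format and sample claim set are this example's own, and it assumes the claims were produced by json.loads, so null arrives as None and true/false as bool.

```python
"""Added example, not code from oidctest: check standard claims against the
JSON types OpenID Connect Core 5.1 assigns them. Wrong types are errors
(the test should FAIL); empty strings are warnings."""

# Claim name -> JSON type per OIDC Core 5.1 (address is a JSON object, 5.1.1).
STANDARD_CLAIM_TYPES = {
    "sub": "string", "name": "string", "given_name": "string",
    "family_name": "string", "middle_name": "string", "nickname": "string",
    "preferred_username": "string", "profile": "string", "picture": "string",
    "website": "string", "email": "string", "email_verified": "boolean",
    "gender": "string", "birthdate": "string", "zoneinfo": "string",
    "locale": "string", "phone_number": "string",
    "phone_number_verified": "boolean", "address": "object",
    "updated_at": "number",
}


def _json_type_name(value):
    """Name of the JSON type of a decoded value, for comparison and messages."""
    if value is None:
        return "null"
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    if isinstance(value, list):
        return "array"
    if isinstance(value, dict):
        return "object"
    return type(value).__name__


def check_claim_types(claims):
    """Return {'errors': [...], 'warnings': [...]} for a decoded claim set
    (json.loads output: None for null, bool for true/false, str for strings)."""
    errors, warnings = [], []
    for name, expected in STANDARD_CLAIM_TYPES.items():
        if name not in claims:
            continue
        value = claims[name]
        actual = _json_type_name(value)
        # Compare JSON type names rather than isinstance(): bool is a subclass
        # of int in Python, so True would otherwise pass as a number.
        if actual != expected:
            errors.append("%s: expected %s, got %s (%r)"
                          % (name, expected, actual, value))
        elif expected == "string" and value == "":
            warnings.append("%s: empty string" % name)
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample mirroring the shapes discussed in the issue above.
    sample = {"sub": "abc", "middle_name": None,
              "updated_at": "20170328081544Z", "email_verified": "false",
              "nickname": ""}
    result = check_claim_types(sample)
    for line in result["errors"]:
        print("ERROR  ", line)
    for line in result["warnings"]:
        print("WARNING", line)
```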
I want to submit my certification test but the mail [email protected] does not work. How can I continue? 2.5 MB zip
I ran into an issue with the "behavior" element in the JSON test descriptions: they are strings but the operations on them assume arrays, as a lot of them look like
if "iat" in self.behavior_type: # missing iat claim
etc.
The self.behavior_type initialization suggests it is stored as an array (https://github.com/openid-certification/oidctest/blob/master/src/oidctest/rp/provider.py#L170) or even object (https://github.com/openid-certification/oidctest/blob/master/src/oidctest/rp/provider.py#L104) but at assignment time it makes it the type of whatever the test description value is set to (https://github.com/openid-certification/oidctest/blob/master/src/oidctest/cp/op_handler.py#L136)
op.behavior_type = _tc["behavior"]
op.server.behavior_type = _tc["behavior"]
Since the current tests define behavior as a string e.g.
"behavior": "aud",
the behavior matching code will actually test for a substring in a string instead of a string in an array. That's dangerous as I named my behavior:
"behavior": "initiate_login_uri",
which unexpectedly matches iat as well.
In summary, I believe all test descriptions should change to use an array as in:
"behavior": [ "initiate_login_uri" ],
or else all code handling it would need to change to avoid future name clashes like the one I had.
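The clash described above next to the second fix the reporter proposes (normalising in code), as an added example that is not oidctest code: the first function reproduces what `name in behavior_type` does when behavior_type is a str, the second accepts either the string form current test descriptions use or the array form and always tests whole names. Function names are this example's own.

```python
"""Added example, not code from oidctest: the substring check described above,
next to a normalisation that treats behavior names as whole words whether the
test description carries a string or an array."""


def buggy_has_behavior(behavior_type, name):
    """What `if "iat" in self.behavior_type` does when behavior_type is a str:
    a substring test, so "iat" matches "initiate_login_uri"."""
    return name in behavior_type


def normalize_behavior(behavior_value):
    """Accept the string form used by current test descriptions ("aud"),
    the array form (["aud", "iat"]) or a missing value; return a set of
    whole behavior names."""
    if behavior_value is None:
        return set()
    if isinstance(behavior_value, str):
        return {behavior_value}
    return set(behavior_value)


def has_behavior(behavior_value, name):
    """Whole-name membership test, immune to substring clashes."""
    return name in normalize_behavior(behavior_value)


if __name__ == "__main__":
    print(buggy_has_behavior("initiate_login_uri", "iat"))  # True: the clash
    print(has_behavior("initiate_login_uri", "iat"))        # False
```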
I reject this because I have 4 items with kid ids in the https://rp.certification.openid.net:8080/static/jwks_5hZ6PW0uKOqzGcMK.json
Test states:
Accepts ID Token without 'kid' claim in JOSE header if only one JWK supplied in 'jwks_uri'
Have I misunderstood something here, or is the test incorrect?
Greetings Damien
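The rule the quoted test is exercising, written out as an added example (not code from oidctest, jwkest or the reporter): an ID Token whose JOSE header carries no kid can only be verified safely when the JWK Set, after filtering by key type, use and alg, leaves exactly one candidate; with several candidates the verifier should refuse rather than try each key in turn. The function name, the error types and the constructed JWK Sets in the test are this example's own; the JWKs contain no real key material.

```python
"""Added example, not code from oidctest or jwkest: choose the JWK that may
verify an ID Token. Without a 'kid' in the JOSE header the choice is only
safe when the JWK Set (after filtering by key type, use and alg) leaves
exactly one candidate; otherwise the verifier refuses rather than guessing."""

# JWS alg -> JWK key type (RFC 7518)
_KTY_FOR_ALG = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
    "HS256": "oct", "HS384": "oct", "HS512": "oct",
}


def select_verification_key(jwks, header):
    """Return the single JWK (dict) usable to verify a JWS with this header.

    Raises ValueError for 'none'/unknown algs and LookupError when the key
    set cannot be narrowed down to exactly one key.
    """
    alg = header.get("alg")
    if alg is None or alg == "none":
        raise ValueError("refusing to select a key for an unsigned or alg-less token")
    kty = _KTY_FOR_ALG.get(alg)
    if kty is None:
        raise ValueError("unsupported alg: %r" % (alg,))

    candidates = [
        k for k in jwks.get("keys", [])
        if k.get("kty") == kty
        and k.get("use", "sig") == "sig"   # 'use' is optional in a JWK
        and k.get("alg", alg) == alg       # so is 'alg'
    ]

    kid = header.get("kid")
    if kid is not None:
        matches = [k for k in candidates if k.get("kid") == kid]
        if len(matches) != 1:
            raise LookupError("kid %r matches %d keys" % (kid, len(matches)))
        return matches[0]

    if len(candidates) == 1:
        return candidates[0]
    raise LookupError("no kid in header and %d candidate keys; refusing to guess"
                      % len(candidates))


if __name__ == "__main__":
    # Constructed JWK Set with four signing keys (no real key material):
    # a kid-less RS256 header cannot be resolved against it.
    four_keys = {"keys": [{"kty": "RSA", "use": "sig", "kid": "k%d" % i}
                          for i in range(1, 5)]}
    try:
        select_verification_key(four_keys, {"alg": "RS256"})
    except LookupError as err:
        print("rejected:", err)
```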
As we discussed on today's call, we need to notify those testers that we can about the change to new-op. Can you please extract the e-mail addresses we have, Roland? I realize that this won't be a complete list.
Also, can you please gather the WebFinger e-mail addresses from the RP testing info? Many won't work, but we might as well try to contact the current RP testers too. If that's the best info we have about them, let's use it, even though it will be flawed. Thanks.
Running rp-request_uri-enc on the latest code results in an error:
[04/May/2017:06:38:12]
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cprequest.py", line 670, in respond
response.body = self.handler()
File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/lib/encoding.py", line 220, in __call__
self.body = self.oldhandler(*args, **kwargs)
File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cpdispatch.py", line 60, in __call__
return self.callable(*self.args, **self.kwargs)
File "/usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg/oidctest/cp/op.py", line 200, in index
resp = op.authorization_endpoint(kwargs)
File "/usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg/oidctest/rp/provider.py", line 418, in authorization_endpoint
**kwargs)
File "/usr/local/lib/python3.5/dist-packages/oic-0.10.0.0-py3.5.egg/oic/oic/provider.py", line 735, in authorization_endpoint
info = self.auth_init(request, request_class=AuthorizationRequest)
File "/usr/local/lib/python3.5/dist-packages/oic-0.10.0.0-py3.5.egg/oic/oauth2/provider.py", line 401, in auth_init
areq = self.filter_request(areq)
File "/usr/local/lib/python3.5/dist-packages/oic-0.10.0.0-py3.5.egg/oic/oic/provider.py", line 688, in filter_request
before = req.to_dict()
AttributeError: 'Response' object has no attribute 'to_dict'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cprequest.py", line 589, in run
self.respond(pi)
File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cprequest.py", line 690, in respond
self.handle_error()
File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cprequest.py", line 767, in handle_error
self.error_response()
File "/usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg/oidctest/cp/op.py", line 30, in handle_error
"<html><body>Sorry, an error occured</body></html>"
File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/__init__.py", line 239, in __setattr__
setattr(child, name, value)
File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cprequest.py", line 831, in __set__
raise ValueError(self.unicode_err)
ValueError: Page handlers MUST return bytes. Use tools.encode if you wish to return unicode.
When downloading the tar archive with log files, two things seem to be off:
tar ztvf s_zmartzone.eu.id_token_token.IT.F.T.F.tar.gz
-rw-r--r-- 0 root root 3154 Jun 13 10:42 usr/local/oidf/oidc_op/log/s_zmartzone.eu/id_token_token/IT.F.T.F/OP-Response-Missing
When OPs use statically provided configuration values in the UI rather than serve a Discovery document from the OP, errors seem to occur, e.g. with OP-Response-Missing as below:
Test info
Profile: {'openid-configuration': 'no-config', 'response_type': 'code', 'crypto': 'none+encrypt', 'registration': 'static'}
Timestamp: 2017-05-24T11:14:14Z
Test description: Authorization request missing the response_type parameter [Basic, Implicit, Hybrid]
Test ID: OP-Response-Missing
Issuer: https://win10-vm-cf.technodat.at/oidc
________________________________________
Test output
__AuthorizationRequest:pre__
[check-response-type]
status: OK
description: Checks that the asked for response type are among the supported
[check-endpoint]
status: OK
description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[-]
status: ERROR
info: 'NoneType' object has no attribute 'status_code'
________________________________________
Trace output
2.002024 ------------ AuthorizationRequest ------------
2.003602 --> URL: https://win10-vm-cf.technodat.at/oidc/authorize?scope=openid&state=9FpbVzG9BAbcYl1j&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A61016%2Fauthz_cb&client_id=49152
2.003610 --> BODY: None
2.187588 <-- error=invalid_request&error_description=Required%20Parameter%20%22response_type%22%20not%20supplied.
2.188559 AuthorizationErrorResponse: {
"error": "invalid_request",
"error_description": "Required Parameter \"response_type\" not supplied."
}
2.188842 ==== END ====
2.192292 [ERROR] AttributeError:'NoneType' object has no attribute 'status_code'
________________________________________
Result
PARTIAL RESULT
As discussed on today's call, we need to copy the testing profiles created on old-op to new-op before we switch the domain names to make new-op the default. Can you do that, Roland? Thanks.
The test requires the profile configuration parameter "login_hint". It then creates the string
$login_hint + "@" + $issuer
and sends that as the value of the auth request parameter login_hint.
First, that's a bit confusing, but second, and more importantly, it's too rigid: for instance my Auth-Endpoint does not expect that @$issuer notation and thus doesn't recognize the user.
My enhancement request is to pass the profile configuration parameter "as is" in the auth request login_hint. That allows for all possible options.
When running said test case with client auto registration enabled, the test tool registers a client but apparently does NOT provide a request_uri in the client profile. My server thus does not enforce the request_uri in the auth request.
In any case: Whatever the reason for the server not enforcing the request_uri parameter, I am passing the test by simply ignoring the request_uri parameter in the auth request. The implementation is thus not effective.
What about not providing all parameters in the auth request and expecting the auth endpoint to dig them from request_uri (and verify for it)?
When trying to run the docker-compose up command referred to in the readme, none of the containers were starting.
After a little digging, I noticed that the issue was due to the fact that git for windows changes the line endings on all of the *.sh and *.py files to the windows standard CRLF instead of the expected LF only. I was able to get around the issue by adding a .gitattributes file to the root directory with the following contents:
* text=auto
*.sh text eol=lf
*.py text eol=lf
I do not see any contribution guidelines anywhere, so was unsure how to submit a pull request with the new file to resolve this issue for others in a similar situation.
OP-prompt-login checks to see if two consecutive authentication flows result in two different id_tokens by checking the auth_time claim between them here:
https://github.com/openid-certification/oidctest/blob/master/src/oidctest/op/check.py#L1073
However, auth_time is not a required claim. It is only required when max_age is requested or auth_time was a requested claim, but adding those would make the test test something different.
Checking iat, jti, the signature, or other indicators that the tokens are different would be better, optionally depending on auth_time when it happens to be provided. Not failing when auth_time is not provided would at least be the right behavior.
Also, providing better logging when the test fails would be nice: right now it doesn't say what it was actually searching for if it fails to find a different auth_time claim.
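One way the comparison described in this issue could be written, as an added example that is not oidctest's own code: auth_time decides when both tokens carry it, otherwise jti, iat and the signature are consulted, and the returned reason states what was compared. The `make_token` helper builds constructed, unsigned sample tokens for the demo.

```python
"""Added example (not oidctest code): decide whether two ID tokens from
consecutive prompt=login flows show two distinct authentications."""
import base64
import json


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def id_token_claims(jwt: str) -> dict:
    # Only the payload is inspected here; signature verification is assumed
    # to have happened earlier in the flow.
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def distinct_authentications(tok1: str, tok2: str) -> tuple:
    """Return (distinct, reason); `reason` names the evidence that decided
    it, so a failing check can report what it actually looked at."""
    c1, c2 = id_token_claims(tok1), id_token_claims(tok2)
    if "auth_time" in c1 and "auth_time" in c2:
        if c1["auth_time"] != c2["auth_time"]:
            return True, "auth_time differs"
        return False, "auth_time identical in both ID tokens"
    # auth_time is optional unless max_age or the auth_time claim was
    # requested, so fall back to evidence that the tokens themselves differ.
    for claim in ("jti", "iat"):
        if claim in c1 and claim in c2 and c1[claim] != c2[claim]:
            return True, f"{claim} differs (auth_time not provided)"
    if tok1.rsplit(".", 1)[1] != tok2.rsplit(".", 1)[1]:
        return True, "signature differs (auth_time not provided)"
    return False, "no auth_time, jti, iat or signature difference found"


def make_token(claims: dict, sig: str = "constructed-sig") -> str:
    # Constructed sample token: header, payload and a placeholder signature.
    def enc(d):
        raw = json.dumps(d, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), sig])


if __name__ == "__main__":
    first = make_token({"sub": "alice", "iat": 1500000000}, "sigA")
    second = make_token({"sub": "alice", "iat": 1500000030}, "sigB")
    print(distinct_authentications(first, second))
```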
From our point of view it is impossible to pass the test if the client registration parameters are honored:
At client registration time the client declares itself to restrict itself to
"grant_types": [
"authorization_code"
]
but later on, it attempts a grant_type "refresh_token". No wonder we don't pass the test
status_code:400 message:{"error_description":"The client is not authorized to use this grant type","error":"unauthorized_client"}
When I test with the public test server and request the userdata, using the access_token from the authorise of the id_token token, a 400 is returned: Invalid Bearer token
Sometimes the RP test suite is stalled and only returns HTTP 500 on Discovery document requests, e.g.:
Message: '86.110.65.8 - - [09/May/2017:08:21:45] "GET /mod_auth_openidc/rp-nonce-unless-code-flow/.well-known/openid-configuration HTTP/1.1" 500 1967 "" "mod_auth_openidc"'
Arguments: ()
--- Logging error ---
Traceback (most recent call last):
File "/usr/lib/python3.5/logging/__init__.py", line 983, in emit
stream.write(self.terminator)
OSError: [Errno 5] Input/output error
Call stack:
File "/usr/lib/python3.5/threading.py", line 882, in _bootstrap
self._bootstrap_inner()
File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
self.run()
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/wsgiserver/__init__.py", line 1594, in run
conn.communicate()
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/wsgiserver/__init__.py", line 1408, in communicate
req.respond()
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/wsgiserver/__init__.py", line 862, in respond
self.server.gateway(self).respond()
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/wsgiserver/__init__.py", line 2335, in respond
response = self.req.server.wsgi_app(self.env, self.start_response)
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cptree.py", line 287, in __call__
return app(environ, start_response)
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cptree.py", line 153, in __call__
return self.wsgiapp(environ, start_response)
File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cpwsgi.py", line 450, in __call__
return head(environ, start_response)
This requires a restart to make things operational again.
When running the authorization code reuse tests (both the immediate and thirty-second delay tests) a PARTIAL RESULT message (with associated question mark on status bubble) is shown, despite a conformant 403 Access Denied response with error invalid_grant, as is consistent with the OAuth 2.0 specification. [RFC 6749]
invalid_grant
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
another client.
These tests return green in the old testing environment, as I would expect.
On the current OP site we instruct people to go to https://op.certification.openid.net:60000/. We should enable https://new-op.certification.openid.net:60000/ now so that when we switch the domain names, the current (https) configuration URL will keep working.
There seems to be a problem with the port assignment of new registrations:
Now about the tool: I think we are having some (concurrency?) issues in the new version! I just registered a new test instance. This was the success message:
Your test instance "https://auth.freedom-id.de:basic-autoreg" has been start as https://op.certification.openid.net:60001
However, that port is bringing me to the test instance of another issuer which is not mine (idam.metrosystems.net). Could you please double check what is going on?
I guess it is always going to take 60001 for new registrations?
(PS: I've manually fixed this for the tester using port 61011)