openid-certification / oidctest

This project forked from rohe/oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

License: Other

Python 50.52% Shell 0.40% HTML 48.60% CSS 0.01% Dockerfile 0.40% Makefile 0.09%

oidctest's People

Contributors

dallerbarn, dannysauer, panva, rohe, savvasmisaghmoayyed, selfissued, sozkan, spomky, tpazderka, travisspencer, zandbelt

oidctest's Issues

rp-request_uri-* does not log the request_uri parameter itself

On a related note: I've seen that the test log seems to strip the request_uri parameter, see e.g.:
https://rp.certification.openid.net:8080/log/mod_auth_openidc-code/rp-request_uri-unsigned.txt
and search for "AuthorizationRequest", it shows:

1500661493.955 AuthorizationRequest {
    "aud": "https://rp.certification.openid.net:8080/mod_auth_openidc-code/rp-request_uri-unsigned",
    "client_id": "D0xcikMwZLFv",
    "iss": "D0xcikMwZLFv",
    "nonce": "T34ipSmHzx4_9-Igw6hUVaKXXEgnIyEfu1E2bjGtIJY",
    "redirect_uri": "https://ubuntu.zmartzone.eu/protected/",
    "response_type": "code",
    "scope": "openid email profile",
    "state": "zCUUjh09AK-hZf-d5tKjAT50HQ8"
}

but I'm sure my RP sent a request_uri parameter during this test.

It seems that only the "unpacked" authorization request is logged.

conformance profiles document out of sync with test suite

[1] is the documentation I refer to.
I have run only the basic profile. The mismatches I found in basic profile are given below.

Included in the test suite but not in the documentation

OP-Response-form_post

Included in the documentation but not in the test suite

OP-request_uri-Unsigned
OP-ClientAuth-Basic-Dynamic
OP-ClientAuth-SecretPost-Dynamic
OP-IDToken-none
OP-IDToken-kid
OP-IDToken-RS256

[1] - http://openid.net/wordpress-content/uploads/2016/12/OpenID-Connect-Conformance-Profiles.pdf

I believe all tests are still there, they just have different names. Changing the names of the tests may result in problems for testers using automated certification, so we are going to change the names in the doc.

I'll report back here which tests have been renamed to which names asap.

OP-prompt-login shouldn't depend on "auth_time"

OP-prompt-login checks to see if two consecutive authentication flows result in two different id_tokens by checking the auth_time claim between them here:
https://github.com/openid-certification/oidctest/blob/master/src/oidctest/op/check.py#L1073

However, auth_time is not a required claim. It is only required when max_age is requested or auth_time was a requested claim, but adding those would make the test test something different.

Checking iat, jti, the signature, or other indicators that the tokens are different would be better, optionally depending on auth_time when it happens to be provided. Not failing when auth_time is not provided would at least be the right behavior.

Also, providing better logging when the test fails would be nice: right now it doesn't say what it was actually searching for if it fails to find a different auth_time claim.
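The comparison proposed in this issue, as an added example (not oidctest's own code): auth_time decides the outcome only when both ID Tokens carry it, otherwise iat, jti and the signature segment are compared, and every result says what was compared. It assumes both tokens were already signature-verified elsewhere; the function names and sample tokens are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment):
    """Decode a base64url segment whose '=' padding was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_id_token(compact_jws):
    """Return (claims, signature segment) of a compact JWS, unverified."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1])), parts[2]


def check_reauthenticated(first_jws, second_jws):
    """Decide whether the second ID Token reflects a new authentication.

    Returns (status, message); the message always names what was compared.
    """
    first, first_sig = split_id_token(first_jws)
    second, second_sig = split_id_token(second_jws)

    # auth_time is optional, so it is decisive only when both tokens carry it.
    if "auth_time" in first and "auth_time" in second:
        if second["auth_time"] > first["auth_time"]:
            return "OK", "auth_time advanced from {} to {}".format(
                first["auth_time"], second["auth_time"])
        return "ERROR", "auth_time did not advance: first={} second={}".format(
            first["auth_time"], second["auth_time"])

    # Fallback: any other indicator that a different token was issued.
    compared = []
    for claim in ("iat", "jti"):
        if claim in first and claim in second:
            compared.append(claim)
            if first[claim] != second[claim]:
                return "OK", "auth_time absent; tokens differ in " + claim
    compared.append("signature")
    if first_sig != second_sig:
        return "OK", "auth_time absent; tokens differ in signature"
    return "ERROR", "auth_time absent; tokens identical in " + ", ".join(compared)


def make_token(claims, signature):
    """Build a constructed compact token; the signature is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj, sort_keys=True).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), signature])


# Constructed sample tokens (hypothetical issuer, subject and client).
BASE = {"iss": "https://op.example", "sub": "u1", "aud": "rp1"}
WITH_AUTH_TIME_1 = make_token(dict(BASE, iat=1000, auth_time=990), "sigA")
WITH_AUTH_TIME_2 = make_token(dict(BASE, iat=1060, auth_time=1055), "sigB")
STALE_AUTH_TIME = make_token(dict(BASE, iat=1060, auth_time=990), "sigC")
NO_AUTH_TIME_1 = make_token(dict(BASE, iat=1000), "sigD")
NO_AUTH_TIME_2 = make_token(dict(BASE, iat=1060), "sigE")

if __name__ == "__main__":
    for pair in [(WITH_AUTH_TIME_1, WITH_AUTH_TIME_2),
                 (WITH_AUTH_TIME_1, STALE_AUTH_TIME),
                 (NO_AUTH_TIME_1, NO_AUTH_TIME_2),
                 (NO_AUTH_TIME_1, NO_AUTH_TIME_1)]:
        print(check_reauthenticated(*pair))
```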

rp-request_uri-enc: Improve error logging when resolving the Request URI fails

Running rp-request_uri-enc on the latest code results in an error:

[04/May/2017:06:38:12]  
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/lib/encoding.py", line 220, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cpdispatch.py", line 60, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg/oidctest/cp/op.py", line 200, in index
    resp = op.authorization_endpoint(kwargs)
  File "/usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg/oidctest/rp/provider.py", line 418, in authorization_endpoint
    **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/oic-0.10.0.0-py3.5.egg/oic/oic/provider.py", line 735, in authorization_endpoint
    info = self.auth_init(request, request_class=AuthorizationRequest)
  File "/usr/local/lib/python3.5/dist-packages/oic-0.10.0.0-py3.5.egg/oic/oauth2/provider.py", line 401, in auth_init
    areq = self.filter_request(areq)
  File "/usr/local/lib/python3.5/dist-packages/oic-0.10.0.0-py3.5.egg/oic/oic/provider.py", line 688, in filter_request
    before = req.to_dict()
AttributeError: 'Response' object has no attribute 'to_dict'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cprequest.py", line 589, in run
    self.respond(pi)
  File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cprequest.py", line 690, in respond
    self.handle_error()
  File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cprequest.py", line 767, in handle_error
    self.error_response()
  File "/usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg/oidctest/cp/op.py", line 30, in handle_error
    "<html><body>Sorry, an error occured</body></html>"
  File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/__init__.py", line 239, in __setattr__
    setattr(child, name, value)
  File "/usr/local/lib/python3.5/dist-packages/CherryPy-8.9.1-py3.5.egg/cherrypy/_cprequest.py", line 831, in __set__
    raise ValueError(self.unicode_err)
ValueError: Page handlers MUST return bytes. Use tools.encode if you wish to return unicode.

Bug in test OP-Rotation-RP-Sig

From our point of view it is impossible to pass the test if the client registration parameters are honored:

At client registration time the client declares itself to restrict itself to

"grant_types": [
    "authorization_code"
]

but later on, it attempts a grant_type "refresh_token". No wonder we don't pass the test:

status_code:400 message:{"error_description":"The client is not authorized to use this grant type","error":"unauthorized_client"}

ERROR in logs for OP-Req-NotUnderstood

As per Mike's e-mail about this:

log for OP-Req-NotUnderstood. It contains this AuthorizationRequest data:
{
    "ERROR": {
        "extra": "foobar"
    },
    "client_id": "proxy_client_id",
    "nonce": "gwvPr0raez4ctW2S",
    "redirect_uri": "https://new-op.certification.openid.net:60019/authz_cb",
    "response_type": "code",
    "scope": "openid",
    "state": "ijMZqGqBZuZpYoKA"
}

I don’t understand the "ERROR": {"extra": "foobar"} part because including a not-understood request parameter isn’t an error. It’s something that’s legal to do. The current log format makes it look like something is wrong, when it isn’t.

I only caught this because I grep for ERR in the logs when I review submissions. This confused me so I suspect that it would confuse testers too.

OP-Token-refresh expects an id_token

As far as I know there's no obligation - and in fact it does not make sense - to return an id_token in a refresh_token flow. It seems the OP test suite expects one and fails if there isn't one returned from the token endpoint:

2017-04-21 14:51:31,345 otest.aus.tool:ERROR [RefreshToken] ExcList: Traceback (most recent call last):
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/otest-0.7.0-py3.6.egg/otest/aus/tool.py", line 86, in run_flow
    resp = _oper()
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/otest-0.7.0-py3.6.egg/otest/operation.py", line 103, in __call__
    res = self.run(*args, **kwargs)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/op/oper.py", line 266, in run
    self.catch_exception_and_error(self._run)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/otest-0.7.0-py3.6.egg/otest/operation.py", line 151, in catch_exception_and_error
    res = func(**kwargs)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/op/oper.py", line 307, in _run
    if not same_issuer(self.conv.info["issuer"], atr["id_token"]["iss"]):
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oic-0.10.0.0-py3.6.egg/oic/oauth2/message.py", line 730, in __getitem__
    return self._dict[item]
KeyError: 'id_token'

The culprit seems to be in:
https://github.com/openid-certification/oidctest/blob/master/src/oidctest/op/oper.py#L307

The test output:

33.528	http response	
url:https://<host>/as/token.oauth2 status_code:200
33.528	response	{'access_token': 'ocNeja7rkhDuPz69WhffzmKJ0Xyp', 'refresh_token': '9UhEJSleDbnMFXXHZlV1OwoXuxjaHUw2VJiB6tuJXH', 'token_type': 'Bearer', 'expires_in': 7200}
33.529	AccessTokenResponse	
{
    "access_token": "ocNeja7rkhDuPz69WhffzmKJ0Xyp",
    "expires_in": 7200,
    "refresh_token": "9UhEJSleDbnMFXXHZlV1OwoXuxjaHUw2VJiB6tuJXH",
    "token_type": "Bearer"
}
33.529	exception	
KeyError:'id_token'
33.529	condition	RefreshToken:OP-Token-refresh: status=ERROR, message='id_token'

Warnings in OP-scope-* tests for not supported scopes

My server at
https://auth.freedom-id.de/.well-known/openid-configuration

clearly states that the only scope supported is "openid". However, the scope test cases, take OP-Scope-All for instance (https://op.certification.openid.net:60381/test_info/OP-scope-All), complain with the following warning

WARNING
Warnings:
No support for: scopes_supported=['profile', 'email', 'address',
'phone']

My server processes the request without returning an error and doesn't return the claim, which should be OK. So I believe the test result should still be "Passed" without any warnings.

missing iss and aud claims in signed Request Objects

Every OP test that includes sending a request object (either by reference or value) should have two extra claims in the request object it sends (or references by sending request_uri):

  • iss with the value being the client id
  • and aud being the OP's issuer identifier

From Core 1.0

If signed, the Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value SHOULD be the Client ID of the RP, unless it was signed by a different party than the RP. The aud value SHOULD be or include the OP's Issuer Identifier URL.

Now I added these SHOULD validations to my OP and tests don't pass anymore. If the OP tool were including them, both OPs with and without this validation would be passing.

docker-compose up not working on windows machine

When trying to run the docker-compose up command referred to in the readme, none of the containers were starting.
After a little digging, I noticed that the issue was due to the fact that Git for Windows changes the line endings on all of the *.sh and *.py files to the Windows standard CRLF instead of the expected LF only. I was able to get around the issue by adding a .gitattributes file to the root directory with the following contents:

*           text=auto
*.sh        text eol=lf
*.py        text eol=lf

I do not see any contribution guidelines anywhere, so was unsure how to submit a pull request with the new file to resolve this issue for others in a similar situation.

Responsibilities in test OP-display-popup

The note in the test says "You should get a popup user agent login window".

From my point of view it is the RP (in this case, the test tool) who should be responsible for creating the popup and me, the OP, to honor the display parameter just to optimize for popups.

RATIONALE:

The spec says "The Authorization Server SHOULD display [...] CONSISTENT WITH a popup" and not "create a popup".

It looks like that "display" parameter appeared in the standard as a result of the input of this group. Look at this part of the charter:

"Although it is possible for Relying Parties to open a popup window for the user to authenticate at the OpenID Provider using the Provider's default user interface, the overall user experience can be optimized if the OP was aware that its UI was running within a popup. For instance, an OP may want to resize the popup browser window when using the popup interface, but would probably not want to resize the full browser window when using the default redirect interface. Another optimization is that the OP can close the popup, rather than return a negative assertion if the user chooses to cancel the authentication request."

So "consistent with", for me, means "to be aware of running within a popup window that my caller created".

I would expect the test to be adjusted to do so.

Authorization Code Reuse Test Partial Result

When running the authorization code reuse tests (both the immediate and thirty-second delay tests) a PARTIAL RESULT message (with associated question mark on status bubble) is shown, despite a conformant 403 Access Denied response with error invalid_grant, as is consistent with the OAuth 2.0 specification. [RFC 6749]

 invalid_grant
               The provided authorization grant (e.g., authorization
               code, resource owner credentials) or refresh token is
               invalid, expired, revoked, does not match the redirection
               URI used in the authorization request, or was issued to
               another client.

These tests return green in the old testing environment, as I would expect.

Old:

code_authcode_reuse_good

New:

code_authcode_reuse

Copy the testing profiles from old-op to new-op

As discussed on today's call, we need to copy the testing profiles created on old-op to new-op before we switch the domain names to make new-op the default. Can you do that, Roland? Thanks.

port assignment for new registrations fails

There seems to be a problem with the port assignment of new registrations:

Now about the tool: I think we are having some (concurrency?) issues in
the new version! I just registered a new test instance. This was the
success message:

Your test instance "https://auth.freedom-id.de:basic-autoreg" has been
start as https://op.certification.openid.net:60001

However, that port is bringing me to the test instance of another issuer
which is not mine (idam.metrosystems.net). Could you please double check
what is going on?

I guess it is always going to take 60001 for new registrations?

(PS: I've manually fixed this for the tester using port 61011)

Bug in the test OP-request_uri-Unsigned

When running said test case with client auto registration enabled, the test tool registers a client but apparently does NOT provide a request_uri in the client profile. My server thus does not enforce the request_uri in the auth request.

In any case: Whatever the reason for the server not enforcing the request_uri parameter, I am passing the test by simply ignoring the request_uri parameter in the auth request. The implementation is thus not effective.

What about not providing all parameters in the auth request and expecting the auth endpoint to dig them from request_uri (and verify for it)?

include or remove fedoidc dependency

Right now oidctest depends on fedoidc:

Installed /usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg
Processing dependencies for oidctest==0.7.0
Searching for fedoidc
Reading https://pypi.python.org/simple/fedoidc/
Couldn't find index page for 'fedoidc' (maybe misspelled?)
Scanning index of all packages (this may take a while)
Reading https://pypi.python.org/simple/
No local packages or download links found for fedoidc
error: Could not find suitable distribution for Requirement.parse('fedoidc')

So, either the oidc-certification repository needs to fork fedoidc too or it needs to be separated out.

Types for claims returned not being checked

We are not flagging it when claims are returned with the wrong JSON types. For instance, the Mvine results returned "middle_name": null - which isn't a string as required and "updated_at": "20170328081544Z" - when a number is required. These results currently are PASSED whereas they should be FAILED.

We should also be issuing WARNINGs when empty strings are returned as claim values - such as "middle_name": "".
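A sketch of the type check this issue asks for, as an added example (not oidctest's own code): it maps each standard claim to the JSON type OpenID Connect Core 1.0 section 5.1 gives it, reports FAILED for a wrong type and WARNING for an empty string. The function names are hypothetical and the sample responses are constructed around the values quoted in the issue.

```python
import numbers

# JSON types of the standard claims, per OpenID Connect Core 1.0 section 5.1.
STRING_CLAIMS = {
    "sub", "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "email", "gender",
    "birthdate", "zoneinfo", "locale", "phone_number",
}
BOOLEAN_CLAIMS = {"email_verified", "phone_number_verified"}
NUMBER_CLAIMS = {"updated_at"}
OBJECT_CLAIMS = {"address"}
ADDRESS_MEMBERS = {"formatted", "street_address", "locality", "region",
                   "postal_code", "country"}


def json_type(value):
    """Name the JSON type of a decoded value (bool is checked before number,
    because Python's bool is a subclass of int)."""
    if value is None:
        return "null"
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, numbers.Number):
        return "number"
    if isinstance(value, str):
        return "string"
    if isinstance(value, dict):
        return "object"
    if isinstance(value, list):
        return "array"
    return type(value).__name__


def expected_type(claim):
    """Return the required JSON type, or None for a non-standard claim."""
    for names, type_name in ((STRING_CLAIMS, "string"),
                             (BOOLEAN_CLAIMS, "boolean"),
                             (NUMBER_CLAIMS, "number"),
                             (OBJECT_CLAIMS, "object")):
        if claim in names:
            return type_name
    return None


def check_claim_types(claims, prefix=""):
    """Return a sorted list of (status, claim, message) findings."""
    findings = []
    for name, value in sorted(claims.items()):
        # Inside "address" every defined member is a string.
        if prefix:
            expected = "string" if name in ADDRESS_MEMBERS else None
        else:
            expected = expected_type(name)
        if expected is None:
            continue  # unknown claims are outside this check
        actual = json_type(value)
        if actual != expected:
            findings.append(("FAILED", prefix + name,
                             "expected {} but got {}".format(expected, actual)))
        elif expected == "string" and value == "":
            findings.append(("WARNING", prefix + name, "empty string"))
        elif expected == "object":
            findings.extend(check_claim_types(value, prefix=name + "."))
    return findings


def overall_status(findings):
    """Collapse findings into the result a test run would report."""
    statuses = {status for status, _, _ in findings}
    if "FAILED" in statuses:
        return "FAILED"
    return "WARNING" if "WARNING" in statuses else "PASSED"


# Constructed UserInfo responses using the values quoted in the issue.
SAMPLE_WRONG_TYPES = {"sub": "user-1", "middle_name": None,
                      "updated_at": "20170328081544Z"}
SAMPLE_EMPTY_STRING = {"sub": "user-1", "middle_name": "",
                       "updated_at": 1490688944, "email_verified": True}

if __name__ == "__main__":
    for sample in (SAMPLE_WRONG_TYPES, SAMPLE_EMPTY_STRING):
        result = check_claim_types(sample)
        print(overall_status(result), result)
```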

new-op OP-nonce-NoReq-noncode should provide intermediate screen like other "reject" tests

From: Jaromir Talir [mailto:[email protected]]
Sent: Thursday, May 25, 2017 9:16 AM
To: Mike Jones [email protected]
Cc: 'Roland Hedberg' [email protected]; Hans Zandbelt [email protected]
Subject: Re: Testing https://new-op.certification.openid.net:60000/

...

  • test OP-nonce-NoReq-noncode should probably provide intermediate screen like other "reject" tests i.e. OP-redirect_uri-Missing. In this state it only displays error message on provider side but there is no way how to "mark" this test as completed.

OP-nonce-NoReq-noncode in code+token

While it is clear that nonce is required for I, IT, CI and CIT, for CT this is debatable since no ID Token is returned from the authorization endpoint.

After a little digging it looks like the debate was already had in connect/issues/972.

We should enable this test for CT.

links for mod_auth_openidc on the RP test pages are outdated and return HTTP 500

The RP test documentation at http://openid.net/certification/rp_testing/ lists links that result in errors.
Clicking:
https://rp.certification.openid.net:8080/mod_auth_openidc/rp-response_type-code
And then selecting the "code" profile will take you to https://rp.certification.openid.net:8080/mod_auth_openidc/list?profile=C
which will result in the following error in the browser:

500 Internal Server Error

The server encountered an unexpected condition which prevented it from fulfilling the request.

Traceback (most recent call last):
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cprequest.py", line 642, in respond
    self.get_resource(path_info)
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cprequest.py", line 760, in get_resource
    dispatch(path)
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cpdispatch.py", line 294, in __call__
    func, vpath = self.find_handler(path_info)
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cpdispatch.py", line 357, in find_handler
    subnode = dispatch(vpath=iternames)
  File "/usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg/oidctest/cp/op.py", line 376, in _cp_dispatch
    self.flows[test_id]
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.0-py3.5.egg/otest/flow.py", line 79, in __getitem__
    fp = open(fname, 'r')
FileNotFoundError: [Errno 2] No such file or directory: '/home/oictest/oidf/oidc_cp_rplib/flows/list.json'

It looks like doing the same for more recent clients still works i.e. doesn't take you to a non-existing mod_auth_openidc/list?profile=C page but to list?profile=C.

Perhaps the code changed and this client registration is obsolete?

cannot delete OP test instance

Deleting a registered instance from the OP test suite results in:

Traceback (most recent call last):
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/lib/encoding.py", line 220, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cpdispatch.py", line 60, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/tt/action.py", line 147, in index
    return self.delete(iss, tag, ev)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/tt/action.py", line 244, in delete
    _key = self.app.assigned_ports(*uqp)
TypeError: 'AssignedPorts' object is not callable

'NoneType' object has no attribute 'status_code' with static configuration

When OPs use statically provided configuration values in the UI rather than service a Discovery document from the OP, errors seem to occur e.g. with OP-Response-Missing as below:

Test info
Profile: {'openid-configuration': 'no-config', 'response_type': 'code', 'crypto': 'none+encrypt', 'registration': 'static'}
Timestamp: 2017-05-24T11:14:14Z
Test description: Authorization request missing the response_type parameter [Basic, Implicit, Hybrid]
Test ID: OP-Response-Missing
Issuer: https://win10-vm-cf.technodat.at/oidc
________________________________________
Test output

__AuthorizationRequest:pre__
[check-response-type]
        status: OK
        description: Checks that the asked for response type are among the supported
[check-endpoint]
        status: OK
        description: Checks that the necessary endpoint exists at a server
__After completing the test flow:__
[-]
        status: ERROR
        info: 'NoneType' object has no attribute 'status_code'
________________________________________
Trace output

2.002024 ------------ AuthorizationRequest ------------
2.003602 --> URL: https://win10-vm-cf.technodat.at/oidc/authorize?scope=openid&state=9FpbVzG9BAbcYl1j&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A61016%2Fauthz_cb&client_id=49152
2.003610 --> BODY: None
2.187588 <-- error=invalid_request&error_description=Required%20Parameter%20%22response_type%22%20not%20supplied.
2.188559 AuthorizationErrorResponse: {
  "error": "invalid_request",
  "error_description": "Required Parameter \"response_type\" not supplied."
}
2.188842 ==== END ====
2.192292 [ERROR] AttributeError:'NoneType' object has no attribute 'status_code'
________________________________________
Result
PARTIAL RESULT

OP-Response-form_post fails silently for response_type id_token

See below. This is only for response_type=id_token; response_type=id_token token works for the tester. @rohe: can you tell what is off here? I do believe the tester should get some feedback in the log.

2017-08-09 10:33:13,625 oidctest.optt:INFO ent:82.74.246.215, vpath: ['OP-Response-form_post']
2017-08-09 10:33:13,627 oic.utils.keyio:DEBUG loading keys for issuer: https://203.94.95.140:9443/oauth2/token
2017-08-09 10:33:13,627 oic.utils.keyio:DEBUG pcr: {'issuer': 'https://203.94.95.140:9443/oauth2/token', 'scopes_supported': ['openid', 'address', 'email', 'phone', 'profile'], 'id_token_encryption_alg_values_supported': ['RS256'], 'response_types_supported': ['code'], 'authorization_endpoint': 'https://203.94.95.140:9443/oauth2/authorize', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic'], 'grant_types_supported': ['authorization_code', 'refresh_token'], 'jwks_uri': 'https://203.94.95.140:9443/oauth2/jwks', 'userinfo_endpoint': 'https://203.94.95.140:9443/oauth2/userinfo', 'acr_values_supported': ['urn:mace:incommon:iap:silver'], 'token_endpoint': 'https://203.94.95.140:9443/oauth2/token', 'subject_types_supported': ['public'], 'id_token_signing_alg_values_supported': ['RS256']}
2017-08-09 10:33:13,627 oidctest.session:INFO session_setup
2017-08-09 10:33:13,627 otest.aus.tool:INFO <=<=<=<=< OP-Response-form_post >=>=>=>=>
2017-08-09 10:33:13,627 otest.aus.tool:INFO <--<-- 0 --- Webfinger -->-->
2017-08-09 10:33:13,628 otest.aus.tool:INFO <--<-- 1 --- Discovery -->-->
2017-08-09 10:33:13,628 otest.aus.tool:INFO <--<-- 2 --- Registration -->-->
2017-08-09 10:33:13,628 otest.aus.tool:INFO <--<-- 3 --- AsyncAuthn -->-->
2017-08-09 10:33:13,629 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:10:33:13] "GET /OP-Response-form_post HTTP/1.1" 303 606 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 10:33:16,846 otest.aus.tool:INFO <--<-- 3 --- <class 'oidctest.op.oper.AsyncAuthn'>
2017-08-09 10:33:16,847 otest.aus.request:INFO Response: {'access_token': 'c57bfe2e-3612-32f1-80e5-2d28af0a0ddc', 'token_type': 'Bearer', 'expires_in': '3600', 'session_state': '389ff09d0114eef523f0d8b8a951eda0477d03e8a8bfd6fdef5afc8fc1cea39d.fE70k7HkHOqDpsw62-ycxw', 'state': 'jcyW6iK35WeZNL71', 'id_token': 'eyJ4NXQiOiJNalEwTXpNNU5qbGhOVEJtWmpsaU5EWmpNRFEyTlRRM01EUXhaVEJqWm1ZNU1ERmlNekUyTkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiT3UwSHFCZUNjOURSamh0SE8zWWtGZyIsInN1YiI6Ikhhc2luaSBEaWxhbmthIFdpdGhhcmFuYSIsImF1ZCI6WyI4Q0lNRHRpZE9VQ3hWZ3hoUW9IU1VPRXpPVjRhIl0sImF6cCI6IjhDSU1EdGlkT1VDeFZneGhRb0hTVU9Fek9WNGEiLCJhdXRoX3RpbWUiOjE1MDIyODkxOTMsImlzcyI6Imh0dHBzOlwvXC8yMDMuOTQuOTUuMTQwOjk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE1MDIyOTI3OTYsIm5vbmNlIjoiVUM3OHBGRnF6VU9aR1J2TCIsImlhdCI6MTUwMjI4OTE5Nn0.ij_CVIsKiQlCpsMDeimg9S34goKFnWPdxBAOsKEEi3ZzsqL3HKadBrDNdQUCSr2oZR11gKSdE0I24dASln2n09e_FP7HpoR6pJmfm8-RarBd5teqG-HMGqMTKNC3agX4rmBLtrWUPz-sGRsRz9kkrt8CaAMoahSwE0eASqRKD4zoKPiuDhd9zOfzUsswXqWtdMYSf7V-CuC9sUfOOoCRHHKS5jfrWGVmqLYrFZCtjxriL7rcmunNxbOZskvFmQO1uTxdMG6JIpwv6yKuA4lLYMq1YADRcTc3ho6Hd2VnDWZylThq8kFNhbCu3WPMsexU4d77rEaZJF6GGkYGK6w6fw'}
2017-08-09 10:33:16,847 oic.oauth2:DEBUG Initial response parsing => "{'access_token': '<REDACTED>', 'token_type': 'Bearer', 'expires_in': '3600', 'session_state': '389ff09d0114eef523f0d8b8a951eda0477d03e8a8bfd6fdef5afc8fc1cea39d.fE70k7HkHOqDpsw62-ycxw', 'state': 'jcyW6iK35WeZNL71', 'id_token': 'eyJ4NXQiOiJNalEwTXpNNU5qbGhOVEJtWmpsaU5EWmpNRFEyTlRRM01EUXhaVEJqWm1ZNU1ERmlNekUyTkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiT3UwSHFCZUNjOURSamh0SE8zWWtGZyIsInN1YiI6Ikhhc2luaSBEaWxhbmthIFdpdGhhcmFuYSIsImF1ZCI6WyI4Q0lNRHRpZE9VQ3hWZ3hoUW9IU1VPRXpPVjRhIl0sImF6cCI6IjhDSU1EdGlkT1VDeFZneGhRb0hTVU9Fek9WNGEiLCJhdXRoX3RpbWUiOjE1MDIyODkxOTMsImlzcyI6Imh0dHBzOlwvXC8yMDMuOTQuOTUuMTQwOjk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE1MDIyOTI3OTYsIm5vbmNlIjoiVUM3OHBGRnF6VU9aR1J2TCIsImlhdCI6MTUwMjI4OTE5Nn0.ij_CVIsKiQlCpsMDeimg9S34goKFnWPdxBAOsKEEi3ZzsqL3HKadBrDNdQUCSr2oZR11gKSdE0I24dASln2n09e_FP7HpoR6pJmfm8-RarBd5teqG-HMGqMTKNC3agX4rmBLtrWUPz-sGRsRz9kkrt8CaAMoahSwE0eASqRKD4zoKPiuDhd9zOfzUsswXqWtdMYSf7V-CuC9sUfOOoCRHHKS5jfrWGVmqLYrFZCtjxriL7rcmunNxbOZskvFmQO1uTxdMG6JIpwv6yKuA4lLYMq1YADRcTc3ho6Hd2VnDWZylThq8kFNhbCu3WPMsexU4d77rEaZJF6GGkYGK6w6fw'}"
2017-08-09 10:33:16,847 oic.oauth2:DEBUG Verify response with {'client_id': '8CIMDtidOUCxVgxhQoHSUOEzOV4a', 'iss': 'https://203.94.95.140:9443/oauth2/token', 'keyjar': <KeyJar(issuers=['', 'https://203.94.95.140:9443/oauth2/token'])>}
2017-08-09 10:33:16,848 oic.oauth2.message:DEBUG Raw JSON: {'aud': ['8CIMDtidOUCxVgxhQoHSUOEzOV4a'], 'at_hash': 'Ou0HqBeCc9DRjhtHO3YkFg', 'auth_time': 1502289193, 'exp': 1502292796, 'nonce': 'UC78pFFqzUOZGRvL', 'azp': '8CIMDtidOUCxVgxhQoHSUOEzOV4a', 'iss': 'https://203.94.95.140:9443/oauth2/token', 'iat': 1502289196, 'sub': 'Hasini Dilanka Witharana'}
2017-08-09 10:33:16,848 oic.oauth2.message:DEBUG JWS header: {'alg': 'RS256', 'kid': 'd0ec514a32b6f88c0abd12a2840699bdd3deba9d', 'x5t': 'MjQ0MzM5NjlhNTBmZjliNDZjMDQ2NTQ3MDQxZTBjZmY5MDFiMzE2NA'}
2017-08-09 10:33:16,848 root:DEBUG KeyBundle fetch keys from: https://203.94.95.140:9443/oauth2/jwks
2017-08-09 10:33:16,850 requests.packages.urllib3.connectionpool:INFO Starting new HTTPS connection (1): 203.94.95.140
2017-08-09 10:33:17,863 requests.packages.urllib3.connectionpool:DEBUG "GET /oauth2/jwks HTTP/1.1" 200 460
2017-08-09 10:33:17,864 oic.utils.keyio:DEBUG Loaded JWKS: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"d0ec514a32b6f88c0abd12a2840699bdd3deba9d","alg":"RS256","n":"ALvJXywkFdoW4s_DhgPG2iiNRNXIBP0Cynn2uDndhtinsbWgMEhEq-SAmpFV_MOrVOfiISmEECrfVN_1NGnvbV39OIOolodHUZZbK_ZjoI0mcUCtPf8oFLBR_LMi-Wg94XkVGMyVmfyjrHeewV7iNkGZ7hIzdINPuYzb57MH8A_7TNNbaLWiaSN8TftiWbGgUQnNBucgP6XVvNwGuCBN9BC-e8JCu7vGA5d1E3Jovhzu-F0JitVRKkpwPv5haNzNenEZZtj02dmdROYHeI_ubFdT-b-t7qshZ4hFNMz136KwW9OqYEgaCEUAYp7Ukg8hJsrlc1tKXNnmAuQ4X4JN9-0"}]} from https://203.94.95.140:9443/oauth2/jwks
2017-08-09 10:33:17,864 oic.utils.keyio:DEBUG Loaded JWKS: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"d0ec514a32b6f88c0abd12a2840699bdd3deba9d","alg":"RS256","n":"ALvJXywkFdoW4s_DhgPG2iiNRNXIBP0Cynn2uDndhtinsbWgMEhEq-SAmpFV_MOrVOfiISmEECrfVN_1NGnvbV39OIOolodHUZZbK_ZjoI0mcUCtPf8oFLBR_LMi-Wg94XkVGMyVmfyjrHeewV7iNkGZ7hIzdINPuYzb57MH8A_7TNNbaLWiaSN8TftiWbGgUQnNBucgP6XVvNwGuCBN9BC-e8JCu7vGA5d1E3Jovhzu-F0JitVRKkpwPv5haNzNenEZZtj02dmdROYHeI_ubFdT-b-t7qshZ4hFNMz136KwW9OqYEgaCEUAYp7Ukg8hJsrlc1tKXNnmAuQ4X4JN9-0"}]} from https://203.94.95.140:9443/oauth2/jwks
2017-08-09 10:33:17,865 oic.oauth2.message:DEBUG Key set summary for https://203.94.95.140:9443/oauth2/token: RSA:sig:d0ec514a32b6f88c0abd12a2840699bdd3deba9d
2017-08-09 10:33:17,865 oic.utils.keyio:DEBUG Issuer '8CIMDtidOUCxVgxhQoHSUOEzOV4a' not found, available key issuers: ['', 'https://203.94.95.140:9443/oauth2/token']
2017-08-09 10:33:17,865 oic.oauth2.message:DEBUG Key set summary for 8CIMDtidOUCxVgxhQoHSUOEzOV4a: 
2017-08-09 10:33:17,865 oic.oauth2.message:DEBUG Found signing key.
2017-08-09 10:33:17,865 jwkest.jws:DEBUG Picking key by key type=RSA
2017-08-09 10:33:17,866 jwkest.jws:DEBUG Picking key based on alg=RS256, kid=d0ec514a32b6f88c0abd12a2840699bdd3deba9d and use=
2017-08-09 10:33:17,866 jwkest.jws:DEBUG Picked: kid:G91Zi19W7Lwa0rGu570gwP_rWfJTBUaWsghWEVEvdVs, use:sig, kty:RSA
2017-08-09 10:33:17,866 jwkest.jws:DEBUG Picked: kid:d0ec514a32b6f88c0abd12a2840699bdd3deba9d, use:sig, kty:RSA
2017-08-09 10:33:17,867 jwkest.jws:DEBUG Verified message using key with kid=d0ec514a32b6f88c0abd12a2840699bdd3deba9d
2017-08-09 10:33:17,867 otest.aus.request:INFO Parsed response: {'access_token': 'c57bfe2e-3612-32f1-80e5-2d28af0a0ddc', 'token_type': 'Bearer', 'expires_in': '3600', 'session_state': '389ff09d0114eef523f0d8b8a951eda0477d03e8a8bfd6fdef5afc8fc1cea39d.fE70k7HkHOqDpsw62-ycxw', 'state': 'jcyW6iK35WeZNL71', 'id_token': {'sub': 'Hasini Dilanka Witharana', 'aud': ['8CIMDtidOUCxVgxhQoHSUOEzOV4a'], 'auth_time': 1502289193, 'iat': 1502289196, 'iss': 'https://203.94.95.140:9443/oauth2/token', 'nonce': 'UC78pFFqzUOZGRvL', 'at_hash': 'Ou0HqBeCc9DRjhtHO3YkFg', 'exp': 1502292796, 'azp': '8CIMDtidOUCxVgxhQoHSUOEzOV4a'}}
2017-08-09 10:33:17,867 otest.aus.tool:INFO <=<=<=<=< OP-Response-form_post >=>=>=>=>
2017-08-09 10:33:17,868 otest.aus.tool:INFO <--<-- 4 --- Done -->-->
2017-08-09 10:33:17,868 otest.verify:DEBUG do_check(verify-authn-response, {})
2017-08-09 10:33:17,870 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:10:33:17] "POST /authz_cb HTTP/1.1" 303 162 "https://203.94.95.140:9443/oauth2/authorize" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 10:33:18,050 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:10:33:18] "GET /display HTTP/1.1" 200 17086 "https://203.94.95.140:9443/oauth2/authorize" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 10:35:13,729 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:10:35:13] "GET /display HTTP/1.1" 200 17086 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:16:23,199 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /display HTTP/1.1" 200 17086 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:23,422 oidctest.optt:INFO ent:91.52.58.60, vpath: ['static', 'bootstrap', 'css', 'bootstrap.min.css']
2017-08-09 11:16:23,422 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:16:23] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/css/bootstrap.min.css' to fulfill '/static/bootstrap/css/bootstrap.min.css'
2017-08-09 11:16:23,423 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /static/bootstrap/css/bootstrap.min.css HTTP/1.1" 200 121200 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:23,643 oidctest.optt:INFO ent:91.52.58.60, vpath: ['static', 'theme.css']
2017-08-09 11:16:23,644 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:16:23] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/theme.css' to fulfill '/static/theme.css'
2017-08-09 11:16:23,644 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /static/theme.css HTTP/1.1" 200 11 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:23,761 oidctest.optt:INFO ent:91.52.58.60, vpath: ['static', 'bootstrap', 'js', 'bootstrap.min.js']
2017-08-09 11:16:23,761 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:16:23] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/js/bootstrap.min.js' to fulfill '/static/bootstrap/js/bootstrap.min.js'
2017-08-09 11:16:23,762 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /static/bootstrap/js/bootstrap.min.js HTTP/1.1" 200 37045 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:23,762 oidctest.optt:INFO ent:91.52.58.60, vpath: ['static', 'logo.png']
2017-08-09 11:16:23,763 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:16:23] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/logo.png' to fulfill '/static/logo.png'
2017-08-09 11:16:23,763 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /static/logo.png HTTP/1.1" 200 8530 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:23,878 oidctest.optt:INFO ent:91.52.58.60, vpath: ['static', 'bootstrap', 'fonts', 'glyphicons-halflings-regular.woff2']
2017-08-09 11:16:23,879 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:16:23] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/fonts/glyphicons-halflings-regular.woff2' to fulfill '/static/bootstrap/fonts/glyphicons-halflings-regular.woff2'
2017-08-09 11:16:23,879 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:23] "GET /static/bootstrap/fonts/glyphicons-halflings-regular.woff2 HTTP/1.1" 200 18028 "https://op.certification.openid.net:60024/static/bootstrap/css/bootstrap.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:24,051 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:24] "GET /favicon.ico HTTP/1.1" 200 1406 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:16:26,606 cherrypy.access.140289559842376:INFO 91.52.58.60 - - [09/Aug/2017:11:16:26] "GET /test_info/OP-Response-form_post HTTP/1.1" 200 9678 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:44:23,988 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:44:23] "GET /display HTTP/1.1" 200 17086 "" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-A520F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
2017-08-09 11:44:24,559 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'bootstrap', 'css', 'bootstrap.min.css']
2017-08-09 11:44:24,560 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:44:24] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/css/bootstrap.min.css' to fulfill '/static/bootstrap/css/bootstrap.min.css'
2017-08-09 11:44:24,561 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:44:24] "GET /static/bootstrap/css/bootstrap.min.css HTTP/1.1" 200 121200 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-A520F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
2017-08-09 11:44:24,827 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'theme.css']
2017-08-09 11:44:24,827 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:44:24] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/theme.css' to fulfill '/static/theme.css'
2017-08-09 11:44:24,828 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:44:24] "GET /static/theme.css HTTP/1.1" 200 11 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-A520F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
2017-08-09 11:44:25,098 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'bootstrap', 'js', 'bootstrap.min.js']
2017-08-09 11:44:25,098 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:44:25] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/js/bootstrap.min.js' to fulfill '/static/bootstrap/js/bootstrap.min.js'
2017-08-09 11:44:25,099 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:44:25] "GET /static/bootstrap/js/bootstrap.min.js HTTP/1.1" 200 37045 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-A520F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
2017-08-09 11:44:25,104 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'logo.png']
2017-08-09 11:44:25,104 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:44:25] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/logo.png' to fulfill '/static/logo.png'
2017-08-09 11:44:25,105 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:44:25] "GET /static/logo.png HTTP/1.1" 200 8530 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-A520F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/5.4 Chrome/51.0.2704.106 Mobile Safari/537.36"
2017-08-09 11:51:27,729 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:27] "GET /display HTTP/1.1" 200 17086 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:28,252 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'bootstrap', 'css', 'bootstrap.min.css']
2017-08-09 11:51:28,253 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:51:28] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/css/bootstrap.min.css' to fulfill '/static/bootstrap/css/bootstrap.min.css'
2017-08-09 11:51:28,253 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:28] "GET /static/bootstrap/css/bootstrap.min.css HTTP/1.1" 200 121200 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:28,258 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'theme.css']
2017-08-09 11:51:28,258 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:51:28] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/theme.css' to fulfill '/static/theme.css'
2017-08-09 11:51:28,259 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:28] "GET /static/theme.css HTTP/1.1" 200 11 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:28,519 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'bootstrap', 'js', 'bootstrap.min.js']
2017-08-09 11:51:28,520 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:51:28] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/js/bootstrap.min.js' to fulfill '/static/bootstrap/js/bootstrap.min.js'
2017-08-09 11:51:28,521 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:28] "GET /static/bootstrap/js/bootstrap.min.js HTTP/1.1" 200 37045 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:29,033 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'logo.png']
2017-08-09 11:51:29,033 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:51:29] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/logo.png' to fulfill '/static/logo.png'
2017-08-09 11:51:29,034 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:29] "GET /static/logo.png HTTP/1.1" 200 8530 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:29,082 oidctest.optt:INFO ent:124.43.88.66, vpath: ['static', 'bootstrap', 'fonts', 'glyphicons-halflings-regular.woff2']
2017-08-09 11:51:29,083 cherrypy.error.140289559842376:INFO [09/Aug/2017:11:51:29] TOOLS.STATICDIR Checking file '/usr/local/oidf/oidc_op/static/bootstrap/fonts/glyphicons-halflings-regular.woff2' to fulfill '/static/bootstrap/fonts/glyphicons-halflings-regular.woff2'
2017-08-09 11:51:29,083 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:29] "GET /static/bootstrap/fonts/glyphicons-halflings-regular.woff2 HTTP/1.1" 200 18028 "https://op.certification.openid.net:60024/static/bootstrap/css/bootstrap.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:51:29,701 cherrypy.access.140289559842376:INFO 124.43.88.66 - - [09/Aug/2017:11:51:29] "GET /favicon.ico HTTP/1.1" 200 1406 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
2017-08-09 11:58:46,939 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:58:46] "GET /display HTTP/1.1" 200 17086 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:58:52,522 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:58:52] "GET /pedit HTTP/1.1" 200 3424 "https://op.certification.openid.net:60024/display" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:58:55,751 oidctest.tt.rest:INFO Read config: iss="https://203.94.95.140:9443/oauth2/token", tag="OIDC_BASIC"
2017-08-09 11:58:55,751 oidctest.tt.rest:INFO Store config: iss="https://203.94.95.140:9443/oauth2/token", tag="OIDC_BASIC", info={'provider_info': {'issuer': 'https://203.94.95.140:9443/oauth2/token', 'scopes_supported': ['openid', 'address', 'email', 'phone', 'profile'], 'id_token_encryption_alg_values_supported': ['RS256'], 'response_types_supported': ['code'], 'authorization_endpoint': 'https://203.94.95.140:9443/oauth2/authorize', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic'], 'grant_types_supported': ['authorization_code', 'refresh_token'], 'jwks_uri': 'https://203.94.95.140:9443/oauth2/jwks', 'userinfo_endpoint': 'https://203.94.95.140:9443/oauth2/userinfo', 'acr_values_supported': ['urn:mace:incommon:iap:silver'], 'token_endpoint': 'https://203.94.95.140:9443/oauth2/token', 'subject_types_supported': ['public'], 'id_token_signing_alg_values_supported': ['RS256']}, 'tool': {'profile': 'I.F.F.F', 'tag': 'OIDC_BASIC', 'issuer': 'https://203.94.95.140:9443/oauth2/token', 'insecure': True}, 'registration_response': {'client_secret': 'GmgjpPfv6t7OjVCZczZPe6Lz2JUa', 'id_token_encrypted_response_alg': 'RS256', 'id_token_signed_response_alg': 'RS256', 'redirect_uris': ['https://op.certification.openid.net:60024/authz_cb'], 'client_id': '8CIMDtidOUCxVgxhQoHSUOEzOV4a'}}
2017-08-09 11:58:55,751 oidctest.tt.rest:INFO Write configuration file: entities/https%3A%2F%2F203.94.95.140%3A9443%2Foauth2%2Ftoken/OIDC_BASIC
2017-08-09 11:58:55,764 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:58:55] "POST /profile HTTP/1.1" 201 14222 "https://op.certification.openid.net:60024/pedit" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:59:00,926 oidctest.optt:INFO ent:82.74.246.215, vpath: ['OP-Response-form_post']
2017-08-09 11:59:00,928 oic.utils.keyio:DEBUG loading keys for issuer: https://203.94.95.140:9443/oauth2/token
2017-08-09 11:59:00,928 oic.utils.keyio:DEBUG pcr: {'issuer': 'https://203.94.95.140:9443/oauth2/token', 'scopes_supported': ['openid', 'address', 'email', 'phone', 'profile'], 'id_token_encryption_alg_values_supported': ['RS256'], 'response_types_supported': ['code'], 'authorization_endpoint': 'https://203.94.95.140:9443/oauth2/authorize', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic'], 'grant_types_supported': ['authorization_code', 'refresh_token'], 'jwks_uri': 'https://203.94.95.140:9443/oauth2/jwks', 'userinfo_endpoint': 'https://203.94.95.140:9443/oauth2/userinfo', 'acr_values_supported': ['urn:mace:incommon:iap:silver'], 'token_endpoint': 'https://203.94.95.140:9443/oauth2/token', 'subject_types_supported': ['public'], 'id_token_signing_alg_values_supported': ['RS256']}
2017-08-09 11:59:00,928 oidctest.session:INFO session_setup
2017-08-09 11:59:00,929 otest.aus.tool:INFO <=<=<=<=< OP-Response-form_post >=>=>=>=>
2017-08-09 11:59:00,929 otest.aus.tool:INFO <--<-- 0 --- Webfinger -->-->
2017-08-09 11:59:00,929 otest.aus.tool:INFO <--<-- 1 --- Discovery -->-->
2017-08-09 11:59:00,929 otest.aus.tool:INFO <--<-- 2 --- Registration -->-->
2017-08-09 11:59:00,930 otest.aus.tool:INFO <--<-- 3 --- AsyncAuthn -->-->
2017-08-09 11:59:00,931 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:59:00] "GET /OP-Response-form_post HTTP/1.1" 303 594 "https://op.certification.openid.net:60024/profile" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:59:10,207 otest.aus.tool:INFO <--<-- 3 --- <class 'oidctest.op.oper.AsyncAuthn'>
2017-08-09 11:59:10,207 otest.aus.request:INFO Response: {}
2017-08-09 11:59:10,207 oic.oauth2:DEBUG Initial response parsing => "{}"
2017-08-09 11:59:10,207 oic.oauth2:ERROR Missing or faulty response
2017-08-09 11:59:10,208 otest.handling:ERROR [run_sequence] ExcList: Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/aus/request.py", line 322, in parse_response
    keyjar=_conv.entity.keyjar  # , algs=algs
  File "/usr/local/lib/python3.5/dist-packages/oic-0.10.0.0-py3.5.egg/oic/oauth2/__init__.py", line 581, in parse_response
    raise ResponseError("Missing or faulty response")
oic.oauth2.exception.ResponseError: Missing or faulty response

2017-08-09 11:59:10,208 otest.handling:ERROR [run_sequence] Exception: Missing or faulty response
2017-08-09 11:59:10,211 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:59:10] "GET /authz_cb HTTP/1.1" 200 14222 "https://203.94.95.140:9443/authenticationendpoint/oauth2_consent.do?loggedInUser=Hasini+Dilanka+Witharana&application=oidc_test&scope=openid&sessionDataKeyConsent=f9ee3db0-62e1-4be6-b9e5-09b4a5bfb932&spQueryParams=state%3DWP20Ou6H43VC7zX5%26redirect_uri%3Dhttps%253A%252F%252Fop.certification.openid.net%253A60024%252Fauthz_cb%26client_id%3D8CIMDtidOUCxVgxhQoHSUOEzOV4a%26response_type%3Did_token%26nonce%3DrUaX2l3RoHz9Zifq%26response_mode%3Dform_post%26scope%3Dopenid" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"

incidental 500 on Discovery

Sometimes the RP test suite is stalled and only returns HTTP 500 on Discovery document requests, e.g.:

Message: '86.110.65.8 - - [09/May/2017:08:21:45] "GET /mod_auth_openidc/rp-nonce-unless-code-flow/.well-known/openid-configuration HTTP/1.1" 500 1967 "" "mod_auth_openidc"'
Arguments: ()
--- Logging error ---
Traceback (most recent call last):
  File "/usr/lib/python3.5/logging/__init__.py", line 983, in emit
    stream.write(self.terminator)
OSError: [Errno 5] Input/output error
Call stack:
  File "/usr/lib/python3.5/threading.py", line 882, in _bootstrap
    self._bootstrap_inner()
  File "/usr/lib/python3.5/threading.py", line 914, in _bootstrap_inner
    self.run()
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/wsgiserver/__init__.py", line 1594, in run
    conn.communicate()
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/wsgiserver/__init__.py", line 1408, in communicate
    req.respond()
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/wsgiserver/__init__.py", line 862, in respond
    self.server.gateway(self).respond()
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/wsgiserver/__init__.py", line 2335, in respond
    response = self.req.server.wsgi_app(self.env, self.start_response)
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cptree.py", line 287, in __call__
    return app(environ, start_response)
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cptree.py", line 153, in __call__
    return self.wsgiapp(environ, start_response)
  File "/home/oictest/.local/lib/python3.5/site-packages/cherrypy/_cpwsgi.py", line 450, in __call__
    return head(environ, start_response)

This requires a restart to make things operational again.

log/tar file creation fails

The new-op seems to have an issue with logfile download; it also shows weird issuer names that have been prefixed with "s_", see:
https://new-op.certification.openid.net:60016/log

Which may be the reason for not being able to find the log directory.

Trying to download a log archive results in HTTP 500.
On my docker instance I can reproduce this and the following error shows:

127.0.0.1 - - [10/Jun/2017:02:48:12] "GET /log/s_zmartzone.eu/id_token/I.F.T.F HTTP/1.1" 200 466 "https://localhost:60003/log/s_zmartzone.eu/id_token" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
[10/Jun/2017:02:48:14] HTTP 
Traceback (most recent call last):
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/lib/encoding.py", line 220, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cpdispatch.py", line 60, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/cp/log_handler.py", line 264, in index
    return self.create_rp_tar_archive(op_id, tag, profile)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/oidctest-0.7.0-py3.6.egg/oidctest/cp/log_handler.py", line 300, in create_rp_tar_archive
    raise cherrypy.HTTPError(400, b'No such directory')
cherrypy._cperror.HTTPError: (400, b'No such directory')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cprequest.py", line 678, in respond
    inst.set_response()
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cperror.py", line 405, in set_response
    message=self._message)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cperror.py", line 411, in get_error_page
    return get_error_page(*args, **kwargs)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cperror.py", line 505, in get_error_page
    kwargs[k] = escape_html(kwargs[k])
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/CherryPy-8.9.1-py3.6.egg/cherrypy/_cpcompat.py", line 350, in escape_html
    return escape(s, quote=escape_quote)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/html/__init__.py", line 19, in escape
    s = s.replace("&", "&amp;") # Must be done first!
TypeError: a bytes-like object is required, not 'str'
127.0.0.1 - - [10/Jun/2017:02:48:14] "GET /mktar/s_zmartzone.eu/id_token/I.F.T.F HTTP/1.1" 500 823 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"

at_hash has incorrect value rp-response_typeid_token+token

When I test using the public test server for id_token token, the at_hash value in the id_token does not match the at_hash calculated from the access_token.

TestData:

https://rp.certification.openid.net:8080/damienbod.id_token_token/rp-response_typeid_token+token

access_token
0ezwGz8LfaBpqjYineXUep6Aszx2GHplBoo%2BdaCzk1KLvMylFMe0SJ%2B7wgWg05GSU2CYeTJdsf%2Bo%2BhxRvJEadrrMveqyS7WvhDsqhtGFANUMl%2Fw%2Fvq4yEGmKsZx2uSvRVahFI3OtXEvRs5Jk%2B017IQ%3D%3D

id_token
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFUMzNNc2tCdjF5b0poZU5Ia0xtVTBfa25WZjliS1lVVkVMSm9ITzZ1TjgifQ.eyJzdWIiOiAiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsICJhY3IiOiAiUEFTU1dPUkQiLCAiYXVkIjogWyJ6OUM5bFhNTTlOb3AiXSwgImF0X2hhc2giOiAiZDV1UU1GdE5LMjNRekJnREQ5UkFLQSIsICJub25jZSI6ICJOMC43MTk0ODkzNTE2OTYxMjQzMTQ5Nzg2NzkwODc3NCIsICJpc3MiOiAiaHR0cHM6Ly9ycC5jZXJ0aWZpY2F0aW9uLm9wZW5pZC5uZXQ6ODA4MC9kYW1pZW5ib2QuaWRfdG9rZW4tdG9rZW4vcnAtc2NvcGUtdXNlcmluZm8tY2xhaW1zIiwgImV4cCI6IDE0OTc5NTQzMDgsICJhdXRoX3RpbWUiOiAxNDk3ODY3OTA4LCAiaWF0IjogMTQ5Nzg2NzkwOH0.TX46J6AzZT2on7A2F2DOLc5-ERP5CiPh5TYR4sutclGJmEJggnD1J6CUJaaOT1uYtWfTn3hIehneBJsgwFNTcf7E7Hh94pt0l67IsahlnLuqSVxykKsocPpyiCgoieRlypNo9Xy0UbZKf_IHL7jW2xW7V0MMZ4p2GHAgX22yDg3aMZJ-XPV7VHopG_Afbrri47pLEvSfqhMyLZtgHEZAYaF1O66zFq1-9x06pDAb5lWlPMsTjewK5_RPSdDzXl0OPftCawGm4n_Cv8WZzmv5ZqcJH07aZkJHZkvrSA8twkkxoPsbwdwC_gi2D2eZAx8_egIFqgKYU0xUxzT9_JrF8Q

{
"alg": "RS256",
"kid": "aT33MskBv1yoJheNHkLmU0_knVf9bKYUVELJoHO6uN8"
}

"at_hash": "d5uQMFtNK23QzBgDD9RAKA",


access_token data hash : NAynNl-G8Gmg9OltA0f55A
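How a relying party derives and checks `at_hash` under OpenID Connect Core: hash the ASCII access token with the hash function of the ID Token's `alg`, keep the left half, and base64url-encode it without padding. This is an added example, not code from the issue or from oidctest; it hashes the access token from the report both as posted (percent-encoded) and percent-decoded, on the assumption that either form may be the one the OP hashed, since the page does not say.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# Values copied from the issue above.
ACCESS_TOKEN_AS_POSTED = (
    "0ezwGz8LfaBpqjYineXUep6Aszx2GHplBoo%2BdaCzk1KLvMylFMe0SJ%2B7wgWg05GS"
    "U2CYeTJdsf%2Bo%2BhxRvJEadrrMveqyS7WvhDsqhtGFANUMl%2Fw%2Fvq4yEGmKsZx2"
    "uSvRVahFI3OtXEvRs5Jk%2B017IQ%3D%3D"
)
AT_HASH_CLAIM = "d5uQMFtNK23QzBgDD9RAKA"  # from the decoded id_token payload
ID_TOKEN_ALG = "RS256"                    # from the decoded id_token header

# The hash is chosen by the numeric suffix of the JWS alg (RS256 -> SHA-256).
_HASH_BY_SUFFIX = {
    "256": hashlib.sha256,
    "384": hashlib.sha384,
    "512": hashlib.sha512,
}


def compute_at_hash(access_token, alg="RS256"):
    """Return the at_hash value for access_token under the given JWS alg."""
    try:
        hash_fn = _HASH_BY_SUFFIX[alg[-3:]]
    except KeyError:
        raise ValueError("no at_hash hash function defined for alg %r" % alg)
    digest = hash_fn(access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def at_hash_matches(access_token, claim, alg="RS256"):
    """Constant-time comparison of the computed at_hash with the claim."""
    return hmac.compare_digest(compute_at_hash(access_token, alg), claim)


def candidate_report(posted_token, claim, alg="RS256"):
    """Compute at_hash over each plausible form of the token and compare."""
    candidates = {
        "as posted (percent-encoded)": posted_token,
        "percent-decoded": unquote(posted_token),
    }
    return {
        label: {
            "at_hash": compute_at_hash(token, alg),
            "matches_claim": at_hash_matches(token, claim, alg),
        }
        for label, token in candidates.items()
    }


if __name__ == "__main__":
    report = candidate_report(ACCESS_TOKEN_AS_POSTED, AT_HASH_CLAIM, ID_TOKEN_ALG)
    for label, result in report.items():
        print(label, result["at_hash"], result["matches_claim"])
```

If neither form matches the claim, the next thing to compare is whether the id_token and the access_token come from the same authorization response.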

claims partial results, used to be green

Not sure what's changed,

  1. OP-claims-Combined:
    Error: expected status to be Green, but got "Yellow"
  2. OP-claims-IDToken:
    Error: expected status to be Green, but got "Yellow"
  3. OP-claims-Split:
    Error: expected status to be Green, but got "Yellow"
  4. OP-claims-acr-essential:
    Error: expected status to be Green, but got "Yellow"
  5. OP-claims-auth_time-essential:
    Error: expected status to be Green, but got "Yellow"
  6. OP-claims-essential:
    Error: expected status to be Green, but got "Yellow"
  7. OP-claims-essential+voluntary:
    Error: expected status to be Green, but got "Yellow"

Got these across all profiles just a few minutes ago. (oh and my test instance port changed to 60011)

Test Environment Maintains State Across Flows

In the old environment, when changing the flow the suite of tests was reset. The new test environment does not, and instead maintains state on whatever tests apply to both flows. This could possibly be misleading, and cause tests to not be run to completion.

For instance, switching from id_token token to code id_token token gives:

[Screenshot: openid_env_state]

with the ID Token tests which apply to both already showing green, despite not having been run for the latter.

behavior should be array?

I ran into an issue with the "behavior" element in the JSON test descriptions: they are strings but the operations on them assume arrays, as a lot of them look like

        if "iat" in self.behavior_type:  # missing iat claim

etc.

The self.behavior_type initialization suggests it is stored as an array (https://github.com/openid-certification/oidctest/blob/master/src/oidctest/rp/provider.py#L170) or even object (https://github.com/openid-certification/oidctest/blob/master/src/oidctest/rp/provider.py#L104) but at assignment time it makes it the type of whatever the test description value is set to (https://github.com/openid-certification/oidctest/blob/master/src/oidctest/cp/op_handler.py#L136)

            op.behavior_type = _tc["behavior"]
            op.server.behavior_type = _tc["behavior"]

Since the current tests define behavior as a string e.g.

  "behavior": "aud",

the behavior matching code will actually test for a substring in a string instead of a string in an array. That's dangerous as I named my behavior:

  "behavior": "initiate_login_uri",

which unexpectedly matches iat as well.


In summary, I believe all test descriptions should change to use an array as in:

  "behavior": [ "initiate_login_uri" ],

or else all code handling it would need to change to avoid future name clashes like the one I had.
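The substring clash described in the issue above, reproduced as an added example (not oidctest's own code): it coerces `behavior` to a list of exact names and reports every test description where the string-based `in` check fires although the exact name is absent. The test ids, the `CHECKED_TOKENS` tuple and the helper names are hypothetical; only the `behavior` values `aud`, `iat` and `initiate_login_uri` come from the issue.

```python
import json

# Constructed test descriptions in the shape the issue describes:
# "behavior" given as a plain string, plus one entry using the proposed list form.
TEST_DESCRIPTIONS_JSON = """
{
  "example-aud":        {"behavior": "aud"},
  "example-iat":        {"behavior": "iat"},
  "example-init-login": {"behavior": "initiate_login_uri"},
  "example-list-form":  {"behavior": ["initiate_login_uri"]}
}
"""

# Names that handler code tests for with `if "<name>" in self.behavior_type:`
# (hypothetical selection for this example).
CHECKED_TOKENS = ("iat", "aud")


def normalize_behavior(value):
    """Coerce a 'behavior' value to a list of exact behavior names."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, (list, tuple, set)):
        names = list(value)
        if not all(isinstance(name, str) for name in names):
            raise TypeError("behavior entries must be strings: %r" % (value,))
        return names
    raise TypeError("unsupported behavior type: %s" % type(value).__name__)


def legacy_match(token, raw_behavior):
    """The check as written today: `in` applied to whatever type was assigned."""
    return raw_behavior is not None and token in raw_behavior


def exact_match(token, raw_behavior):
    """Membership test against exact behavior names only."""
    return token in normalize_behavior(raw_behavior)


def find_substring_clashes(descriptions, tokens):
    """Return (test_id, behavior, token) where only the substring check fires."""
    clashes = []
    for test_id in sorted(descriptions):
        raw = descriptions[test_id].get("behavior")
        for token in tokens:
            if legacy_match(token, raw) and not exact_match(token, raw):
                clashes.append((test_id, raw, token))
    return clashes


def load_descriptions(text=TEST_DESCRIPTIONS_JSON):
    """Parse the embedded, constructed test descriptions."""
    return json.loads(text)


if __name__ == "__main__":
    for clash in find_substring_clashes(load_descriptions(), CHECKED_TOKENS):
        print("substring-only match:", clash)
```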

Gather contact e-mails to notify testers of status changes

As we discussed on today's call, we need to notify those testers that we can about the change to new-op. Can you please extract the e-mail addresses we have, Roland? I realize that this won't be a complete list.

Also, can you please gather the WebFinger e-mail addresses from the RP testing info? Many won't work, but we might as well try to contact the current RP testers too. If that's the best info we have about them, let's use it, even though it will be flawed. Thanks.

OP-scope-all fails silently for response_type id_token

See below. This is only for response_type=id_token; response_type=id_token token works for the tester. @rohe: can you tell what is off here? I do believe the tester should get some feedback in the log.

2017-08-09 11:59:26,835 oidctest.optt:INFO ent:82.74.246.215, vpath: ['OP-scope-All']
2017-08-09 11:59:26,837 oic.utils.keyio:DEBUG loading keys for issuer: https://203.94.95.140:9443/oauth2/token
2017-08-09 11:59:26,838 oic.utils.keyio:DEBUG pcr: {'issuer': 'https://203.94.95.140:9443/oauth2/token', 'scopes_supported': ['openid', 'address', 'email', 'phone', 'profile'], 'id_token_encryption_alg_values_supported': ['RS256'], 'response_types_supported': ['code'], 'authorization_endpoint': 'https://203.94.95.140:9443/oauth2/authorize', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic'], 'grant_types_supported': ['authorization_code', 'refresh_token'], 'jwks_uri': 'https://203.94.95.140:9443/oauth2/jwks', 'userinfo_endpoint': 'https://203.94.95.140:9443/oauth2/userinfo', 'acr_values_supported': ['urn:mace:incommon:iap:silver'], 'token_endpoint': 'https://203.94.95.140:9443/oauth2/token', 'subject_types_supported': ['public'], 'id_token_signing_alg_values_supported': ['RS256']}
2017-08-09 11:59:26,838 oidctest.session:INFO session_setup
2017-08-09 11:59:26,838 otest.aus.tool:INFO <=<=<=<=< OP-scope-All >=>=>=>=>
2017-08-09 11:59:26,838 otest.aus.tool:INFO <--<-- 0 --- Webfinger -->-->
2017-08-09 11:59:26,838 otest.aus.tool:INFO <--<-- 1 --- Discovery -->-->
2017-08-09 11:59:26,838 otest.aus.tool:INFO <--<-- 2 --- Registration -->-->
2017-08-09 11:59:26,839 otest.aus.tool:INFO <--<-- 3 --- AsyncAuthn -->-->
2017-08-09 11:59:26,840 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:59:26] "GET /OP-scope-All HTTP/1.1" 303 598 "https://op.certification.openid.net:60024/authz_cb" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:59:29,704 cherrypy.access.140289559842376:INFO 82.74.246.215 - - [09/Aug/2017:11:59:29] "GET /authz_cb HTTP/1.1" 200 546 "https://203.94.95.140:9443/authenticationendpoint/oauth2_consent.do?loggedInUser=Hasini+Dilanka+Witharana&application=oidc_test&scope=address+phone+openid+email+profile&sessionDataKeyConsent=c6a8a918-1384-4ae8-9e87-a2dddf491b45&spQueryParams=state%3DpjlGhUtVtJkh8qau%26redirect_uri%3Dhttps%253A%252F%252Fop.certification.openid.net%253A60024%252Fauthz_cb%26client_id%3D8CIMDtidOUCxVgxhQoHSUOEzOV4a%26response_type%3Did_token%26nonce%3Dx4elg1PUruqen3cu%26scope%3Dopenid%2Bprofile%2Bemail%2Baddress%2Bphone" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
2017-08-09 11:59:29,870 otest.aus.tool:INFO <--<-- 3 --- <class 'oidctest.op.oper.AsyncAuthn'>
2017-08-09 11:59:29,870 otest.aus.request:INFO Response: id_token=eyJ4NXQiOiJNalEwTXpNNU5qbGhOVEJtWmpsaU5EWmpNRFEyTlRRM01EUXhaVEJqWm1ZNU1ERmlNekUyTkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJIYXNpbmkgRGlsYW5rYSBXaXRoYXJhbmEiLCJ6b25laW5mbyI6IjIwMTciLCJiaXJ0aGRhdGUiOiIxOTk0LTA4LTA2IiwiaXNzIjoiaHR0cHM6XC9cLzIwMy45NC45NS4xNDA6OTQ0M1wvb2F1dGgyXC90b2tlbiIsInByZWZlcnJlZF91c2VybmFtZSI6Ikhhc2luaSIsImxvY2FsZSI6ImVuIiwidXBkYXRlZF9hdCI6IjIwMTciLCJhenAiOiI4Q0lNRHRpZE9VQ3hWZ3hoUW9IU1VPRXpPVjRhIiwiYXV0aF90aW1lIjoxNTAyMjk0MzY3LCJuaWNrbmFtZSI6Imhhc2kiLCJleHAiOjE1MDIyOTc5NjksImlhdCI6MTUwMjI5NDM2OSwiZW1haWwiOiJhZG1pbkB3c28yLmNvbSIsIndlYnNpdGUiOiJPSURDIiwiZW1haWxfdmVyaWZpZWQiOiJmYWxzZSIsImFkZHJlc3MiOiJ7XCJzdHJlZXRfYWRkcmVzc1wiOlwiMTE2XC82LFRlbXBsZSBSb2FkLE1haGFyYWdhbWFcIixcImZvcm1hdHRlZFwiOlwiQ29sb21ibyxTcmkgTGFua2FcIn0iLCJwcm9maWxlIjoiaHR0cHM6XC9cL21lZGl1bS5jb21cL0BoYXNpbml3aXRoYXJhbmFcL29wZW5pZC1jb25uZWN0LTUzMjQ2NTMwODA5MCIsInBob25lX251bWJlcl92ZXJpZmllZCI6ImZhbHNlIiwibWlkZGxlX25hbWUiOiJEaWxhbmthIiwiZ2l2ZW5fbmFtZSI6Ikhhc2luaSIsIm5vbmNlIjoieDRlbGcxUFVydXFlbjNjdSIsInBpY3R1cmUiOiJodHRwczpcL1wvbWVkaXVtLmNvbVwvQGhhc2luaXdpdGhhcmFuYVwvb3BlbmlkLWNvbm5lY3QtNTMyNDY1MzA4MDkwIiwiYXVkIjpbIjhDSU1EdGlkT1VDeFZneGhRb0hTVU9Fek9WNGEiXSwibmFtZSI6Ikhhc2luaSBEaWxhbmthIFdpdGhhcmFuYSIsInBob25lX251bWJlciI6IjA3MTM4NTAxNDMiLCJmYW1pbHlfbmFtZSI6IldpdGhhcmFuYSJ9.BcSlgWi0G5DCf7US-MnloiqvrjAv90Y0fh2LuhVIya8xVBTrFu0uL-hObccILRsg-yyVHOodJwf1EHXEl9xL8oH6dYArnmAuKx8_uZW0W-yG6LBD3R8HEOEU97YJb6sdbkDJd6g6hYwZnONtvWDa-RNdPAVDPav3EXH0TaRR3Iccj2WPeR6de_tY8PaggRZlthl-h_zxVKjIKG26dsp7jSjKu2GM45FFEqbgJMXmm4kout-sX3LuddmwBZvWoNTNDM7PTvQ1nlMXu5v-riCxwI1d0Ww6kSHs3JNIP1bxGYSkIsyUYCtxJKBXN1iZzjNx58lPAWhtr7B8Isunzni_Nw&state=pjlGhUtVtJkh8qau&session_state=fd3b1c7c4531ab9dccdf128b7e9663cf51c7e0d0e2ae26c4d27f0a07505328b8.0ZH0PFNXCIOzb4B7seiw1Q
2017-08-09 11:59:29,870 oic.oauth2:DEBUG Initial response parsing => "{'state': 'pjlGhUtVtJkh8qau', 'id_token': 'eyJ4NXQiOiJNalEwTXpNNU5qbGhOVEJtWmpsaU5EWmpNRFEyTlRRM01EUXhaVEJqWm1ZNU1ERmlNekUyTkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJIYXNpbmkgRGlsYW5rYSBXaXRoYXJhbmEiLCJ6b25laW5mbyI6IjIwMTciLCJiaXJ0aGRhdGUiOiIxOTk0LTA4LTA2IiwiaXNzIjoiaHR0cHM6XC9cLzIwMy45NC45NS4xNDA6OTQ0M1wvb2F1dGgyXC90b2tlbiIsInByZWZlcnJlZF91c2VybmFtZSI6Ikhhc2luaSIsImxvY2FsZSI6ImVuIiwidXBkYXRlZF9hdCI6IjIwMTciLCJhenAiOiI4Q0lNRHRpZE9VQ3hWZ3hoUW9IU1VPRXpPVjRhIiwiYXV0aF90aW1lIjoxNTAyMjk0MzY3LCJuaWNrbmFtZSI6Imhhc2kiLCJleHAiOjE1MDIyOTc5NjksImlhdCI6MTUwMjI5NDM2OSwiZW1haWwiOiJhZG1pbkB3c28yLmNvbSIsIndlYnNpdGUiOiJPSURDIiwiZW1haWxfdmVyaWZpZWQiOiJmYWxzZSIsImFkZHJlc3MiOiJ7XCJzdHJlZXRfYWRkcmVzc1wiOlwiMTE2XC82LFRlbXBsZSBSb2FkLE1haGFyYWdhbWFcIixcImZvcm1hdHRlZFwiOlwiQ29sb21ibyxTcmkgTGFua2FcIn0iLCJwcm9maWxlIjoiaHR0cHM6XC9cL21lZGl1bS5jb21cL0BoYXNpbml3aXRoYXJhbmFcL29wZW5pZC1jb25uZWN0LTUzMjQ2NTMwODA5MCIsInBob25lX251bWJlcl92ZXJpZmllZCI6ImZhbHNlIiwibWlkZGxlX25hbWUiOiJEaWxhbmthIiwiZ2l2ZW5fbmFtZSI6Ikhhc2luaSIsIm5vbmNlIjoieDRlbGcxUFVydXFlbjNjdSIsInBpY3R1cmUiOiJodHRwczpcL1wvbWVkaXVtLmNvbVwvQGhhc2luaXdpdGhhcmFuYVwvb3BlbmlkLWNvbm5lY3QtNTMyNDY1MzA4MDkwIiwiYXVkIjpbIjhDSU1EdGlkT1VDeFZneGhRb0hTVU9Fek9WNGEiXSwibmFtZSI6Ikhhc2luaSBEaWxhbmthIFdpdGhhcmFuYSIsInBob25lX251bWJlciI6IjA3MTM4NTAxNDMiLCJmYW1pbHlfbmFtZSI6IldpdGhhcmFuYSJ9.BcSlgWi0G5DCf7US-MnloiqvrjAv90Y0fh2LuhVIya8xVBTrFu0uL-hObccILRsg-yyVHOodJwf1EHXEl9xL8oH6dYArnmAuKx8_uZW0W-yG6LBD3R8HEOEU97YJb6sdbkDJd6g6hYwZnONtvWDa-RNdPAVDPav3EXH0TaRR3Iccj2WPeR6de_tY8PaggRZlthl-h_zxVKjIKG26dsp7jSjKu2GM45FFEqbgJMXmm4kout-sX3LuddmwBZvWoNTNDM7PTvQ1nlMXu5v-riCxwI1d0Ww6kSHs3JNIP1bxGYSkIsyUYCtxJKBXN1iZzjNx58lPAWhtr7B8Isunzni_Nw', 'session_state': 'fd3b1c7c4531ab9dccdf128b7e9663cf51c7e0d0e2ae26c4d27f0a07505328b8.0ZH0PFNXCIOzb4B7seiw1Q'}"
2017-08-09 11:59:29,871 oic.oauth2:DEBUG Verify response with {'client_id': '8CIMDtidOUCxVgxhQoHSUOEzOV4a', 'iss': 'https://203.94.95.140:9443/oauth2/token', 'keyjar': <KeyJar(issuers=['', 'https://203.94.95.140:9443/oauth2/token'])>}
2017-08-09 11:59:29,871 oic.oauth2.message:DEBUG Raw JSON: {'profile': 'https://medium.com/@hasiniwitharana/openid-connect-532465308090', 'auth_time': 1502294367, 'updated_at': '2017', 'middle_name': 'Dilanka', 'nonce': 'x4elg1PUruqen3cu', 'address': '{"street_address":"116/6,Temple Road,Maharagama","formatted":"Colombo,Sri Lanka"}', 'iat': 1502294369, 'azp': '8CIMDtidOUCxVgxhQoHSUOEzOV4a', 'name': 'Hasini Dilanka Witharana', 'family_name': 'Witharana', 'birthdate': '1994-08-06', 'picture': 'https://medium.com/@hasiniwitharana/openid-connect-532465308090', 'aud': ['8CIMDtidOUCxVgxhQoHSUOEzOV4a'], 'website': 'OIDC', 'phone_number': '0713850143', 'email_verified': 'false', 'locale': 'en', 'email': '[email protected]', 'nickname': 'hasi', 'zoneinfo': '2017', 'exp': 1502297969, 'phone_number_verified': 'false', 'preferred_username': 'Hasini', 'iss': 'https://203.94.95.140:9443/oauth2/token', 'given_name': 'Hasini', 'sub': 'Hasini Dilanka Witharana'}
2017-08-09 11:59:29,871 oic.oauth2.message:DEBUG JWS header: {'alg': 'RS256', 'kid': 'd0ec514a32b6f88c0abd12a2840699bdd3deba9d', 'x5t': 'MjQ0MzM5NjlhNTBmZjliNDZjMDQ2NTQ3MDQxZTBjZmY5MDFiMzE2NA'}
2017-08-09 11:59:29,871 root:DEBUG KeyBundle fetch keys from: https://203.94.95.140:9443/oauth2/jwks
2017-08-09 11:59:29,873 requests.packages.urllib3.connectionpool:INFO Starting new HTTPS connection (1): 203.94.95.140
2017-08-09 11:59:30,876 requests.packages.urllib3.connectionpool:DEBUG "GET /oauth2/jwks HTTP/1.1" 200 460
2017-08-09 11:59:30,877 oic.utils.keyio:DEBUG Loaded JWKS: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"d0ec514a32b6f88c0abd12a2840699bdd3deba9d","alg":"RS256","n":"ALvJXywkFdoW4s_DhgPG2iiNRNXIBP0Cynn2uDndhtinsbWgMEhEq-SAmpFV_MOrVOfiISmEECrfVN_1NGnvbV39OIOolodHUZZbK_ZjoI0mcUCtPf8oFLBR_LMi-Wg94XkVGMyVmfyjrHeewV7iNkGZ7hIzdINPuYzb57MH8A_7TNNbaLWiaSN8TftiWbGgUQnNBucgP6XVvNwGuCBN9BC-e8JCu7vGA5d1E3Jovhzu-F0JitVRKkpwPv5haNzNenEZZtj02dmdROYHeI_ubFdT-b-t7qshZ4hFNMz136KwW9OqYEgaCEUAYp7Ukg8hJsrlc1tKXNnmAuQ4X4JN9-0"}]} from https://203.94.95.140:9443/oauth2/jwks
2017-08-09 11:59:30,877 oic.utils.keyio:DEBUG Loaded JWKS: {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"d0ec514a32b6f88c0abd12a2840699bdd3deba9d","alg":"RS256","n":"ALvJXywkFdoW4s_DhgPG2iiNRNXIBP0Cynn2uDndhtinsbWgMEhEq-SAmpFV_MOrVOfiISmEECrfVN_1NGnvbV39OIOolodHUZZbK_ZjoI0mcUCtPf8oFLBR_LMi-Wg94XkVGMyVmfyjrHeewV7iNkGZ7hIzdINPuYzb57MH8A_7TNNbaLWiaSN8TftiWbGgUQnNBucgP6XVvNwGuCBN9BC-e8JCu7vGA5d1E3Jovhzu-F0JitVRKkpwPv5haNzNenEZZtj02dmdROYHeI_ubFdT-b-t7qshZ4hFNMz136KwW9OqYEgaCEUAYp7Ukg8hJsrlc1tKXNnmAuQ4X4JN9-0"}]} from https://203.94.95.140:9443/oauth2/jwks
2017-08-09 11:59:30,878 oic.oauth2.message:DEBUG Key set summary for https://203.94.95.140:9443/oauth2/token: RSA:sig:d0ec514a32b6f88c0abd12a2840699bdd3deba9d
2017-08-09 11:59:30,878 oic.utils.keyio:DEBUG Issuer '8CIMDtidOUCxVgxhQoHSUOEzOV4a' not found, available key issuers: ['', 'https://203.94.95.140:9443/oauth2/token']
2017-08-09 11:59:30,878 oic.oauth2.message:DEBUG Key set summary for 8CIMDtidOUCxVgxhQoHSUOEzOV4a: 
2017-08-09 11:59:30,878 oic.oauth2.message:DEBUG Found signing key.
2017-08-09 11:59:30,878 jwkest.jws:DEBUG Picking key by key type=RSA
2017-08-09 11:59:30,879 jwkest.jws:DEBUG Picking key based on alg=RS256, kid=d0ec514a32b6f88c0abd12a2840699bdd3deba9d and use=
2017-08-09 11:59:30,879 jwkest.jws:DEBUG Picked: kid:G91Zi19W7Lwa0rGu570gwP_rWfJTBUaWsghWEVEvdVs, use:sig, kty:RSA
2017-08-09 11:59:30,879 jwkest.jws:DEBUG Picked: kid:d0ec514a32b6f88c0abd12a2840699bdd3deba9d, use:sig, kty:RSA
2017-08-09 11:59:30,880 jwkest.jws:DEBUG Verified message using key with kid=d0ec514a32b6f88c0abd12a2840699bdd3deba9d
2017-08-09 11:59:30,881 otest.aus.request:INFO Parsed response: {'state': 'pjlGhUtVtJkh8qau', 'id_token': {'profile': 'https://medium.com/@hasiniwitharana/openid-connect-532465308090', 'auth_time': 1502294367, 'given_name': 'Hasini', 'updated_at': '2017', 'middle_name': 'Dilanka', 'nonce': 'x4elg1PUruqen3cu', 'family_name': 'Witharana', 'iat': 1502294369, 'azp': '8CIMDtidOUCxVgxhQoHSUOEzOV4a', 'name': 'Hasini Dilanka Witharana', 'preferred_username': 'Hasini', 'email': '[email protected]', 'email_verified': 'false', 'picture': 'https://medium.com/@hasiniwitharana/openid-connect-532465308090', 'aud': ['8CIMDtidOUCxVgxhQoHSUOEzOV4a'], 'website': 'OIDC', 'phone_number': '0713850143', 'nickname': 'hasi', 'locale': 'en', 'birthdate': '1994-08-06', 'zoneinfo': '2017', 'address': {'street_address': '116/6,Temple Road,Maharagama', 'formatted': 'Colombo,Sri Lanka'}, 'phone_number_verified': 'false', 'iss': 'https://203.94.95.140:9443/oauth2/token', 'exp': 1502297969, 'sub': 'Hasini Dilanka Witharana'}, 'session_state': 'fd3b1c7c4531ab9dccdf128b7e9663cf51c7e0d0e2ae26c4d27f0a07505328b8.0ZH0PFNXCIOzb4B7seiw1Q'}
2017-08-09 11:59:30,881 otest.aus.tool:INFO <=<=<=<=< OP-scope-All >=>=>=>=>
2017-08-09 11:59:30,881 otest.aus.tool:INFO <--<-- 4 --- AccessToken -->-->
2017-08-09 11:59:30,881 otest.aus.tool:INFO <--<-- 5 --- UserInfo -->-->
2017-08-09 11:59:30,881 otest.aus.tool:INFO <--<-- 6 --- Done -->-->
2017-08-09 11:59:30,882 otest.verify:DEBUG do_check(verify-scopes, {})
2017-08-09 11:59:30,882 otest.verify:DEBUG do_check(check-http-response, {})
2017-08-09 11:59:30,883 otest.verify:ERROR [do_check] ExcList: Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/verify.py", line 70, in do_check
    stat = chk(self.conv)
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/check.py", line 121, in __call__
    _stat = self._func(conv)
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/aus/check.py", line 76, in _func
    _response = conv.events.get_data(EV_HTTP_RESPONSE)[-1]
IndexError: list index out of range

2017-08-09 11:59:30,883 otest.verify:ERROR [do_check] Exception: list index out of range
2017-08-09 11:59:30,884 otest.handling:ERROR [authz_cb] ExcList: Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/oidctest-0.7.0-py3.5.egg/oidctest/optt/__init__.py", line 195, in authz_post
    response=kwargs)
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/aus/tool.py", line 230, in async_response
    return self.run_flow(self.sh["testid"], index=index)
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/aus/tool.py", line 112, in run_flow
    _ver.test_sequence(self.conv.flow["assert"])
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/verify.py", line 96, in test_sequence
    self.do_check(test)
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/verify.py", line 70, in do_check
    stat = chk(self.conv)
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/check.py", line 121, in __call__
    _stat = self._func(conv)
  File "/usr/local/lib/python3.5/dist-packages/otest-0.7.1-py3.5.egg/otest/aus/check.py", line 76, in _func
    _response = conv.events.get_data(EV_HTTP_RESPONSE)[-1]
IndexError: list index out of range

2017-08-09 11:59:30,884 otest.handling:ERROR [authz_cb] Exception: list index out of range

static registration for RP testing

Currently it is not possible, or at least not documented, how to do static registration for RP testing, i.e. how one can certify an RP that does not support Dynamic Client Registration. We should most probably fix that before going into production (as Dynreg is optional).

rp-id_token-kid-absent-single-jwks result

https://rp.certification.openid.net:8080/damienbod.id_token_token/rp-id_token-kid-absent-single-jwks/registration

https://rp.certification.openid.net:8080/log/damienbod.id_token_token/rp-id_token-kid-absent-single-jwks.txt

I reject this because I have 4 items with kid ids in the https://rp.certification.openid.net:8080/static/jwks_5hZ6PW0uKOqzGcMK.json

Test states:
Accepts ID Token without 'kid' claim in JOSE header if only one JWK supplied in 'jwks_uri'

Have I misunderstood something here, or is the test incorrect?

Greetings Damien
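The rule quoted from the test description, as an added example (not code from oidctest or from the poster's RP): an RP picks the verification key by filtering the JWKS on `kty`, `use` and `alg`, then on `kid` when the header carries one, and rejects the token when the choice is ambiguous. The key set below is constructed sample data; the contents of the JWKS linked above are not shown on this page, and the function names are hypothetical.

```python
# Added illustration: RP-side choice of the JWK used to verify an ID Token.
# SAMPLE_JWKS is constructed data, not the key set published by the test suite.

ALG_TO_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC"}  # JWS alg prefix -> JWK kty


class KeySelectionError(Exception):
    """No key, or more than one key, could be chosen for this token."""


def candidate_keys(jwks, alg):
    """Keys in the set that may verify a signature made with `alg`."""
    kty = ALG_TO_KTY.get(alg[:2])
    if kty is None:  # also rejects "none" and HMAC algs in this sketch
        raise KeySelectionError("unsupported alg: %r" % alg)
    out = []
    for key in jwks.get("keys", []):
        if key.get("kty") != kty:
            continue
        if key.get("use", "sig") != "sig":  # a key without "use" may sign
            continue
        if key.get("alg", alg) != alg:  # honour an alg pinned on the key
            continue
        out.append(key)
    return out


def select_verification_key(jose_header, jwks):
    """Return the single JWK to verify with, or raise KeySelectionError."""
    keys = candidate_keys(jwks, jose_header.get("alg", ""))
    kid = jose_header.get("kid")
    if kid is not None:
        keys = [k for k in keys if k.get("kid") == kid]
    if len(keys) == 1:
        return keys[0]
    if not keys:
        raise KeySelectionError("no matching key")
    raise KeySelectionError("%d candidate keys, cannot pick one" % len(keys))


# Constructed JWKS: four entries, each with a kid, but only one RSA signing key.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "rsa-sig-1"},
    {"kty": "RSA", "use": "enc", "kid": "rsa-enc-1"},
    {"kty": "EC", "use": "sig", "kid": "ec-sig-1", "crv": "P-256"},
    {"kty": "EC", "use": "enc", "kid": "ec-enc-1", "crv": "P-256"},
]}
```

With this sample set, an RS256 token without `kid` resolves to `rsa-sig-1`; adding a second RSA signing key makes the same header ambiguous and the function raises.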

More flexibility for the OP-Req-login_hint test

The test requires the profile configuration parameter "login_hint". It then creates the string
$login_hint + "@" + $issuer
and sends that as the value of the auth request parameter login_hint.

First, that's a bit confusing, but second, and more important, it's too rigid: for instance, my Auth-Endpoint does not expect that @$issuer notation and thus doesn't recognize the user.

My enhancement request is to pass the profile configuration parameter "as is" in the auth request login_hint. That allows for all possible options.

OP log files: no extension, tar archive contains full path

When downloading the tar archive with log files, two things seem to be off:

  • the files contain the full path instead of the relative path
  • the files have no extension (like .txt for the RP log files)

tar ztvf s_zmartzone.eu.id_token_token.IT.F.T.F.tar.gz
-rw-r--r--  0 root   root     3154 Jun 13 10:42 usr/local/oidf/oidc_op/log/s_zmartzone.eu/id_token_token/IT.F.T.F/OP-Response-Missing
