
oidctest's People

Contributors: dallerbarn, dannysauer, panva, rohe, savvasmisaghmoayyed, selfissued, sozkan, spomky, tpazderka, travisspencer, zandbelt


oidctest's Issues

response=id_token produces Remote key update 502 error

I am able to set up the OIDC test tool using the latest image from GitHub successfully.

Now, when I execute the response=id_token test cases, I am seeing the below exception:
(OP-Response-id_token) - Request with response_type=id_token

The following takes place:

  • Redirection from tool to OP login page is seen, as expected
  • After successful login, the consent page is seen, as expected
  • Now, during generation of id_token and redirection the below exception is seen

Exception seen:

2019-03-05 07:08:38,175 oidctest.optt:INFO ent:10.240.229.247, vpath: ['OP-Response-id_token']
2019-03-05 07:08:38,177 oic.utils.keyio:DEBUG loading keys for issuer: http://slc12ldo.us.oracle.com:7777/oauth2
2019-03-05 07:08:38,177 oic.utils.keyio:DEBUG pcr: {'issuer': 'http://slc12ldo.us.oracle.com:7777/oauth2', 'authorization_endpoint': 'http://slc12ldo.us.oracle.com:7777/oauth2/rest/authorize', 'jwks_uri': 'http://slc12ldo.us.oracle.com:7777/oauth2/rest/security', 'response_types_supported': ['code', 'token', 'id_token', 'token id_token'], 'subject_types_supported': ['public'], 'id_token_signing_alg_values_supported': ['RS256'], 'claims_supported': ['aud', 'exp', 'iat', 'iss', 'jti', 'sub'], 'end_session_endpoint': 'http://slc12ldo.us.oracle.com:7777/oauth2/rest/userlogout', 'grant_types_supported': ['password', 'client_credentials', 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'authorization_code', 'refresh_token', 'implicit'], 'scopes_supported': ['openid', 'profile', 'email', 'address', 'phone'], 'token_endpoint': 'http://slc12ldo.us.oracle.com:7777/oauth2/rest/token', 'token_endpoint_auth_methods_supported': ['client_secret_basic', 'client_secret_jwt'], 'token_endpoint_auth_signing_alg_values_supported': ['RS256'], 'ui_locales_supported': ['en'], 'userinfo_endpoint': 'http://slc12ldo.us.oracle.com:7777/oauth2/rest/userinfo', 'userinfo_signing_alg_values_supported': ['none']}
2019-03-05 07:08:38,177 oidctest.session:INFO session_setup
2019-03-05 07:08:38,177 otest.aus.tool:INFO <=<=<=<=< OP-Response-id_token >=>=>=>=>
2019-03-05 07:08:38,177 otest.aus.tool:INFO <--<-- 0 --- Webfinger -->-->
2019-03-05 07:08:38,177 otest.aus.tool:INFO <--<-- 1 --- Discovery -->-->
2019-03-05 07:08:38,178 otest.aus.tool:INFO <--<-- 2 --- Registration -->-->
2019-03-05 07:08:38,178 otest.aus.tool:INFO <--<-- 3 --- AsyncAuthn -->-->
2019-03-05 07:08:38,179 cherrypy.access.140629376080416:INFO 10.240.229.247 - - [05/Mar/2019:07:08:38] "GET /OP-Response-id_token HTTP/1.1" 303 504 "https://op-test:60001/" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
2019-03-05 07:08:54,307 cherrypy.access.140629376080416:INFO 10.240.229.247 - - [05/Mar/2019:07:08:54] "GET /authz_cb HTTP/1.1" 200 545 "http://slc12ldo.us.oracle.com:7777/oam/pages/consent.jsp?state=UnlIVVlJcXpUYnJyMnd1SHZhbzdZdz09fmRvYmc4N0hvdG5JNnk2U3NoZzYzZ3lwcHBjYmlYYlpGc3hacHVKOENVWHcrZmxYNTFjZThaSXl2em8yN2ZZSnRuUGxlcTExcWZSLzJWaFBHbGJTajFNcFdVOGVGT3dxNnQ0d0x4TUIwR2Q3cFpCZDlWckRnVE5YNlpaSUpRbWVkL3VrRS9ZbldnSmlNMzdzOGY5eE9KOXdadHBkUk5RZkNNWmg4cFFHNEZnZDVmdld4Z0Rocll4NWl5UHQ5L2tuYw==&scopes=openid&client_id=APKRISHNAOAUTHIDCLIENT10" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
2019-03-05 07:08:54,380 otest.aus.tool:INFO <--<-- 3 --- <class 'oidctest.op.oper.AsyncAuthn'>
2019-03-05 07:08:54,380 otest.aus.request:INFO Response: id_token=eyJraWQiOiJLUklTSE5BSURET01BSU4xMCIsIng1dCI6IjZnZzg3YnFOemRzaW9Qc1E5UWl6ejlTRlJoOCIsImFsZyI6IlJTMjU2In0.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.DnP6Gwsrgio-zUWyjJMF_Dxio8vtCvA_eOH77SYUBt8H40xZjbETCdawV7aMMiQoa6fIiCaL2OZexkW3oy9CTwK1y_4jvzBXpYGcjzUNIflt28lC5JE_r6RFaIQYJmaxxdOWeqSkE2N0-Et0mH3biVnF4pGaR8scMrvp1rnErkg9skSmOJy4DC2F8mdzPgqBjG7mdtWmyvgZNo_65VsEycF8kmNkiRmC5YzNc5yS9pApyevIab0QxN5YS-gx3a7n8Qfhj8Zwha0Ea0Kvgq9IvXKpVXWGsvZRmDACRNBDvGpKfK7GPm2pAjqT9oG-M92RLF_yopO0LXHbtiOwJJDBdw&state=9KDba6k7K6zq91Wq
2019-03-05 07:08:54,381 oic.oauth2:DEBUG Initial response parsing => "{'id_token': 'eyJraWQiOiJLUklTSE5BSURET01BSU4xMCIsIng1dCI6IjZnZzg3YnFOemRzaW9Qc1E5UWl6ejlTRlJoOCIsImFsZyI6IlJTMjU2In0.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.DnP6Gwsrgio-zUWyjJMF_Dxio8vtCvA_eOH77SYUBt8H40xZjbETCdawV7aMMiQoa6fIiCaL2OZexkW3oy9CTwK1y_4jvzBXpYGcjzUNIflt28lC5JE_r6RFaIQYJmaxxdOWeqSkE2N0-Et0mH3biVnF4pGaR8scMrvp1rnErkg9skSmOJy4DC2F8mdzPgqBjG7mdtWmyvgZNo_65VsEycF8kmNkiRmC5YzNc5yS9pApyevIab0QxN5YS-gx3a7n8Qfhj8Zwha0Ea0Kvgq9IvXKpVXWGsvZRmDACRNBDvGpKfK7GPm2pAjqT9oG-M92RLF_yopO0LXHbtiOwJJDBdw', 'state': '9KDba6k7K6zq91Wq'}"
2019-03-05 07:08:54,381 oic.oauth2:DEBUG Verify response with {'keyjar': <KeyJar(issuers=['', 'http://slc12ldo.us.oracle.com:7777/oauth2'])>, 'client_id': 'APKRISHNAIDDOM00', 'iss': 'http://slc12ldo.us.oracle.com:7777/oauth2'}
2019-03-05 07:08:54,381 oic.oauth2.message:DEBUG Raw JSON: {'iss': 'http://slc12ldo.us.oracle.com:7777/oauth2', 'sub': 'weblogic', 'aud': ['APKRISHNAIDDOM00', 'http://slc12ldo.us.oracle.com:7777/oauth2'], 'exp': 1551869694, 'iat': 1551769734, 'nonce': 'waterisgood', 'jti': 'uAzkcbZiUTJjGPS_2TIzlg', 'azp': 'APKRISHNAIDDOM00', 'acr': '2', 'sid': 'niHrJQ/DGeB5HeuyHNqchQ==~PgD5aPnP5ZcfFx5fW2Var7rTh3L9/gdvSANtPAwJY70Y0KWpirlVaHs7JTj9RVNgfSEvCK6B250QxFeKqczUYakmGErhnQS1nN0DxbN20c0IaCDJWehoRrPSOPsFfEns', 'auth_time': '1551769730673', 'amr': ['pwd']}
2019-03-05 07:08:54,382 oic.oauth2.message:DEBUG JWS header: {'kid': 'KRISHNAIDDOMAIN10', 'x5t': '6gg87bqNzdsioPsQ9Qizz9SFRh8', 'alg': 'RS256'}
2019-03-05 07:08:54,382 root:DEBUG KeyBundle fetch keys from: http://slc12ldo.us.oracle.com:7777/oauth2/rest/security
2019-03-05 07:08:54,383 urllib3.connectionpool:DEBUG Starting new HTTP connection (1): www-proxy-hqdc.us.oracle.com:80
2019-03-05 07:08:54,427 urllib3.connectionpool:DEBUG http://www-proxy-hqdc.us.oracle.com:80 "GET http://slc12ldo.us.oracle.com:7777/oauth2/rest/security HTTP/1.1" 502 2798
2019-03-05 07:08:54,428 otest.handling:ERROR [run_sequence] ExcList: Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/otest-0.7.3-py3.6.egg/otest/aus/request.py", line 331, in parse_response
    keyjar=_conv.entity.keyjar # , algs=algs
  File "/usr/local/lib/python3.6/dist-packages/oic-0.14.0-py3.6.egg/oic/oauth2/__init__.py", line 562, in parse_response
    verf = resp.verify(**kwargs)
  File "/usr/local/lib/python3.6/dist-packages/oic-0.14.0-py3.6.egg/oic/oic/message.py", line 347, in verify
    idt = IdToken().from_jwt(str(self["id_token"]), **args)
  File "/usr/local/lib/python3.6/dist-packages/oic-0.14.0-py3.6.egg/oic/oauth2/message.py", line 670, in from_jwt
    _jw, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/oic-0.14.0-py3.6.egg/oic/oauth2/message.py", line 556, in get_verify_keys
    _key = keyjar.get_key_by_kid(_kid, _iss)
  File "/usr/local/lib/python3.6/dist-packages/oic-0.14.0-py3.6.egg/oic/utils/keyio.py", line 597, in get_key_by_kid
    _key = kb.get_key_with_kid(kid)
  File "/usr/local/lib/python3.6/dist-packages/oic-0.14.0-py3.6.egg/oic/utils/keyio.py", line 327, in get_key_with_kid
    self.update()
  File "/usr/local/lib/python3.6/dist-packages/oic-0.14.0-py3.6.egg/oic/utils/keyio.py", line 258, in update
    res = self.do_remote()
  File "/usr/local/lib/python3.6/dist-packages/oic-0.14.0-py3.6.egg/oic/utils/keyio.py", line 204, in do_remote
    REMOTE_FAILED.format(self.source, r.status_code))
  File "/usr/local/lib/python3.6/dist-packages/oic-0.14.0-py3.6.egg/oic/utils/keyio.py", line 40, in raise_exception
    raise excep(_err, 'application/json')
oic.utils.keyio.UpdateFailed: {"error": "service_error", "error_description": "Remote key update from 'http://slc12ldo.us.oracle.com:7777/oauth2/rest/security' failed, HTTP status 502"}

2019-03-05 07:08:54,429 otest.handling:ERROR [run_sequence] Exception: {"error": "service_error", "error_description": "Remote key update from 'http://slc12ldo.us.oracle.com:7777/oauth2/rest/security' failed, HTTP status 502"}

nonce required for test OP-nonce-NoReq-noncode when using 'code token' flow

Was wondering why this test expects a nonce; it seems a nonce is only expected when id_token is sent in the request to prevent replay attacks. For this test, only 'code token' is sent, and we expect a nonce which should be optional.

Is it a requirement to pass this test for hybrid (code token) certification? If so, can I get some guidance on whether it is an issue with the OP implementation or the OP conformance test tool?

Thanks.

ImportError: No module named 'oidctest.rp.mode'

When trying to bring up the test environment using docker-compose, I see the following error:

Step 18/25 : RUN cd oidctest/tests && python3 -m pytest -x && cd -
 ---> Running in 4fd7d9d5c6a9
============================= test session starts ==============================
platform linux -- Python 3.5.2, pytest-2.8.7, py-1.4.31, pluggy-0.3.1
rootdir: /usr/local/src/oidctest, inifile:

==================================== ERRORS ====================================
____________________ ERROR collecting tests/test_02_mode.py ____________________
test_02_mode.py:1: in <module>
    from oidctest.rp.mode import extract_mode
E   ImportError: No module named 'oidctest.rp.mode'
!!!!!!!!!!!!!!!!!!!! Interrupted: stopping after 1 failures !!!!!!!!!!!!!!!!!!!!
=========================== 1 error in 0.97 seconds ============================
ERROR: Service 'rp_test' failed to build: The command '/bin/sh -c cd oidctest/tests && python3 -m pytest -x && cd -' returned a non-zero code: 2

I noticed that oidctest/src/oidctest/rp/mode.py was deleted in a recent commit.

I added that file back and the deployment was then successful.

Outdated docs

Hi,

Branch stable-release-1.2.x does not exist as stated in the docs!

Please advise

Configure "redirect_uris" field

Hi,

Is it possible to configure the redirect_uris field of the provider so that my application redirects correctly after OAuth authentication, and so that I no longer receive the error "error_description": "redirect_uri did not match any client's registered redirect_uris" that I am getting now?

Regards,
Thanks

Current continuous integration tests fail

When I pull the changes since May 11th, the continuous integration tests from @panva fail on a number of tests:

62 passing (22s)
  2 pending
  5 failing
  1)  OP-IDToken-ES256:
      AssertionError: Expected to be on a result screen
      + expected - actual
      -/authz_post
      +/display
      
      at passed (test/helpers.js:26:10)
  2)  OP-IDToken-HS256:
      AssertionError: Expected to be on a result screen
      + expected - actual
      -/authz_post
      +/display
      
      at passed (test/helpers.js:26:10)
  3)  OP-IDToken-RS256:
      AssertionError: Expected to be on a result screen
      + expected - actual
      -/authz_post
      +/display
      
      at passed (test/helpers.js:26:10)
  4)  OP-claims-sub:
      AssertionError: Expected status to be Green, got Red
      + expected - actual
      -Red
      +Green
      
      at passed (test/helpers.js:33:10)
  5)  OP-redirect_uri-Query-OK:
      AssertionError: Expected status to be Green, got Red
      + expected - actual
      -Red
      +Green
      
      at passed (test/helpers.js:33:10)

Not sure, but it looks like for 1-3 the flow somehow changed and there's no intermediate screen anymore?

For 4 the problem seems to be caused by:
50d3e42

For 5 the log says:

check-query-part: status=ERROR, message=The query component foo=bar not part of the response [Check that a query part send in the Authorization Request is returned in the Authorization response.]

pyjwkest requirement error

Running docker-compose -f docker/docker-compose.yml up produces this error (full gist here):

Installed /usr/local/lib/python3.6/dist-packages/oidctest-0.9.2-py3.6.egg
Processing dependencies for oidctest==0.9.2
Searching for pyjwkest==1.4.3
Reading https://pypi.python.org/simple/pyjwkest/
No local packages or working download links found for pyjwkest==1.4.3
error: Could not find suitable distribution for Requirement.parse('pyjwkest==1.4.3')
ERROR: Service 'op-test' failed to build: The command '/bin/sh -c cd oidctest && python3 setup.py install && cd -' returned a non-zero code: 1

As of August 2020, pyjwkest v1.4.3 is not released on PyPI.

Dynamic client registration configuration should include a way of providing an initial token

Section 3 of the OIDC dynamic client registration spec says that

The OpenID Provider MAY require an Initial Access Token that is provisioned out-of-band (in a manner that is out of scope for this specification) to restrict registration requests to only authorized Clients or developers.

When configuring an OP entity in the op_test tool, there is no way to provide this initial token. As a result, there is no way for an OP that requires authentication of the registration endpoint to be tested.

Something like the following mockup is needed:

[screenshot: mockup of the proposed configuration field, 2017-08-05]

If an initial access token is configured in such a way, then the test tool should send it to the OP in an Authorization header (per RFC 6750) when registering the client.

OpenID Conformance Test Basic - OP-scope-profile

Running OP-scope-profile fails with the trace below:


Something went wrong! If you know or suspect you know why, then try to
fix it. If you have no idea, then please tell us at [email protected]
and we will help you figure it out.


Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/oic-0.15.1-py3.6.egg/oic/oauth2/message.py", line 389, in _add_value
    self._dict[skey] = int(val)
ValueError: invalid literal for int() with base 10: '2019-08-21T19:19:04.000Z'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/otest-0.7.6-py3.6.egg/otest/aus/tool.py", line 95, in run_flow
    resp = _oper()
  File "/usr/local/lib/python3.6/dist-packages/otest-0.7.6-py3.6.egg/otest/operation.py", line 105, in __call__
    res = self.run(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/oidctest-0.7.5-py3.6.egg/oidctest/op/oper.py", line 356, in run
    **args)
  File "/usr/local/lib/python3.6/dist-packages/otest-0.7.6-py3.6.egg/otest/operation.py", line 171, in catch_exception_and_error
    res = func(**kwargs)
  File "/usr/local/lib/python3.6/dist-packages/oidctest-0.7.5-py3.6.egg/oidctest/op/oper.py", line 346, in do_user_info_request
    res = self.conv.entity.do_user_info_request(**kwargs)
  File "/usr/local/lib/python3.6/dist-packages/oidctest-0.7.5-py3.6.egg/oidctest/op/client.py", line 113, in do_user_info_request
    res = _schema().from_json(txt=_txt)
  File "/usr/local/lib/python3.6/dist-packages/oic-0.15.1-py3.6.egg/oic/oauth2/message.py", line 469, in from_json
    return self.from_dict(json.loads(txt))
  File "/usr/local/lib/python3.6/dist-packages/oic-0.15.1-py3.6.egg/oic/oauth2/message.py", line 359, in from_dict
    self._add_value(skey, vtyp, key, val, _deser, null_allowed)
  File "/usr/local/lib/python3.6/dist-packages/oic-0.15.1-py3.6.egg/oic/oauth2/message.py", line 391, in _add_value
    raise ValueError('"{}", wrong type of value for "{}"'.format(val, skey))
ValueError: "2019-08-21T19:19:04.000Z", wrong type of value for "updated_at"

Dynamic client registration should allow for a software_id to be configured and used

While the op_test tool is for testing OIDC dynamic client registration, some OPs also support the OAuth dynamic client registration protocol. This spec defines some additional inputs that the registering client must send to the OP/AS. It would make the op_test tool more useful if some/all of these were possible to configure. In particular, the software_id defined in that spec is quite useful in a number of use cases. To support the testing of these, the op_test tool should allow for a software_id to be configured:

[screenshot: mockup of the proposed software_id configuration field, 2017-08-05]

If this is configured, the test tool should include this in the body of the client registration request as JSON (per RFC 7591 and section 3.1 of the corresponding OIDC spec).
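The two registration feature requests above (an Initial Access Token sent as a Bearer token, and a software_id sent in the registration body) are easy to state as a small piece of client code. The following is an added example, not code from oidctest or from the issue authors: it builds the headers and JSON body of a dynamic client registration request the way RFC 6750 and RFC 7591 describe, and checks the registration response against the rules of OIDC Dynamic Client Registration section 3.2. The endpoint URL, client metadata and token values are constructed placeholders.

```python
import json

# Assumed placeholder; a real OP publishes this as registration_endpoint
# in its discovery document.
REGISTRATION_ENDPOINT = "https://op.example/connect/register"


def build_registration_request(client_metadata, initial_access_token=None, software_id=None):
    """Return (headers, body) for a POST to the registration endpoint.

    The Initial Access Token travels in the Authorization header as a Bearer
    token (RFC 6750 section 2.1); software_id is just another member of the
    JSON client metadata (RFC 7591 section 2, OIDC Registration section 3.1).
    """
    if not client_metadata.get("redirect_uris"):
        raise ValueError("redirect_uris is REQUIRED in a registration request")
    body = dict(client_metadata)
    if software_id is not None:
        body["software_id"] = software_id
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if initial_access_token:
        headers["Authorization"] = "Bearer " + initial_access_token
    return headers, json.dumps(body)


def check_registration_response(status, body):
    """Return a list of spec violations found in a registration response."""
    findings = []
    if status == 401:
        # RFC 7591 section 3.2.2: a missing or invalid initial access token
        # is answered with 401, so the tool can report it instead of crashing.
        findings.append("OP answered 401 Unauthorized: an Initial Access Token may be required or invalid")
        return findings
    if status != 201:
        findings.append("expected HTTP 201 Created, got %d" % status)
    resp = json.loads(body)
    if "client_id" not in resp:
        findings.append("client_id is REQUIRED in the registration response")
    if "client_secret" in resp and "client_secret_expires_at" not in resp:
        findings.append("client_secret_expires_at is REQUIRED when a client_secret is issued")
    if ("registration_access_token" in resp) != ("registration_client_uri" in resp):
        findings.append("registration_access_token and registration_client_uri MUST be returned together or not at all")
    return findings


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    headers, body = build_registration_request(
        {"redirect_uris": ["https://rp.example/authz_cb"], "response_types": ["code"]},
        initial_access_token="INITIAL-TOKEN-PLACEHOLDER",
        software_id="oidctest-rp",
    )
    print("POST", REGISTRATION_ENDPOINT, headers, body)
    sample_response = '{"client_id": "abc", "client_secret": "s3cret"}'
    print(check_registration_response(201, sample_response))
```

Sending the request is left to whatever HTTP client the tool already uses; the point is that the header and body are assembled in one place, so adding the two configuration fields is a matter of threading two optional values into this function.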

id_token_signing_alg_values not checked

At the metadata endpoint:

id_token_signing_alg_values_supported
REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included.

Mistakenly we had S256 rather than RS256 in there. As this is considered a MUST I had expected the test suite to pick that up. Maybe a check to be added?

Thanks for a great tool!
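Two of the reports above come down to an OP returning something the specs fix precisely: the discovery document listing S256 where RS256 is a MUST, and (in the OP-scope-profile report) a UserInfo response carrying updated_at as an ISO 8601 string, where OIDC Core section 5.1 defines it as a number, which is what made oidctest's int() conversion raise. The following is an added example, not code from oidctest or from the issue authors: a pair of checks that report such violations as findings instead of failing inside message parsing. The metadata and UserInfo samples are constructed for this example.

```python
import json

# OIDC Discovery 1.0, section 3: provider metadata fields marked REQUIRED.
# token_endpoint is handled separately (REQUIRED unless only the Implicit Flow
# is used).
REQUIRED_METADATA = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

# Response type sets that belong to the Implicit Flow only.
IMPLICIT_ONLY = ({"id_token"}, {"id_token", "token"})

# OIDC Core 1.0, section 5.1: standard claims with a fixed JSON type.
NUMERIC_CLAIMS = ("updated_at",)
BOOLEAN_CLAIMS = ("email_verified", "phone_number_verified")


def check_discovery_metadata(metadata):
    """Return a list of spec violations in a provider metadata document."""
    findings = []
    for key in REQUIRED_METADATA:
        if key not in metadata:
            findings.append("missing REQUIRED field %s" % key)
    issuer = metadata.get("issuer", "")
    if issuer and not issuer.startswith("https://"):
        findings.append("issuer MUST use the https scheme: %s" % issuer)
    algs = metadata.get("id_token_signing_alg_values_supported")
    if algs is not None:
        if not isinstance(algs, list):
            findings.append("id_token_signing_alg_values_supported must be a JSON array")
        elif "RS256" not in algs:
            # The case from the report above: S256 listed instead of RS256.
            findings.append("id_token_signing_alg_values_supported MUST include RS256, got %r" % (algs,))
    rts = metadata.get("response_types_supported", [])
    non_implicit = any(set(rt.split()) not in IMPLICIT_ONLY for rt in rts)
    if non_implicit and "token_endpoint" not in metadata:
        findings.append("token_endpoint is REQUIRED unless only the Implicit Flow is supported")
    return findings


def check_userinfo_claims(userinfo, id_token_sub):
    """Return a list of violations in a parsed UserInfo response.

    id_token_sub is the sub claim of the ID Token obtained in the same flow;
    OIDC Core section 5.3.2 requires the UserInfo sub to match it exactly.
    """
    findings = []
    sub = userinfo.get("sub")
    if sub is None:
        findings.append("sub is REQUIRED in the UserInfo response")
    elif sub != id_token_sub:
        findings.append("UserInfo sub %r does not match ID Token sub %r" % (sub, id_token_sub))
    for claim in NUMERIC_CLAIMS:
        val = userinfo.get(claim)
        # bool is a subclass of int in Python, so reject it explicitly.
        if val is not None and (isinstance(val, bool) or not isinstance(val, (int, float))):
            findings.append("%s must be a JSON number, got %r" % (claim, val))
    for claim in BOOLEAN_CLAIMS:
        val = userinfo.get(claim)
        if val is not None and not isinstance(val, bool):
            findings.append("%s must be a JSON boolean, got %r" % (claim, val))
    return findings


# Constructed sample metadata (placeholder host), shaped like a real discovery
# document but with S256 in place of RS256, as in the report above.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://op.example/oauth2",
  "authorization_endpoint": "https://op.example/oauth2/rest/authorize",
  "token_endpoint": "https://op.example/oauth2/rest/token",
  "jwks_uri": "https://op.example/oauth2/rest/security",
  "response_types_supported": ["code", "token", "id_token", "token id_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["S256"]
}""")

# Constructed UserInfo body with the string-valued updated_at from the trace.
SAMPLE_USERINFO = json.loads('{"sub": "weblogic", "updated_at": "2019-08-21T19:19:04.000Z"}')

if __name__ == "__main__":
    for finding in check_discovery_metadata(SAMPLE_METADATA):
        print("discovery:", finding)
    for finding in check_userinfo_claims(SAMPLE_USERINFO, "weblogic"):
        print("userinfo:", finding)
```

Run against the constructed samples, the first function reports the missing RS256 and the second reports the mistyped updated_at; a metadata document with RS256 and a UserInfo body with a numeric updated_at produce empty lists. Running these checks before handing the JSON to the message classes turns a parser exception into a red test result with a reason attached.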
