
fedlab's People

Contributors

andreassolberg avatar

Forkers

youthlab filonuse

fedlab's Issues

Error in generated OpenID Request Object

In test OpenID Request Object with Required name Claim, the script calls the authorize endpoint with URL:
https://wenou-test.wenoit.org/authorize?nonce=xQ7Yz35EyV2q&request=eyJhbGciOiJIUzI1NiJ9.eyJub25jZSI6ICJ4UTdZejM1RXlWMnEiLCAiaWRfdG9rZW4iOiB7Im1heF9hZ2UiOiA4NjQwMH0sICJzdGF0ZSI6ICJTVEFURTAiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vbG9jYWxob3N0L2NhbGxiYWNrMSIsICJ1c2VyaW5mbyI6IHsiY2xhaW1zIjogeyJuYW1lIjogbnVsbH19LCAiY2xpZW50X2lkIjogIjRmNmUwNTA5YjgxZmQ4MWUyNTAwMDA0NyIsICJzY29wZSI6IFsib3BlbmlkIl0sICJyZXNwb25zZV90eXBlIjogWyJjb2RlIl19.f-4ZGTLARstLpYJWt7rZV10krMDjjuKl2lJ90XNOyt8&state=STATE0&redirect_uri=https%3A%2F%2Flocalhost%2Fcallback1&response_type=code&client_id=4f6e0509b81fd81e25000047&scope=openid

This URL contains a "request" argument that decodes to:

{
  "client_id": "4f6e0509b81fd81e25000047", 
  "id_token": {
    "max_age": 86400
  }, 
  "nonce": "xQ7Yz35EyV2q", 
  "redirect_uri": "https://localhost/callback1", 
  "response_type": [
    "code"
  ], 
  "scope": [
    "openid"
  ], 
  "state": "STATE0", 
  "userinfo": {
    "claims": {
      "name": null
    }
  }
}

I believe that in this OpenID RequestObject the "response_type" and "scope" items should not be lists of strings but just strings.

Both the section "2.3.1.2. Request Parameter Method" of OpenID Connect Standard 1.0 - draft 08 http://openid.net/specs/openid-connect-standard-1_0.html#req_param_method and the section "2.1.2.1. OpenID Request Object" of OpenID Connect Messages 1.0 - draft 08 http://openid.net/specs/openid-connect-messages-1_0.html#auth_req show examples where these items are strings.
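The check described in this issue, written out as an added example (not code from fedlab or the oictest tool): a small HS256 request-object builder and verifier, plus a validator that flags any of the single-string authorization parameters that arrive as JSON arrays, and also confirms that response_type and client_id are present as plain query parameters and agree with the request object. The signing key is a constructed placeholder, since the real HS256 key would be the client_secret the OP issued; the claims are the ones decoded on the page, once as given and once with the two values corrected to strings.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret: in reality the HS256 key is the client_secret the OP issued.
CLIENT_SECRET = b"constructed-client-secret"

# Request parameters that OAuth 2.0 / OIDC define as single strings; scope and
# response_type are space-delimited strings, never JSON arrays.
STRING_PARAMS = ("response_type", "scope", "client_id", "redirect_uri", "state", "nonce")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_request_object(claims: dict, secret: bytes) -> str:
    """Sign the claims as an HS256 JWS, the shape the tool's 'request' value has."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_request_object(jws: str, secret: bytes) -> dict:
    """Verify the HS256 signature (rejecting any other alg) and return the claims."""
    header_b64, payload_b64, sig_b64 = jws.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg in request object header")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("request object signature does not verify")
    return json.loads(b64url_decode(payload_b64))


def check_request_object(authorize_url: str, secret: bytes) -> list:
    """List the problems in the 'request' parameter of an authorization URL."""
    query = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    claims = decode_request_object(query["request"], secret)
    problems = []
    for name in STRING_PARAMS:
        if name in claims and not isinstance(claims[name], str):
            problems.append(f"{name} is {type(claims[name]).__name__}, expected string")
    # response_type and client_id must also be sent as plain OAuth parameters,
    # and where the request object carries them as strings the two must agree.
    for name in ("response_type", "client_id"):
        if name not in query:
            problems.append(f"{name} missing from the query string")
        elif isinstance(claims.get(name), str) and claims[name] != query[name]:
            problems.append(f"{name} differs between query string and request object")
    return problems


def build_authorize_url(claims: dict, secret: bytes) -> str:
    """Rebuild the page's authorize URL: request object plus the plain OAuth parameters."""
    plain = {
        "nonce": claims["nonce"],
        "request": make_request_object(claims, secret),
        "state": claims["state"],
        "redirect_uri": claims["redirect_uri"],
        "response_type": "code",
        "client_id": claims["client_id"],
        "scope": "openid",
    }
    return "https://wenou-test.wenoit.org/authorize?" + urlencode(plain)


# The claims exactly as decoded on the page: response_type and scope are lists.
PAGE_CLAIMS = {
    "client_id": "4f6e0509b81fd81e25000047",
    "id_token": {"max_age": 86400},
    "nonce": "xQ7Yz35EyV2q",
    "redirect_uri": "https://localhost/callback1",
    "response_type": ["code"],
    "scope": ["openid"],
    "state": "STATE0",
    "userinfo": {"claims": {"name": None}},
}
# The same request object with the two values as strings, as the spec examples show.
FIXED_CLAIMS = dict(PAGE_CLAIMS, response_type="code", scope="openid")

if __name__ == "__main__":
    for label, claims in (("page", PAGE_CLAIMS), ("fixed", FIXED_CLAIMS)):
        url = build_authorize_url(claims, CLIENT_SECRET)
        print(label, check_request_object(url, CLIENT_SECRET))
```

Run as-is, the page's claims produce two findings (response_type and scope are lists) and the corrected claims produce none. The verifier also refuses any alg other than HS256 before looking at the payload, so an OP using this check never acts on claims whose signature it has not validated.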

Error in test "Authorization request missing the 'response_type' parameter"

This test "Checks that the HTTP response status is outside the 200 or 300 range or that an JSON encoded error message has been received".

But the Oauth 2.0 draft 25 states in section 3.1.1:
If an authorization request is missing the "response_type" parameter, [...], the authorization server MUST return an error response as described in Section 4.1.2.1.

And section 4.1.2.1 says:
[...] if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format:[...]

So the OP should return a response status in the 300 range and this test seems to be wrong.

Error in test "Implicit flow with Code+IDToken"?

This test calls the authorize endpoint with response_type=code+id_token.

After user authentication, the OP redirects with a location containing a code and an id_token in the fragment:

The test then calls the token endpoint with the returned code.

The OP returns a JSON object containing
{
"access_token": "XXX",
"expires_in": 3600,
"id_token": "YYY",
"refresh_token": "ZZZ",
"scope": "openid",
"token_type": "Bearer"
}

Then the test calls the userinfo endpoint with:
URL: https://wenou-test.wenoit.org/openid-connect/user-info?
BODY: None
HEADERS: {'cookie': 'wenou-test=927480260d2fd07114ece9311eb79272', 'Authorization': 'Bearer None'}

And the OP responds with a 401: www-authenticate: 'Bearer error="invalid_token", error_description="Invalid format for token

In my opinion the OP response is right to respond with a 401 since the test should not have sent a "Bearer None" authorization header. But the test checks "that the HTTP response status is within the 200 or 300 range " and fails...
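The client-side handling this issue calls for, as an added example that is not part of the original report or of the test tool: the redirect Location is parsed from both its query and its fragment (the hybrid response_type puts code and id_token in the fragment), the state is checked against the one the client sent, and the access token presented to userinfo is taken from the token endpoint response after the code exchange, with the Authorization header builder refusing to serialise a missing token as "Bearer None". The redirect Location below is constructed, since the page elides the real one; the token response is the one shown above.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlsplit


def parse_authorization_response(location: str) -> dict:
    """Merge the parameters found in the query and in the fragment of the redirect.

    With response_type=code id_token the OP places code and id_token in the fragment.
    """
    parts = urlsplit(location)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(parse_qsl(parts.fragment, keep_blank_values=True))
    return params


def bearer_header(access_token: Optional[str]) -> dict:
    """Build the Authorization header, refusing to send a missing token as 'Bearer None'."""
    if not isinstance(access_token, str) or not access_token:
        raise ValueError("no access token available; not sending a Bearer header")
    return {"Authorization": "Bearer " + access_token}


def userinfo_headers(authz_params: dict, token_response: Optional[dict],
                     expected_state: str) -> dict:
    """Choose the token the userinfo call should present.

    After a code exchange it comes from the token endpoint response; in a pure
    implicit flow (id_token token) it comes from the fragment. The state echoed
    by the OP must be the one this client sent.
    """
    if authz_params.get("state") != expected_state:
        raise ValueError("state mismatch in authorization response")
    token = None
    if token_response is not None:
        token = token_response.get("access_token")
    if token is None:
        token = authz_params.get("access_token")
    return bearer_header(token)


# Constructed redirect Location for the hybrid flow (the page elides the real one)
# and the token response as shown on the page.
LOCATION = "https://localhost/callback1#code=c0nstructedCode&id_token=YYY&state=STATE0"
TOKEN_RESPONSE = {"access_token": "XXX", "expires_in": 3600, "id_token": "YYY",
                  "refresh_token": "ZZZ", "scope": "openid", "token_type": "Bearer"}

if __name__ == "__main__":
    authz = parse_authorization_response(LOCATION)
    print(authz["code"], userinfo_headers(authz, TOKEN_RESPONSE, "STATE0"))
```

With the token response present the header is "Bearer XXX"; with no token response and no access_token in the fragment the client stops with a ValueError instead of sending a request the OP is right to reject with 401.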

Error in test "Request with prompt=none"?

The test "Request with prompt=none" says that it "Verifies that the response received was an Error response ".

The OAuth 2.0 draft 25 http://tools.ietf.org/html/draft-ietf-oauth-v2-25 says in section "4.1.2.1. Error Response":
If the resource owner denies the access request or if the request fails for reasons other than a missing or invalid redirection URI, the authorization server informs the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format:.[...] error (required), state (required) [...]

So my application Wenou responds with a redirect to location https://localhost/callback1?error=login_required&error_description=Client+asked+not+display+any+user+interface%2C+but+user+is+not+authenticated.&state=STATE0

I believe this is the correct behaviour, but your test doesn't handle it.

By the way, this web test tool is fantastic.
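The OP-side behaviour argued for in this issue and in the earlier "missing response_type" issue, as one added example (not code from fedlab, oictest or Wenou): a function that decides which error response an authorization request gets under OAuth 2.0 section 4.1.2.1. A missing or unregistered redirect_uri is answered directly to the user agent with a 400, while every other failure (missing response_type, unsupported response_type, prompt=none without an authenticated user) is a 302 to the redirect_uri with error, error_description and, when the client sent one, state in the query component; for implicit and hybrid response types the same parameters go in the fragment. The registered client and redirect_uri are a constructed registration using the values seen on the page.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed registration using the client_id and redirect_uri seen on the page.
REGISTERED_CLIENTS = {"4f6e0509b81fd81e25000047": {"https://localhost/callback1"}}
SUPPORTED_RESPONSE_TYPES = {"code", "id_token", "id_token token", "code id_token"}


def append_params(uri: str, params: dict, in_fragment: bool) -> str:
    """Add params to the query (or fragment) of uri, keeping any query it already has."""
    parts = urlsplit(uri)
    if in_fragment:
        return urlunsplit(parts._replace(fragment=urlencode(params)))
    existing = parse_qsl(parts.query, keep_blank_values=True)
    return urlunsplit(parts._replace(query=urlencode(existing + list(params.items()))))


def error_redirect(redirect_uri: str, error: str, description: str,
                   state: Optional[str], in_fragment: bool = False) -> Tuple[int, dict]:
    """RFC 6749 4.1.2.1: error and error_description go to the redirect_uri; state if sent."""
    params = {"error": error, "error_description": description}
    if state is not None:
        params["state"] = state
    return 302, {"Location": append_params(redirect_uri, params, in_fragment)}


def authorization_error(params: dict, user_authenticated: bool) -> Optional[Tuple[int, dict]]:
    """Return the (status, headers) the OP must answer with, or None if the request may proceed."""
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    # Unknown client or unregistered redirect_uri: never redirect, answer the user agent directly.
    if client_id not in REGISTERED_CLIENTS or redirect_uri not in REGISTERED_CLIENTS[client_id]:
        return 400, {"Content-Type": "application/json"}
    state = params.get("state")
    response_type = params.get("response_type")
    if response_type is None:
        return error_redirect(redirect_uri, "invalid_request", "missing response_type", state)
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        return error_redirect(redirect_uri, "unsupported_response_type", response_type, state)
    # Implicit and hybrid responses, errors included, travel in the fragment.
    in_fragment = response_type != "code"
    if params.get("prompt") == "none" and not user_authenticated:
        return error_redirect(redirect_uri, "login_required",
                              "prompt=none but the user is not authenticated", state, in_fragment)
    return None


if __name__ == "__main__":
    base = {"client_id": "4f6e0509b81fd81e25000047",
            "redirect_uri": "https://localhost/callback1", "state": "STATE0", "scope": "openid"}
    print(authorization_error(base, user_authenticated=True))
    print(authorization_error(dict(base, response_type="code", prompt="none"), False))
    print(authorization_error(dict(base, redirect_uri="https://localhost/other"), True))
```

The ordering matters: redirect_uri is validated before anything else, because every later error is delivered by redirecting to it, and an OP that redirected errors to an unvalidated URI would be sending error details wherever the request pointed.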

Double URL encoded parameter in test: Request with redirect_uri with query component

In the authorization request, the parameter redirect_uri has been URL encoded two times:

Original Value
https%253A%2F%2Fopenidtest.uninett.no%2Fauthz_cb%253Ffox%253Dbat

1st URL Decode
https%3A//openidtest.uninett.no/authz_cb%3Ffox%3Dbat

2nd URL Decode
https://openidtest.uninett.no/authz_cb?fox=bat

Here is my complete debug output:

0.002612 EXPORT
0.016228 Started key provider
1.018564 ======================================================================
1.018781 <-- FUNCTION: discover
1.018910 <-- ARGS: {'features': {u'key_export': True, u'registration': True, u'session_management': True, u'discovery': True}, 'location': '', 'trace': <oictest.base.Trace object at 0x1fe0b90>, 'issuer': u'https://seed.gluu.org'}
2.251798 {u'https://seed.gluu.org': {'ver': {'rsa': [<M2Crypto.RSA.RSA_pub instance at 0x2063c20>, <M2Crypto.RSA.RSA_pub instance at 0x2063c68>, <M2Crypto.RSA.RSA_pub instance at 0x2063cb0>]}, 'dec': {}, 'enc': {}, 'sig': {}}, '.': {'ver': {'rsa': [<M2Crypto.RSA.RSA_pub instance at 0x2054758>]}, 'dec': {}, 'enc': {}, 'sig': {'rsa': [<M2Crypto.RSA.RSA_pub instance at 0x2054758>]}}}
2.252293 ======================================================================
2.252998 --> URL: https://seed.gluu.org/oxauth/seam/resource/restv1/oxauth/register
2.253008 --> BODY: client_id=&redirect_uris=https%3A%2F%2Fopenidtest.uninett.no%2Fauthz_cb&type=client_associate&jwk_url=http%3A%2F%2Fopenidtest.uninett.no%3A8090%2Fexport%2Fjwk.json&x509_url=http%3A%2F%2Fopenidtest.uninett.no%3A8090%2Fexport%2Fcert.pem
2.253018 --> HEADERS: {'content-type': 'application/x-www-form-urlencoded'}
3.075780 <-- RESPONSE: <Response [200]>
3.093311 <-- CONTENT: {"client_id":"@!1111!0008!E943.3D85","client_secret":"339584c6-103e-48e8-ac04-d132060583cd","expires_at":1349280212}
3.093339 <-- COOKIES: {'JSESSIONID': '773CDAA535EE6940A8C09BD7942A44D4'}
3.096136 [RegistrationResponseCARS]: {'client_secret': u'339584c6-103e-48e8-ac04-d132060583cd', 'expires_at': 1349280212, 'client_id': u'@!1111!0008!E943.3D85'}
3.096236 ======================================================================
3.097052 --> URL: https://seed.gluu.org/oxauth/seam/resource/restv1/oxauth/authorize?nonce=Mn4FCaqydhFQ&state=STATE0&redirect_uri=https%253A%2F%2Fopenidtest.uninett.no%2Fauthz_cb%253Ffox%253Dbat&response_type=code&client_id=%40%211111%210008%21E943.3D85&scope=openid
3.097063 --> BODY: None
3.782785 <-- RESPONSE: <Response [400]>
3.783056 <-- CONTENT: {"error":"invalid_request_redirect_uri","error_description":"The redirect_uri in the Authorization Request does not match any of the Client's pre-registered redirect_uris.","state":"STATE0"}
3.783073 <-- COOKIES: {'JSESSIONID': '6952691AE7755A97D3586A63C4168D73'}
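The encoding problem in this issue from both sides, as an added example that is neither fedlab's nor Gluu's code: the client builds the authorize URL with urlencode so every value is percent-encoded exactly once, and the OP lets its query parser perform the single decode, then compares redirect_uri to the registered values by exact string match, never decoding a second time to make a mismatch disappear. A small diagnostic tells a double-encoded value (no URI scheme, but one more decode would produce one) apart from a merely malformed one. The query string is the one from the failing request in the debug output above; the registered redirect_uri is a constructed registration using the fully decoded value shown above.

```python
import re
from urllib.parse import parse_qs, unquote, urlencode

# Constructed registration: the value the page shows after the second decode.
REGISTERED_REDIRECT_URIS = {"https://openidtest.uninett.no/authz_cb?fox=bat"}
# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def build_authorize_url(endpoint: str, params: dict) -> str:
    """Client side: urlencode percent-encodes every value exactly once.

    Pre-encoding a value by hand and then passing it through here is what doubles it.
    """
    return endpoint + "?" + urlencode(params)


def parse_authorize_query(query: str) -> dict:
    """OP side: the query parser performs the one and only decode; values are used as-is."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def diagnose_redirect_uri(value: str) -> str:
    """Classify the redirect_uri as the OP received it (after the parser's single decode)."""
    if SCHEME_RE.match(value):
        return "ok"
    # 'https%3A//...' has no scheme, but one more decode would give it one: encoded twice.
    if PCT_RE.search(value) and SCHEME_RE.match(unquote(value)):
        return "double-encoded"
    return "not an absolute URI"


def redirect_uri_matches(received: str, registered: set) -> bool:
    """Exact string comparison against the registered URIs; never decode again to force a match."""
    return received in registered


# Query string of the failing request in the debug output above (the part after '?').
PAGE_QUERY = ("nonce=Mn4FCaqydhFQ&state=STATE0"
              "&redirect_uri=https%253A%2F%2Fopenidtest.uninett.no%2Fauthz_cb%253Ffox%253Dbat"
              "&response_type=code&client_id=%40%211111%210008%21E943.3D85&scope=openid")

if __name__ == "__main__":
    received = parse_authorize_query(PAGE_QUERY)["redirect_uri"]
    print(received, diagnose_redirect_uri(received),
          redirect_uri_matches(received, REGISTERED_REDIRECT_URIS))
    # Constructed endpoint; encoding the value once makes the round trip exact.
    url = build_authorize_url("https://op.example/authorize",
                              {"redirect_uri": "https://openidtest.uninett.no/authz_cb?fox=bat",
                               "state": "STATE0"})
    fixed = parse_authorize_query(url.split("?", 1)[1])["redirect_uri"]
    print(fixed, diagnose_redirect_uri(fixed),
          redirect_uri_matches(fixed, REGISTERED_REDIRECT_URIS))
```

Decoding the page's query once yields https%3A//openidtest.uninett.no/authz_cb%3Ffox%3Dbat, which is classified as double-encoded and does not match, which is the 400 the OP returned; the singly encoded value round-trips to the registered URI exactly. The same parser also recovers the client_id @!1111!0008!E943.3D85 from its single encoding, which confirms that only redirect_uri was encoded twice.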
