Test Name | fapi1-advanced-final-ensure-mtls-holder-of-key-required |
---|---|
Variant | client_auth_type=mtls, fapi_auth_request_method=by_value, fapi_profile=openbanking_brazil, fapi_response_mode=plain_response |
Test ID | ImZmsuxLyabRTTV https://www.certification.openid.net/log-detail.html?public=true&log=ImZmsuxLyabRTTV |
Created | 2021-07-08T15:21:39.131029Z |
Description | Sicredi Advanced Final Authorization Server |
Test Version | 4.1.18 |
Test Owner | 100942908224989670149 https://accounts.google.com |
Plan ID | LaXW3t3DyFl9z https://www.certification.openid.net/plan-detail.html?public=true&plan=LaXW3t3DyFl9z |
Exported From | https://www.certification.openid.net |
Exported By | 100942908224989670149 https://accounts.google.com |
Suite Version | 4.1.18 |
Exported | 2021-07-08 15:28:46 (UTC) |
Status: FINISHED Result: WARNING |
SUCCESS 94 FAILURE 0 WARNING 1 REVIEW 0 INFO 1 |
2021-07-08 15:21:39 |
INFO
|
TEST-RUNNER
Test instance ImZmsuxLyabRTTV created
|
||||||||||||||
|
2021-07-08 15:21:39 |
SUCCESS
|
CreateRedirectUri
Created redirect URI
|
||
|
2021-07-08 15:21:39 |
|
GetDynamicServerConfiguration
HTTP request
|
||||||||
|
2021-07-08 15:21:40 |
RESPONSE
|
GetDynamicServerConfiguration
HTTP response
|
||||||||
|
2021-07-08 15:21:40 |
|
GetDynamicServerConfiguration
Downloaded server configuration
|
||
|
2021-07-08 15:21:40 |
SUCCESS
|
GetDynamicServerConfiguration
Successfully parsed server configuration
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
2021-07-08 15:21:40 | SUCCESS |
AddMTLSEndpointAliasesToEnvironment
Added mtls_endpoint_aliases to environment
|
||
|
2021-07-08 15:21:40 |
SUCCESS
|
CheckServerConfiguration
Found required server configuration keys
|
||
|
2021-07-08 15:21:40 |
|
FetchServerKeys
Fetching server key
|
||
|
2021-07-08 15:21:40 |
|
FetchServerKeys
HTTP request
|
||||||||
|
2021-07-08 15:21:40 |
RESPONSE
|
FetchServerKeys
HTTP response
|
||||||||
|
2021-07-08 15:21:40 |
|
FetchServerKeys
Found JWK set string
|
||
|
2021-07-08 15:21:40 |
SUCCESS
|
FetchServerKeys
Found server JWK set
|
||
|
2021-07-08 15:21:40 |
SUCCESS
|
CheckServerKeysIsValid
Server JWKs is valid
|
||
|
2021-07-08 15:21:40 | SUCCESS |
ValidateServerJWKs
Valid server JWKs: keys are valid JSON, contain the required fields and are correctly encoded using unpadded base64url
|
|
2021-07-08 15:21:40 | SUCCESS |
CheckForKeyIdInServerJWKs
All keys contain kids
|
|
2021-07-08 15:21:40 | SUCCESS |
EnsureServerJwksDoesNotContainPrivateOrSymmetricKeys
Jwks does not contain any private or symmetric keys
|
|
2021-07-08 15:21:40 | SUCCESS |
FAPIEnsureMinimumServerKeyLength
Validated minimum key lengths for server_jwks
|
||
|
2021-07-08 15:21:40 |
SUCCESS
|
GetStaticClientConfiguration
Found a static client object
|
||||||
|
2021-07-08 15:21:40 |
SUCCESS
|
ValidateMTLSCertificatesHeader
MTLS certificates header is valid
|
|
2021-07-08 15:21:40 |
SUCCESS
|
ExtractMTLSCertificatesFromConfiguration
Mutual TLS authentication credentials loaded
|
||||||
|
2021-07-08 15:21:40 | SUCCESS |
ValidateClientJWKsPrivatePart
Valid client JWKs: keys are valid JSON, contain the required fields, the private/public exponents match and are correctly encoded using unpadded base64url
|
|
2021-07-08 15:21:40 |
SUCCESS
|
ExtractJWKsFromStaticClientConfiguration
Extracted client JWK
|
||||
|
2021-07-08 15:21:40 | SUCCESS |
CheckForKeyIdInClientJWKs
All keys contain kids
|
|
2021-07-08 15:21:40 | SUCCESS |
CheckDistinctKeyIdValueInClientJWKs
Distinct 'kid' value in all keys of client_jwks
|
||
|
2021-07-08 15:21:40 | SUCCESS |
FAPIBrazilCheckKeyAlgInClientJWKs
Keys in client JWKS all have permitted 'alg'
|
||
|
2021-07-08 15:21:40 | SUCCESS |
FAPIEnsureMinimumClientKeyLength
Validated minimum key lengths for client_jwks
|
||
|
2021-07-08 15:21:40 |
SUCCESS
|
ValidateMTLSCertificatesAsX509
Mutual TLS authentication cert validated as X.509
|
|
Verify configuration of second client |
2021-07-08 15:21:40 |
SUCCESS
|
GetStaticClient2Configuration
Found a static second client object
|
||||||
|
2021-07-08 15:21:40 |
SUCCESS
|
ValidateMTLSCertificates2Header
MTLS certificates header is valid
|
|
2021-07-08 15:21:40 |
SUCCESS
|
ExtractMTLSCertificates2FromConfiguration
Mutual TLS authentication credentials loaded
|
||||||
|
2021-07-08 15:21:40 | SUCCESS |
ValidateClientJWKsPrivatePart
Valid client JWKs: keys are valid JSON, contain the required fields, the private/public exponents match and are correctly encoded using unpadded base64url
|
|
2021-07-08 15:21:40 |
SUCCESS
|
ExtractJWKsFromStaticClientConfiguration
Extracted client JWK
|
||||
|
2021-07-08 15:21:40 | SUCCESS |
CheckForKeyIdInClientJWKs
All keys contain kids
|
|
2021-07-08 15:21:40 | SUCCESS |
CheckDistinctKeyIdValueInClientJWKs
Distinct 'kid' value in all keys of client_jwks
|
||
|
2021-07-08 15:21:40 | SUCCESS |
FAPIBrazilCheckKeyAlgInClientJWKs
Keys in client JWKS all have permitted 'alg'
|
||
|
2021-07-08 15:21:40 | SUCCESS |
FAPIEnsureMinimumClientKeyLength
Validated minimum key lengths for client_jwks
|
||
|
2021-07-08 15:21:40 |
SUCCESS
|
ValidateMTLSCertificatesAsX509
Mutual TLS authentication cert validated as X.509
|
|
2021-07-08 15:21:40 |
SUCCESS
|
GetResourceEndpointConfiguration
Found a resource endpoint object
|
||||||
|
2021-07-08 15:21:40 |
SUCCESS
|
SetProtectedResourceUrlToSingleResourceEndpoint
Set protected resource URL
|
||
|
2021-07-08 15:21:40 |
SUCCESS
|
ExtractTLSTestValuesFromResourceConfiguration
Extracted TLS information from resource endpoint
|
||
|
2021-07-08 15:21:40 |
SUCCESS
|
ExtractTLSTestValuesFromOBResourceConfiguration
Extracted TLS information from resource endpoint
|
||||
|
2021-07-08 15:21:40 |
|
fapi1-advanced-final-ensure-mtls-holder-of-key-required
Setup Done
|
|
2021-07-08 15:21:40 |
SUCCESS
|
ExtractTLSTestValuesFromServerConfiguration
Extracted TLS information from authorization server configuration
|
||||||||
|
Authorization endpoint TLS test |
2021-07-08 15:21:40 | SUCCESS |
EnsureTLS12WithFAPICiphers
Server agreed to TLS 1.2
|
||||
|
2021-07-08 15:21:41 | SUCCESS |
DisallowTLS10
Server refused TLS 1.0 handshake
|
||||
|
2021-07-08 15:21:41 | SUCCESS |
DisallowTLS11
Server refused TLS 1.1 handshake
|
||||
|
Token Endpoint TLS test |
2021-07-08 15:21:41 | SUCCESS |
EnsureTLS12WithFAPICiphers
Server agreed to TLS 1.2
|
||||
|
2021-07-08 15:21:42 | SUCCESS |
DisallowTLS10
Server refused TLS 1.0 handshake
|
||||
|
2021-07-08 15:21:42 | SUCCESS |
DisallowTLS11
Server refused TLS 1.1 handshake
|
||||
|
2021-07-08 15:21:42 |
|
DisallowInsecureCipher
Trying to connect with a non-permitted cipher (this is not exhaustive: check the server configuration manually to verify conformance)
|
||||
|
2021-07-08 15:21:42 | SUCCESS |
DisallowInsecureCipher
The TLS handshake was rejected when trying to connect with disallowed ciphers.
|
||||
|
Userinfo Endpoint TLS test |
2021-07-08 15:21:43 | SUCCESS |
EnsureTLS12WithFAPICiphers
Server agreed to TLS 1.2
|
||||
|
2021-07-08 15:21:43 | SUCCESS |
DisallowTLS10
Server refused TLS 1.0 handshake
|
||||
|
2021-07-08 15:21:43 | SUCCESS |
DisallowTLS11
Server refused TLS 1.1 handshake
|
||||
|
2021-07-08 15:21:43 |
|
DisallowInsecureCipher
Trying to connect with a non-permitted cipher (this is not exhaustive: check the server configuration manually to verify conformance)
|
||||
|
2021-07-08 15:21:43 | SUCCESS |
DisallowInsecureCipher
The TLS handshake was rejected when trying to connect with disallowed ciphers.
|
||||
|
Registration Endpoint TLS test |
2021-07-08 15:21:44 | SUCCESS |
EnsureTLS12WithFAPICiphers
Server agreed to TLS 1.2
|
||||
|
2021-07-08 15:21:44 | SUCCESS |
DisallowTLS10
Server refused TLS 1.0 handshake
|
||||
|
2021-07-08 15:21:44 | SUCCESS |
DisallowTLS11
Server refused TLS 1.1 handshake
|
||||
|
2021-07-08 15:21:44 |
|
DisallowInsecureCipher
Trying to connect with a non-permitted cipher (this is not exhaustive: check the server configuration manually to verify conformance)
|
||||
|
2021-07-08 15:21:44 | SUCCESS |
DisallowInsecureCipher
The TLS handshake was rejected when trying to connect with disallowed ciphers.
|
||||
|
Use client_credentials grant to obtain Brazil consent |
2021-07-08 15:21:44 |
SUCCESS
|
CreateTokenEndpointRequestForClientCredentialsGrant
|
||||
|
2021-07-08 15:21:44 |
SUCCESS
|
SetConsentsScopeOnTokenEndpointRequest
Set scope parameter to 'consents'
|
||||
|
2021-07-08 15:21:44 |
SUCCESS
|
AddClientIdToTokenEndpointRequest
|
||||||
|
2021-07-08 15:21:44 |
|
CallTokenEndpoint
HTTP request
|
||||||||||
|
2021-07-08 15:21:45 |
RESPONSE
|
CallTokenEndpoint
HTTP response
|
||||||||
|
2021-07-08 15:21:45 |
|
CallTokenEndpoint
Token endpoint response
|
||
|
2021-07-08 15:21:45 |
SUCCESS
|
CallTokenEndpoint
Parsed token endpoint response
|
||||||||
|
2021-07-08 15:21:45 |
SUCCESS
|
CheckIfTokenEndpointResponseError
No error from token endpoint
|
|
2021-07-08 15:21:45 |
SUCCESS
|
CheckForAccessTokenValue
Found an access token
|
||
|
2021-07-08 15:21:45 |
SUCCESS
|
ExtractAccessTokenFromTokenResponse
Extracted the access token
|
||||
|
2021-07-08 15:21:45 | SUCCESS |
ExtractExpiresInFromTokenEndpointResponse
Extracted 'expires_in'
|
||
|
2021-07-08 15:21:45 | SUCCESS |
ValidateExpiresIn
expires_in passed all validation checks
|
||
|
2021-07-08 15:21:45 |
|
CreateEmptyResourceEndpointRequestHeaders
Created empty headers
|
||
|
2021-07-08 15:21:45 |
SUCCESS
|
AddFAPIAuthDateToResourceEndpointRequest
Added x-fapi-auth-date to resource endpoint request headers
|
||
|
2021-07-08 15:21:45 |
SUCCESS
|
FAPIBrazilCreateConsentRequest
|
||
|
2021-07-08 15:21:45 |
SUCCESS
|
FAPIBrazilAddExpirationToConsentRequest
Added expiration time to consent request
|
||
|
2021-07-08 15:21:45 |
|
CallConsentEndpointWithBearerToken
HTTP request
|
||||||||||
|
2021-07-08 15:21:46 |
RESPONSE
|
CallConsentEndpointWithBearerToken
HTTP response
|
||||||||
|
2021-07-08 15:21:46 |
|
CallConsentEndpointWithBearerToken
Consent endpoint response
|
||
|
2021-07-08 15:21:46 |
SUCCESS
|
CallConsentEndpointWithBearerToken
Parsed consent endpoint response
|
||||
|
2021-07-08 15:21:46 | SUCCESS |
CheckForFAPIInteractionIdInResourceResponse
Found x-fapi-interaction-id
|
||
|
2021-07-08 15:21:46 |
SUCCESS
|
ExtractConsentIdFromConsentEndpointResponse
Extracted the consent id
|
||
|
2021-07-08 15:21:46 |
SUCCESS
|
FAPIBrazilAddConsentIdToClientScope
Added scope of 'openid resources consents consent:urn:sicredi:150a420f-3161-49d2-96ee-ce0870bac4fe' to client's scope
|
||||||
|
Make request to authorization endpoint |
2021-07-08 15:21:46 |
SUCCESS
|
CreateAuthorizationEndpointRequestFromClientInformation
Created authorization endpoint request
|
||||||
|
2021-07-08 15:21:46 |
|
CreateRandomStateValue
Created state value
|
||||
|
2021-07-08 15:21:46 |
SUCCESS
|
AddStateToAuthorizationEndpointRequest
Added state parameter to request
|
||||||||
|
2021-07-08 15:21:46 |
|
CreateRandomNonceValue
Created nonce value
|
||||
|
2021-07-08 15:21:46 |
SUCCESS
|
AddNonceToAuthorizationEndpointRequest
Added nonce parameter to request
|
||||||||||
|
2021-07-08 15:21:46 |
SUCCESS
|
SetAuthorizationEndpointRequestResponseTypeToCodeIdtoken
Added response_type parameter to request
|
||||||||||||
|
2021-07-08 15:21:46 |
SUCCESS
|
ConvertAuthorizationEndpointRequestToRequestObject
Created request object claims
|
||
|
2021-07-08 15:21:46 | SUCCESS |
AddNbfToRequestObject
Added nbf to request object claims
|
||
|
2021-07-08 15:21:46 | SUCCESS |
AddExpToRequestObject
Added exp to request object claims
|
||
|
2021-07-08 15:21:46 | SUCCESS |
AddAudToRequestObject
Added aud to request object claims
|
||
|
2021-07-08 15:21:46 | SUCCESS |
AddIssToRequestObject
Added iss to request object claims
|
||
|
2021-07-08 15:21:46 | SUCCESS |
AddClientIdToRequestObject
Added client_id to request object claims
|
||
|
2021-07-08 15:21:46 |
SUCCESS
|
SignRequestObject
Signed the request object
|
||||||||
|
2021-07-08 15:21:46 |
|
FAPIBrazilEncryptRequestObject
Encrypted the request object
|
||||||
|
2021-07-08 15:21:46 |
SUCCESS
|
BuildRequestObjectByValueRedirectToAuthorizationEndpoint
Sending to authorization endpoint
|
||
|
2021-07-08 15:21:46 |
REDIRECT
|
fapi1-advanced-final-ensure-mtls-holder-of-key-required
Redirecting to authorization endpoint
|
||
|
2021-07-08 15:24:15 |
INCOMING
|
fapi1-advanced-final-ensure-mtls-holder-of-key-required
Incoming HTTP request to test instance ImZmsuxLyabRTTV
|
||||||||||||||
|
2021-07-08 15:24:15 |
SUCCESS
|
CreateRandomImplicitSubmitUrl
Created random implicit submission URL
|
||
|
2021-07-08 15:24:15 |
OUTGOING
|
fapi1-advanced-final-ensure-mtls-holder-of-key-required
Response to HTTP request to test instance ImZmsuxLyabRTTV
|
||||
|
2021-07-08 15:24:15 |
INCOMING
|
fapi1-advanced-final-ensure-mtls-holder-of-key-required
Incoming HTTP request to test instance ImZmsuxLyabRTTV
|
||||||||||||||
|
2021-07-08 15:24:15 |
SUCCESS
|
CreateRandomImplicitSubmitUrl
Created random implicit submission URL
|
||
|
2021-07-08 15:24:15 |
OUTGOING
|
fapi1-advanced-final-ensure-mtls-holder-of-key-required
Response to HTTP request to test instance ImZmsuxLyabRTTV
|
||||
|
2021-07-08 15:24:15 |
INCOMING
|
fapi1-advanced-final-ensure-mtls-holder-of-key-required
Incoming HTTP request to test instance ImZmsuxLyabRTTV
|
||||||||||||||
|
2021-07-08 15:24:15 |
OUTGOING
|
fapi1-advanced-final-ensure-mtls-holder-of-key-required
Response to HTTP request to test instance ImZmsuxLyabRTTV
|
||||||||
|
2021-07-08 15:24:15 |
|
ExtractImplicitHashToCallbackResponse
Extracted response from URL fragment
|
||
|
2021-07-08 15:24:15 |
SUCCESS
|
ExtractImplicitHashToCallbackResponse
Extracted the hash values
|
||||||||||
|
2021-07-08 15:24:15 |
REDIRECT-IN
|
fapi1-advanced-final-ensure-mtls-holder-of-key-required
Authorization endpoint response captured
|
||||||||||
|
Verify authorization endpoint response |
2021-07-08 15:24:15 | SUCCESS |
RejectErrorInUrlQuery
'error' is not present in URL query returned from authorization endpoint
|
|
2021-07-08 15:24:15 | SUCCESS |
RejectAuthCodeInUrlQuery
Authorization code is not present in URL query returned from authorization endpoint
|
|
2021-07-08 15:24:15 |
SUCCESS
|
CheckMatchingCallbackParameters
Callback parameters successfully verified
|
|
2021-07-08 15:24:15 | SUCCESS |
RejectStateInUrlQueryForHybridFlow
state is correctly not present in URL query returned from authorization endpoint (as in the hybrid flow it must be returned in the URL fragment/hash only)
|
|
2021-07-08 15:24:15 |
SUCCESS
|
CheckIfAuthorizationEndpointError
No error from authorization endpoint
|
|
2021-07-08 15:24:15 |
WARNING
|
ValidateSuccessfulHybridResponseFromAuthorizationEndpoint
authorization endpoint response includes unexpected parameters. This may be because the authorization server supports protocol extensions the conformance suite is unaware of, but may also be because the server is implementing the specification incorrectly.
|
||
|
2021-07-08 15:24:15 | SUCCESS |
CheckStateInAuthorizationResponse
State in response correctly returned
|
||
|
2021-07-08 15:24:15 |
|
ValidateIssInAuthorizationResponse
No 'iss' value in authorization response.
|
|
2021-07-08 15:24:15 |
SUCCESS
|
ExtractAuthorizationCodeFromAuthorizationResponse
Found authorization code
|
||
|
2021-07-08 15:24:15 | SUCCESS |
EnsureMinimumAuthorizationCodeLength
Authorization code is of sufficient length
|
||||
|
2021-07-08 15:24:15 | SUCCESS |
EnsureMinimumAuthorizationCodeEntropy
Calculated shannon entropy seems sufficient
|
||||
|
2021-07-08 15:24:15 |
SUCCESS
|
CreateTokenEndpointRequestForAuthorizationCodeGrant
|
||||||
|
2021-07-08 15:24:15 |
SUCCESS
|
AddClientIdToTokenEndpointRequest
|
||||||||
|
2021-07-08 15:24:15 |
SUCCESS
|
RemoveMTLSCertificates
Removed mutual TLS authentication credentials
|
|
2021-07-08 15:24:16 |
|
CallTokenEndpointAllowingTLSFailure
HTTP request
|
||||||||
|
2021-07-08 15:24:16 | SUCCESS |
CallTokenEndpointAllowingTLSFailure
Call to token_endpoint failed due to a TLS issue
|
||||||||||||
|
2021-07-08 15:24:16 |
FINISHED
|
fapi1-advanced-final-ensure-mtls-holder-of-key-required
Test has run to completion
|
||
|
2021-07-08 15:24:39 |
|
TEST-RUNNER
Alias has now been claimed by another test
|
||||
|