Test Name | fapi1-advanced-final-ensure-authorization-code-is-bound-to-client |
---|---|
Variant | client_auth_type=mtls, fapi_auth_request_method=by_value, fapi_profile=plain_fapi, fapi_response_mode=jarm |
Test ID | Ujk25ylGo4OvGyx https://www.certification.openid.net/log-detail.html?public=true&log=Ujk25ylGo4OvGyx |
Created | 2022-11-16T07:54:57.770269Z |
Description | NC7000-3A-OC FAPI Final Conformance Test No2 |
Test Version | 5.0.7 |
Test Owner | 104676522646289729413 https://accounts.google.com |
Plan ID | xNdNcYA4T9Voz https://www.certification.openid.net/plan-detail.html?public=true&plan=xNdNcYA4T9Voz |
Exported From | https://www.certification.openid.net |
Exported By | 104676522646289729413 https://accounts.google.com |
Suite Version | 5.0.7 |
Exported | 2022-12-02 04:17:42 (UTC) |
Status: FINISHED Result: WARNING |
SUCCESS 79 FAILURE 0 WARNING 1 REVIEW 0 INFO 1 |
2022-11-16 07:54:57 |
INFO
|
TEST-RUNNER
Test instance Ujk25ylGo4OvGyx created
|
||||||||||||||
|
2022-11-16 07:54:57 |
SUCCESS
|
CreateRedirectUri
Created redirect URI
|
||
|
2022-11-16 07:54:57 |
|
GetDynamicServerConfiguration
HTTP request
|
||||||||
|
2022-11-16 07:54:58 |
RESPONSE
|
GetDynamicServerConfiguration
HTTP response
|
||||||||
|
2022-11-16 07:54:58 |
SUCCESS
|
GetDynamicServerConfiguration
Successfully parsed server configuration
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
2022-11-16 07:54:58 | SUCCESS |
AddMTLSEndpointAliasesToEnvironment
Added mtls_endpoint_aliases to environment
|
|
2022-11-16 07:54:58 |
SUCCESS
|
CheckServerConfiguration
Found required server configuration keys
|
||
|
2022-11-16 07:54:58 |
|
FetchServerKeys
Fetching server key
|
||
|
2022-11-16 07:54:58 |
|
FetchServerKeys
HTTP request
|
||||||||
|
2022-11-16 07:54:59 |
RESPONSE
|
FetchServerKeys
HTTP response
|
||||||||
|
2022-11-16 07:54:59 |
|
FetchServerKeys
Found JWK set string
|
||
|
2022-11-16 07:54:59 |
SUCCESS
|
FetchServerKeys
Found server JWK set
|
||
|
2022-11-16 07:54:59 |
SUCCESS
|
CheckServerKeysIsValid
Server JWKs is valid
|
||
|
2022-11-16 07:54:59 | SUCCESS |
ValidateServerJWKs
Valid server JWKs: keys are valid JSON, contain the required fields and are correctly encoded using unpadded base64url
|
|
2022-11-16 07:54:59 | SUCCESS |
CheckForKeyIdInServerJWKs
All keys contain kids
|
|
2022-11-16 07:54:59 | SUCCESS |
EnsureServerJwksDoesNotContainPrivateOrSymmetricKeys
Jwks does not contain any private or symmetric keys
|
|
2022-11-16 07:54:59 | SUCCESS |
FAPIEnsureMinimumServerKeyLength
Validated minimum key lengths for server_jwks
|
||
|
2022-11-16 07:54:59 |
SUCCESS
|
GetStaticClientConfiguration
Found a static client object
|
||||||||||
|
2022-11-16 07:54:59 |
|
ValidateMTLSCertificatesHeader
No certificate authority found for MTLS
|
|
2022-11-16 07:54:59 |
SUCCESS
|
ValidateMTLSCertificatesHeader
MTLS certificates header is valid
|
|
2022-11-16 07:54:59 |
|
ExtractMTLSCertificatesFromConfiguration
No certificate authority found for MTLS
|
|
2022-11-16 07:54:59 |
SUCCESS
|
ExtractMTLSCertificatesFromConfiguration
Mutual TLS authentication credentials loaded
|
||||
|
2022-11-16 07:54:59 | SUCCESS |
ValidateClientJWKsPrivatePart
Valid client JWKs: keys are valid JSON, contain the required fields, the private/public exponents match and are correctly encoded using unpadded base64url
|
|
2022-11-16 07:54:59 |
SUCCESS
|
ExtractJWKsFromStaticClientConfiguration
Extracted client JWK
|
||||
|
2022-11-16 07:54:59 | SUCCESS |
CheckForKeyIdInClientJWKs
All keys contain kids
|
|
2022-11-16 07:54:59 | SUCCESS |
CheckDistinctKeyIdValueInClientJWKs
Distinct 'kid' value in all keys of client_jwks
|
||
|
2022-11-16 07:54:59 | SUCCESS |
FAPICheckKeyAlgInClientJWKs
Keys in client JWKS all have permitted 'alg'
|
||
|
2022-11-16 07:54:59 | SUCCESS |
FAPIEnsureMinimumClientKeyLength
Validated minimum key lengths for client_jwks
|
||
|
2022-11-16 07:54:59 |
SUCCESS
|
ValidateMTLSCertificatesAsX509
Mutual TLS authentication cert validated as X.509
|
|
Verify configuration of second client |
2022-11-16 07:54:59 |
SUCCESS
|
GetStaticClient2Configuration
Found a static second client object
|
||||||||||
|
2022-11-16 07:54:59 |
|
ValidateMTLSCertificates2Header
No certificate authority found for MTLS
|
|
2022-11-16 07:54:59 |
SUCCESS
|
ValidateMTLSCertificates2Header
MTLS certificates header is valid
|
|
2022-11-16 07:54:59 |
|
ExtractMTLSCertificates2FromConfiguration
No certificate authority found for MTLS
|
|
2022-11-16 07:54:59 |
SUCCESS
|
ExtractMTLSCertificates2FromConfiguration
Mutual TLS authentication credentials loaded
|
||||
|
2022-11-16 07:54:59 | SUCCESS |
ValidateClientJWKsPrivatePart
Valid client JWKs: keys are valid JSON, contain the required fields, the private/public exponents match and are correctly encoded using unpadded base64url
|
|
2022-11-16 07:54:59 |
SUCCESS
|
ExtractJWKsFromStaticClientConfiguration
Extracted client JWK
|
||||
|
2022-11-16 07:54:59 | SUCCESS |
CheckForKeyIdInClientJWKs
All keys contain kids
|
|
2022-11-16 07:54:59 | SUCCESS |
CheckDistinctKeyIdValueInClientJWKs
Distinct 'kid' value in all keys of client_jwks
|
||
|
2022-11-16 07:54:59 | SUCCESS |
FAPICheckKeyAlgInClientJWKs
Keys in client JWKS all have permitted 'alg'
|
||
|
2022-11-16 07:54:59 | SUCCESS |
FAPIEnsureMinimumClientKeyLength
Validated minimum key lengths for client_jwks
|
||
|
2022-11-16 07:54:59 |
SUCCESS
|
ValidateMTLSCertificatesAsX509
Mutual TLS authentication cert validated as X.509
|
|
2022-11-16 07:54:59 |
SUCCESS
|
ValidateClientPrivateKeysAreDifferent
Client signing JWKs have different thumbprints
|
||||
|
2022-11-16 07:54:59 |
SUCCESS
|
GetResourceEndpointConfiguration
Found a resource endpoint object
|
||
|
2022-11-16 07:54:59 |
SUCCESS
|
SetProtectedResourceUrlToSingleResourceEndpoint
Set protected resource URL
|
||
|
2022-11-16 07:54:59 |
SUCCESS
|
ExtractTLSTestValuesFromResourceConfiguration
Extracted TLS information from resource endpoint
|
||
|
2022-11-16 07:54:59 |
SUCCESS
|
ExtractTLSTestValuesFromOBResourceConfiguration
Extracted TLS information from resource endpoint
|
||||
|
2022-11-16 07:54:59 |
|
fapi1-advanced-final-ensure-authorization-code-is-bound-to-client
Setup Done
|
|
Make request to authorization endpoint |
2022-11-16 07:54:59 |
SUCCESS
|
CreateAuthorizationEndpointRequestFromClientInformation
Created authorization endpoint request
|
||||||
|
2022-11-16 07:54:59 |
SUCCESS
|
AddAcrClaimToAuthorizationEndpointRequest
Added acr claim to authorization_endpoint_request
|
||
|
2022-11-16 07:54:59 |
|
CreateRandomStateValue
Created state value
|
||||
|
2022-11-16 07:54:59 |
SUCCESS
|
AddStateToAuthorizationEndpointRequest
Added state parameter to request
|
||||||||||
|
2022-11-16 07:54:59 |
|
CreateRandomNonceValue
Created nonce value
|
||||
|
2022-11-16 07:54:59 |
SUCCESS
|
AddNonceToAuthorizationEndpointRequest
Added nonce parameter to request
|
||||||||||||
|
2022-11-16 07:54:59 |
SUCCESS
|
SetAuthorizationEndpointRequestResponseTypeToCode
Added response_type parameter to request
|
||||||||||||||
|
2022-11-16 07:54:59 |
SUCCESS
|
SetAuthorizationEndpointRequestResponseModeToJWT
Added response_mode parameter to request
|
||||||||||||||||
|
2022-11-16 07:54:59 |
SUCCESS
|
ConvertAuthorizationEndpointRequestToRequestObject
Created request object claims
|
||
|
2022-11-16 07:54:59 | SUCCESS |
AddNbfToRequestObject
Added nbf to request object claims
|
||
|
2022-11-16 07:54:59 | SUCCESS |
AddExpToRequestObject
Added exp to request object claims
|
||
|
2022-11-16 07:54:59 | SUCCESS |
AddAudToRequestObject
Added aud to request object claims
|
||
|
2022-11-16 07:54:59 | SUCCESS |
AddIssToRequestObject
Added iss to request object claims
|
||
|
2022-11-16 07:54:59 | SUCCESS |
AddClientIdToRequestObject
Added client_id to request object claims
|
||
|
2022-11-16 07:54:59 |
SUCCESS
|
SignRequestObject
Signed the request object
|
||||||||
|
2022-11-16 07:54:59 |
SUCCESS
|
BuildRequestObjectByValueRedirectToAuthorizationEndpoint
Sending to authorization endpoint
|
||
|
2022-11-16 07:54:59 |
REDIRECT
|
fapi1-advanced-final-ensure-authorization-code-is-bound-to-client
Redirecting to authorization endpoint
|
||
|
2022-11-16 07:55:07 |
INCOMING
|
fapi1-advanced-final-ensure-authorization-code-is-bound-to-client
Incoming HTTP request to /test/a/NC7000-3A-OC/callback
|
||||||||||||||||||||||
|
2022-11-16 07:55:07 |
SUCCESS
|
CreateRandomImplicitSubmitUrl
Created random implicit submission URL
|
||
|
2022-11-16 07:55:07 |
OUTGOING
|
fapi1-advanced-final-ensure-authorization-code-is-bound-to-client
Response to HTTP request to test instance Ujk25ylGo4OvGyx
|
||||
|
2022-11-16 07:55:08 |
INCOMING
|
fapi1-advanced-final-ensure-authorization-code-is-bound-to-client
Incoming HTTP request to /test/a/NC7000-3A-OC/implicit/FUOYyxHdIiL26mtIeSpT
|
||||||||||||||||||||||
|
2022-11-16 07:55:08 |
OUTGOING
|
fapi1-advanced-final-ensure-authorization-code-is-bound-to-client
Response to HTTP request to test instance Ujk25ylGo4OvGyx
|
||||||||
|
2022-11-16 07:55:08 |
SUCCESS
|
ExtractImplicitHashToCallbackResponse
implicit_hash is empty
|
|
2022-11-16 07:55:08 |
REDIRECT-IN
|
fapi1-advanced-final-ensure-authorization-code-is-bound-to-client
Authorization endpoint response captured
|
||||||||||
|
Verify authorization endpoint response |
2022-11-16 07:55:08 | SUCCESS |
ExtractJARMFromURLQuery
Found and parsed the jarm_response from callback_query_params
|
||||||
|
2022-11-16 07:55:08 | SUCCESS |
RejectNonJarmResponsesInUrlQuery
Authorization endpoint response only includes the JARM JWT.
|
|
2022-11-16 07:55:08 |
SUCCESS
|
ExtractAuthorizationEndpointResponseFromJARMResponse
Extracted the authorization response
|
||||||||
|
2022-11-16 07:55:08 | SUCCESS |
ValidateJARMResponse
JARM response standard JWT claims are valid
|
|
2022-11-16 07:55:08 |
SUCCESS
|
FAPI1ValidateJarmSigningAlg
JARM response was signed with a permitted algorithm
|
||||
|
2022-11-16 07:55:08 | SUCCESS |
ValidateJARMExpRecommendations
JARM response 'exp' is less than 10 minutes
|
||||
|
2022-11-16 07:55:08 | SUCCESS |
ValidateJARMSignatureUsingKid
jarm_response signature validated
|
||
|
2022-11-16 07:55:08 | SUCCESS |
RejectAuthCodeInUrlQuery
Authorization code is not present in URL query returned from authorization endpoint
|
|
2022-11-16 07:55:08 |
SUCCESS
|
CheckMatchingCallbackParameters
Callback parameters successfully verified
|
|
2022-11-16 07:55:08 | SUCCESS |
RejectStateInUrlQueryForHybridFlow
state is correctly not present in URL query returned from authorization endpoint (as in the hybrid flow it must be returned in the URL fragment/hash only)
|
|
2022-11-16 07:55:08 |
SUCCESS
|
CheckIfAuthorizationEndpointError
No error from authorization endpoint
|
|
2022-11-16 07:55:08 |
WARNING
|
ValidateSuccessfulJARMResponseFromAuthorizationEndpoint
authorization endpoint response includes unexpected parameters. This may be because the authorization server supports protocol extensions the conformance suite is unaware of, but may also be because the server is implementing the specification incorrectly.
|
||
|
2022-11-16 07:55:08 | SUCCESS |
CheckStateInAuthorizationResponse
State in response correctly returned
|
||
|
2022-11-16 07:55:08 | SUCCESS |
ValidateIssInAuthorizationResponse
'iss' parameter in authorization response matches server's issuer value.
|
|
2022-11-16 07:55:08 |
SUCCESS
|
ExtractAuthorizationCodeFromAuthorizationResponse
Found authorization code
|
||
|
2022-11-16 07:55:08 | SUCCESS |
EnsureMinimumAuthorizationCodeLength
Authorization code is of sufficient length
|
||||
|
2022-11-16 07:55:08 | SUCCESS |
EnsureMinimumAuthorizationCodeEntropy
Calculated shannon entropy seems sufficient
|
||||||
|
2022-11-16 07:55:08 |
SUCCESS
|
CreateTokenEndpointRequestForAuthorizationCodeGrant
Created token endpoint request
|
||||||
|
2022-11-16 07:55:08 |
|
AddClientIdToTokenEndpointRequest
|
||||||||
|
2022-11-16 07:55:08 |
|
ValidateMTLSCertificates2Header
No certificate authority found for MTLS
|
|
2022-11-16 07:55:08 |
SUCCESS
|
ValidateMTLSCertificates2Header
MTLS certificates header is valid
|
|
2022-11-16 07:55:08 |
|
ExtractMTLSCertificates2FromConfiguration
No certificate authority found for MTLS
|
|
2022-11-16 07:55:08 |
SUCCESS
|
ExtractMTLSCertificates2FromConfiguration
Mutual TLS authentication credentials loaded
|
||||
|
2022-11-16 07:55:08 |
SUCCESS
|
CreateTokenEndpointRequestForAuthorizationCodeGrant
Created token endpoint request
|
||||||
|
2022-11-16 07:55:08 |
|
AddClientIdToTokenEndpointRequest
|
||||||||
|
2022-11-16 07:55:08 |
|
CallTokenEndpointAndReturnFullResponse
HTTP request
|
||||||||||
|
2022-11-16 07:55:09 |
RESPONSE
|
CallTokenEndpointAndReturnFullResponse
HTTP response
|
||||||||
|
2022-11-16 07:55:09 | SUCCESS |
CallTokenEndpointAndReturnFullResponse
Parsed token endpoint response
|
||||||
|
2022-11-16 07:55:09 | SUCCESS |
CheckTokenEndpointHttpStatus400
Token endpoint http status code was 400
|
|
2022-11-16 07:55:09 | SUCCESS |
CheckTokenEndpointReturnedJsonContentType
token_endpoint_response_headers Content-Type: header is application/json
|
|
2022-11-16 07:55:09 | SUCCESS |
CheckErrorFromTokenEndpointResponseErrorInvalidGrant
Token Endpoint response error returned expected 'error' of 'invalid_grant'
|
||
|
2022-11-16 07:55:09 | SUCCESS |
ValidateErrorFromTokenEndpointResponseError
Token endpoint response error returned valid 'error' field
|
||
|
2022-11-16 07:55:09 | SUCCESS |
CheckErrorDescriptionFromTokenEndpointResponseErrorContainsCRLFTAB
token_endpoint_response 'error_description' field does not include CR/LF/TAB
|
||
|
2022-11-16 07:55:09 | SUCCESS |
ValidateErrorDescriptionFromTokenEndpointResponseError
token_endpoint_response error returned valid 'error_description' field
|
||
|
2022-11-16 07:55:09 | SUCCESS |
ValidateErrorUriFromTokenEndpointResponseError
token_endpoint_response returned valid 'error_uri' field
|
||
|
2022-11-16 07:55:09 |
FINISHED
|
fapi1-advanced-final-ensure-authorization-code-is-bound-to-client
Test has run to completion
|
||
|
2022-11-16 07:55:45 |
|
TEST-RUNNER
Alias has now been claimed by another test
|
||||
|