internal/certification/C.F.T.T.s/OP-OAuth-2nd-Revokes.txt
Test tool version: 2.1.3
Issuer: https://oidc-certification.ory.sh:8443/
Profile: []
Test ID: OP-OAuth-2nd-Revokes
Test description: Trying to use authorization code twice should result in revoking previously issued access tokens
Timestamp: 2018-06-23T10:50:43Z
============================================================
Trace output
0.0 phase <--<-- 0 --- Webfinger -->-->
0.0 not expected to do WebFinger
0.0 phase <--<-- 1 --- Discovery -->-->
0.0 provider_config kwargs:{'issuer': 'https://oidc-certification.ory.sh:8443/'}
0.076 http response url:https://oidc-certification.ory.sh:8443/.well-known/openid-configuration status_code:200
0.077 ProviderConfigurationResponse {
"authorization_endpoint": "https://oidc-certification.ory.sh:8443/oauth2/auth",
"claims_parameter_supported": false,
"claims_supported": [
"sub"
],
"grant_types_supported": [
"authorization_code",
"implicit",
"client_credentials",
"refresh_token"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"issuer": "https://oidc-certification.ory.sh:8443/",
"jwks_uri": "https://oidc-certification.ory.sh:8443/.well-known/jwks.json",
"registration_endpoint": "https://oidc-certification.ory.sh:8443/clients",
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_modes_supported": [
"query",
"fragment"
],
"response_types_supported": [
"code",
"code id_token",
"id_token",
"token id_token",
"token",
"token id_token code"
],
"scopes_supported": [
"offline",
"openid"
],
"subject_types_supported": [
"pairwise",
"public"
],
"token_endpoint": "https://oidc-certification.ory.sh:8443/oauth2/token",
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic",
"private_key_jwt",
"none"
],
"userinfo_endpoint": "https://oidc-certification.ory.sh:8443/userinfo",
"userinfo_signing_alg_values_supported": [
"none",
"RS256"
],
"version": "3.0"
}
0.077 phase <--<-- 2 --- Registration -->-->
0.078 register kwargs:{'application_name': 'OIC test tool', 'response_types': ['code'], 'contacts': ['roland@example.com'], 'redirect_uris': ['https://op.certification.openid.net:61353/authz_cb'], 'post_logout_redirect_uris': ['https://op.certification.openid.net:61353/logout'], 'jwks_uri': 'https://op.certification.openid.net:61353/static/jwks_61353.json', 'grant_types': ['authorization_code'], 'application_type': 'web', 'url': 'https://oidc-certification.ory.sh:8443/clients'}
0.078 RegistrationRequest {
"application_type": "web",
"contacts": [
"roland@example.com"
],
"grant_types": [
"authorization_code"
],
"jwks_uri": "https://op.certification.openid.net:61353/static/jwks_61353.json",
"post_logout_redirect_uris": [
"https://op.certification.openid.net:61353/logout"
],
"redirect_uris": [
"https://op.certification.openid.net:61353/authz_cb"
],
"request_uris": [
"https://op.certification.openid.net:61353/requests/e3ecc141f5419bd33d25d760861d32323144d583feaf26eb1b5cbf20147608b9#XBw87oVdSVU8JxPO"
],
"response_types": [
"code"
]
}
0.242 http response url:https://oidc-certification.ory.sh:8443/clients status_code:201
0.243 RegistrationResponse {
"client_id": "ce8e94bb-b051-4d75-91cb-8f8f99bddb18",
"client_secret": "DdcrL1_M5qmy",
"client_secret_expires_at": 0,
"contacts": [
"roland@example.com"
],
"grant_types": [
"authorization_code"
],
"id": "ce8e94bb-b051-4d75-91cb-8f8f99bddb18",
"jwks_uri": "https://op.certification.openid.net:61353/static/jwks_61353.json",
"public": false,
"redirect_uris": [
"https://op.certification.openid.net:61353/authz_cb"
],
"request_uris": [
"https://op.certification.openid.net:61353/requests/e3ecc141f5419bd33d25d760861d32323144d583feaf26eb1b5cbf20147608b9#XBw87oVdSVU8JxPO"
],
"response_types": [
"code"
],
"scope": "openid offline offline_access profile email address phone",
"token_endpoint_auth_method": "client_secret_basic",
"userinfo_signed_response_alg": "none"
}
0.243 phase <--<-- 3 --- Note -->-->
1.568 phase <--<-- 4 --- AsyncAuthn -->-->
1.569 AuthorizationRequest {
"client_id": "ce8e94bb-b051-4d75-91cb-8f8f99bddb18",
"nonce": "dqgkYo3H5I69iFX2",
"redirect_uri": "https://op.certification.openid.net:61353/authz_cb",
"response_type": "code",
"scope": "openid",
"state": "vo0F5zs0z6N5iLSf"
}
1.569 redirect url https://oidc-certification.ory.sh:8443/oauth2/auth?scope=openid&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A61353%2Fauthz_cb&client_id=ce8e94bb-b051-4d75-91cb-8f8f99bddb18&state=vo0F5zs0z6N5iLSf&response_type=code&nonce=dqgkYo3H5I69iFX2
1.569 redirect https://oidc-certification.ory.sh:8443/oauth2/auth?scope=openid&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A61353%2Fauthz_cb&client_id=ce8e94bb-b051-4d75-91cb-8f8f99bddb18&state=vo0F5zs0z6N5iLSf&response_type=code&nonce=dqgkYo3H5I69iFX2
5.951 response Response URL with query part
5.951 response {'state': 'vo0F5zs0z6N5iLSf', 'scope': 'openid', 'code': 'SOfv2rr_HYydZ5epx3H-S2sUb2cDbL-U3AwOML96bO8.fY-Nw_9SU-VefjGtGzaBxYPqnuWez5BkZJ3Y8xH0XX8'}
5.951 response {'state': 'vo0F5zs0z6N5iLSf', 'scope': 'openid', 'code': 'SOfv2rr_HYydZ5epx3H-S2sUb2cDbL-U3AwOML96bO8.fY-Nw_9SU-VefjGtGzaBxYPqnuWez5BkZJ3Y8xH0XX8'}
5.952 AuthorizationResponse {
"code": "SOfv2rr_HYydZ5epx3H-S2sUb2cDbL-U3AwOML96bO8.fY-Nw_9SU-VefjGtGzaBxYPqnuWez5BkZJ3Y8xH0XX8",
"scope": "openid",
"state": "vo0F5zs0z6N5iLSf"
}
5.952 phase <--<-- 5 --- AccessToken -->-->
5.952 --> request op_args: {'state': 'vo0F5zs0z6N5iLSf'}, req_args: {'redirect_uri': 'https://op.certification.openid.net:61353/authz_cb'}
5.952 do_access_token_request kwargs:{'request_args': {'grant_type': 'authorization_code', 'state': 'vo0F5zs0z6N5iLSf', 'code': 'SOfv2rr_HYydZ5epx3H-S2sUb2cDbL-U3AwOML96bO8.fY-Nw_9SU-VefjGtGzaBxYPqnuWez5BkZJ3Y8xH0XX8', 'redirect_uri': 'https://op.certification.openid.net:61353/authz_cb', 'client_id': 'ce8e94bb-b051-4d75-91cb-8f8f99bddb18'}, 'state': 'vo0F5zs0z6N5iLSf'}
5.952 AccessTokenRequest {
"code": "SOfv2rr_HYydZ5epx3H-S2sUb2cDbL-U3AwOML96bO8.fY-Nw_9SU-VefjGtGzaBxYPqnuWez5BkZJ3Y8xH0XX8",
"grant_type": "authorization_code",
"redirect_uri": "https://op.certification.openid.net:61353/authz_cb",
"state": "vo0F5zs0z6N5iLSf"
}
5.952 request_url https://oidc-certification.ory.sh:8443/oauth2/token
5.952 request_http_args {'headers': {'Authorization': 'Basic Y2U4ZTk0YmItYjA1MS00ZDc1LTkxY2ItOGY4Zjk5YmRkYjE4OkRkY3JMMV9NNXFteQ==', 'Content-Type': 'application/x-www-form-urlencoded'}}
5.952 request code=SOfv2rr_HYydZ5epx3H-S2sUb2cDbL-U3AwOML96bO8.fY-Nw_9SU-VefjGtGzaBxYPqnuWez5BkZJ3Y8xH0XX8&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A61353%2Fauthz_cb&grant_type=authorization_code&state=vo0F5zs0z6N5iLSf
6.232 http response url:https://oidc-certification.ory.sh:8443/oauth2/token status_code:200
6.233 response {'id_token': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo0OTA5NjhlOC1jNmU1LTQ0MWUtYjQyZS01MDUzZDZjNjdhZjIiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiY2U4ZTk0YmItYjA1MS00ZDc1LTkxY2ItOGY4Zjk5YmRkYjE4Il0sImF1dGhfdGltZSI6MTUyOTc1MDk3NSwiZXhwIjoxNTI5NzU0NjQyLCJpYXQiOjE1Mjk3NTEwNDMsImlzcyI6Imh0dHBzOi8vb2lkYy1jZXJ0aWZpY2F0aW9uLm9yeS5zaDo4NDQzLyIsImp0aSI6ImZmOGIxYmM4LTk3MDItNDBjZS1iZjQxLTZjMTc3MzgzN2E3ZCIsIm5vbmNlIjoiZHFna1lvM0g1STY5aUZYMiIsInJhdCI6MTUyOTc1MTAzOCwic3ViIjoiZm9vQGJhci5jb20ifQ.bJG06MkuiZQS_XjpyWJP_U8gHU0rHzKscC6dM3UaBtoO7nPchcCa05VAMQRyetTn7VU98lEOT0UXo5rDyxQmVWFpy_4vL-hwdaReVHAiTv0YmsJIP4L0WFE4BhW5q_6YnPWJRX3zls7h6dbCvjxho-oRa5-d1fUM55JqsXn66JE14p7jdY2BmUXEr1ribfMc4HYcHtMYkCV9IHw89nHUneq4nq-IdQyciQVbodkIxGQ5s6jj2YO0udJhgZfwT3yix45YA1YRFmjRGfvpfAD2Pkgvu08mD1NkddVJLphkGejGnpr_hIKvyAHPq2FAjjICLplV5mIjzqi47jsaZxSUNOb5wtnJh50I3sqlkBVY1uHBgVTcbkX0Ss2JLeJsbLpUxV3j5k_SRb2-J5i1iWz8V74A6e8aMEJWc7ewM_nQjzzpRmXFl1sR_GKuGboUXGzJugkzRg6o2K_YfQGG-k7LD108U4WyVA4vTl7-IfxknUL9iOwOoF9S__bigypffx80gtf_PpqHtS6BHKangw7ZFgC3JB-ykhgZ3eVr0zHg_hk-E-LBPw_YlLwSEFquP9GgiM3UFwc53U28j394VgydOmce5dvxJoAego19T7uUtXTcrqGp_oFDAGqfDhfyhREK7fMJ5uiprpFLlSFDyAE5NeAdUw-8ST1XnPdpofJCQj0', 'token_type': 'bearer', 'expires_in': 3599, 'access_token': 'L6jTyeUSvhHNK1xLNf3BNrdQ9ksIj3aKAu4yOhuN8A0.URku-iZj4qSi7X5SpIBeOpF1_ejXxm2OmGeJg82E4d0', 'scope': 'openid'}
6.349 AccessTokenResponse {
"access_token": "L6jTyeUSvhHNK1xLNf3BNrdQ9ksIj3aKAu4yOhuN8A0.URku-iZj4qSi7X5SpIBeOpF1_ejXxm2OmGeJg82E4d0",
"expires_in": 3599,
"id_token": {
"aud": [
"ce8e94bb-b051-4d75-91cb-8f8f99bddb18"
],
"auth_time": 1529750975,
"exp": 1529754642,
"iat": 1529751043,
"iss": "https://oidc-certification.ory.sh:8443/",
"jti": "ff8b1bc8-9702-40ce-bf41-6c1773837a7d",
"nonce": "dqgkYo3H5I69iFX2",
"rat": 1529751038,
"sub": "foo@bar.com"
},
"scope": "openid",
"token_type": "bearer"
}
6.35 phase <--<-- 6 --- AccessToken -->-->
6.35 --> request op_args: {'state': 'vo0F5zs0z6N5iLSf'}, req_args: {'redirect_uri': 'https://op.certification.openid.net:61353/authz_cb'}
6.35 do_access_token_request kwargs:{'request_args': {'grant_type': 'authorization_code', 'state': 'vo0F5zs0z6N5iLSf', 'code': 'SOfv2rr_HYydZ5epx3H-S2sUb2cDbL-U3AwOML96bO8.fY-Nw_9SU-VefjGtGzaBxYPqnuWez5BkZJ3Y8xH0XX8', 'redirect_uri': 'https://op.certification.openid.net:61353/authz_cb', 'client_id': 'ce8e94bb-b051-4d75-91cb-8f8f99bddb18'}, 'state': 'vo0F5zs0z6N5iLSf'}
6.35 AccessTokenRequest {
"code": "SOfv2rr_HYydZ5epx3H-S2sUb2cDbL-U3AwOML96bO8.fY-Nw_9SU-VefjGtGzaBxYPqnuWez5BkZJ3Y8xH0XX8",
"grant_type": "authorization_code",
"redirect_uri": "https://op.certification.openid.net:61353/authz_cb",
"state": "vo0F5zs0z6N5iLSf"
}
6.35 request_url https://oidc-certification.ory.sh:8443/oauth2/token
6.35 request_http_args {'headers': {'Authorization': 'Basic Y2U4ZTk0YmItYjA1MS00ZDc1LTkxY2ItOGY4Zjk5YmRkYjE4OkRkY3JMMV9NNXFteQ==', 'Content-Type': 'application/x-www-form-urlencoded'}}
6.35 request code=SOfv2rr_HYydZ5epx3H-S2sUb2cDbL-U3AwOML96bO8.fY-Nw_9SU-VefjGtGzaBxYPqnuWez5BkZJ3Y8xH0XX8&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A61353%2Fauthz_cb&grant_type=authorization_code&state=vo0F5zs0z6N5iLSf
6.513 http response url:https://oidc-certification.ory.sh:8443/oauth2/token status_code:400 message:{"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client","status_code":400,"error_debug":"The authorization code has already been used.Additionally, an error occurred during processing the refresh token revocation: Not found."}
6.513 response {'error_debug': 'The authorization code has already been used.Additionally, an error occurred during processing the refresh token revocation: Not found.', 'error_description': 'The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client', 'error': 'invalid_grant', 'status_code': 400}
6.513 event Got expected error
6.513 TokenErrorResponse {
"error": "invalid_grant",
"error_debug": "The authorization code has already been used.Additionally, an error occurred during processing the refresh token revocation: Not found.",
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
"status_code": 400
}
6.514 phase <--<-- 7 --- UserInfo -->-->
6.514 do_user_info_request kwargs:{'state': 'vo0F5zs0z6N5iLSf', 'method': 'GET', 'authn_method': 'bearer_header'}
6.514 request {'body': None}
6.514 request_url https://oidc-certification.ory.sh:8443/userinfo
6.514 request_http_args {'headers': {'Authorization': 'Bearer L6jTyeUSvhHNK1xLNf3BNrdQ9ksIj3aKAu4yOhuN8A0.URku-iZj4qSi7X5SpIBeOpF1_ejXxm2OmGeJg82E4d0'}}
6.622 http response url:https://oidc-certification.ory.sh:8443/userinfo status_code:401 message:{"error":"request_unauthorized","error_description":"The request could not be authorized","error_hint":"Check that you provided valid credentials in the right format.","status_code":401,"error_debug":"A validator returned an error"}
6.623 event Expected error not received: got request_unauthorized
6.623 ErrorResponse {
"error": "request_unauthorized",
"error_debug": "A validator returned an error",
"error_description": "The request could not be authorized",
"error_hint": "Check that you provided valid credentials in the right format.",
"status_code": 401
}
6.623 ErrorResponse {
"error": "request_unauthorized",
"error_debug": "A validator returned an error",
"error_description": "The request could not be authorized",
"error_hint": "Check that you provided valid credentials in the right format.",
"status_code": 401
}
6.623 phase <--<-- 8 --- Done -->-->
6.623 end
6.624 assertion VerifyResponse
6.624 condition verify-response: status=OK [Checks that the last response was one of a possible set of OpenID Connect Responses]
6.624 condition Done: status=OK
============================================================
Conditions
verify-response: status=OK [Checks that the last response was one of a possible set of OpenID Connect Responses]
Done: status=OK
============================================================
RESULT: PASSED