internal/certification/CT.F.T.T.s/OP-OAuth-2nd-Revokes.txt
Test tool version: 2.1.3
Issuer: https://oidc-certification.ory.sh:8443/
Profile: []
Test ID: OP-OAuth-2nd-Revokes
Test description: Trying to use authorization code twice should result in revoking previously issued access tokens
Timestamp: 2018-06-23T11:14:00Z
============================================================
Trace output
0.0 phase <--<-- 0 --- Webfinger -->-->
0.0 not expected to do WebFinger
0.0 phase <--<-- 1 --- Discovery -->-->
0.001 provider_config kwargs:{'issuer': 'https://oidc-certification.ory.sh:8443/'}
0.083 http response url:https://oidc-certification.ory.sh:8443/.well-known/openid-configuration status_code:200
0.084 ProviderConfigurationResponse {
"authorization_endpoint": "https://oidc-certification.ory.sh:8443/oauth2/auth",
"claims_parameter_supported": false,
"claims_supported": [
"sub"
],
"grant_types_supported": [
"authorization_code",
"implicit",
"client_credentials",
"refresh_token"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"issuer": "https://oidc-certification.ory.sh:8443/",
"jwks_uri": "https://oidc-certification.ory.sh:8443/.well-known/jwks.json",
"registration_endpoint": "https://oidc-certification.ory.sh:8443/clients",
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"response_modes_supported": [
"query",
"fragment"
],
"response_types_supported": [
"code",
"code id_token",
"id_token",
"token id_token",
"token",
"token id_token code"
],
"scopes_supported": [
"offline",
"openid"
],
"subject_types_supported": [
"pairwise",
"public"
],
"token_endpoint": "https://oidc-certification.ory.sh:8443/oauth2/token",
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic",
"private_key_jwt",
"none"
],
"userinfo_endpoint": "https://oidc-certification.ory.sh:8443/userinfo",
"userinfo_signing_alg_values_supported": [
"none",
"RS256"
],
"version": "3.0"
}
0.084 phase <--<-- 2 --- Registration -->-->
0.084 register kwargs:{'application_name': 'OIC test tool', 'response_types': ['code token'], 'contacts': ['roland@example.com'], 'redirect_uris': ['https://op.certification.openid.net:61353/authz_cb'], 'post_logout_redirect_uris': ['https://op.certification.openid.net:61353/logout'], 'jwks_uri': 'https://op.certification.openid.net:61353/static/jwks_61353.json', 'grant_types': ['authorization_code', 'implicit'], 'application_type': 'web', 'url': 'https://oidc-certification.ory.sh:8443/clients'}
0.085 RegistrationRequest {
"application_type": "web",
"contacts": [
"roland@example.com"
],
"grant_types": [
"authorization_code",
"implicit"
],
"jwks_uri": "https://op.certification.openid.net:61353/static/jwks_61353.json",
"post_logout_redirect_uris": [
"https://op.certification.openid.net:61353/logout"
],
"redirect_uris": [
"https://op.certification.openid.net:61353/authz_cb"
],
"request_uris": [
"https://op.certification.openid.net:61353/requests/e3ecc141f5419bd33d25d760861d32323144d583feaf26eb1b5cbf20147608b9#TO9u8AB4TvCRTg8S"
],
"response_types": [
"code token"
]
}
0.242 http response url:https://oidc-certification.ory.sh:8443/clients status_code:201
0.243 RegistrationResponse {
"client_id": "0a335476-15b2-4b37-9c97-874e06d02837",
"client_secret": "vkyAwLiSg5Qm",
"client_secret_expires_at": 0,
"contacts": [
"roland@example.com"
],
"grant_types": [
"authorization_code",
"implicit"
],
"id": "0a335476-15b2-4b37-9c97-874e06d02837",
"jwks_uri": "https://op.certification.openid.net:61353/static/jwks_61353.json",
"public": false,
"redirect_uris": [
"https://op.certification.openid.net:61353/authz_cb"
],
"request_uris": [
"https://op.certification.openid.net:61353/requests/e3ecc141f5419bd33d25d760861d32323144d583feaf26eb1b5cbf20147608b9#TO9u8AB4TvCRTg8S"
],
"response_types": [
"code token"
],
"scope": "openid offline offline_access profile email address phone",
"token_endpoint_auth_method": "client_secret_basic",
"userinfo_signed_response_alg": "none"
}
0.243 phase <--<-- 3 --- Note -->-->
1.362 phase <--<-- 4 --- AsyncAuthn -->-->
1.363 AuthorizationRequest {
"client_id": "0a335476-15b2-4b37-9c97-874e06d02837",
"nonce": "xuTCpTR2l1MbpyAp",
"redirect_uri": "https://op.certification.openid.net:61353/authz_cb",
"response_type": "code token",
"scope": "openid",
"state": "qYwZo4ytMEDViTvb"
}
1.363 redirect url https://oidc-certification.ory.sh:8443/oauth2/auth?scope=openid&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A61353%2Fauthz_cb&client_id=0a335476-15b2-4b37-9c97-874e06d02837&state=qYwZo4ytMEDViTvb&response_type=code+token&nonce=xuTCpTR2l1MbpyAp
1.363 redirect https://oidc-certification.ory.sh:8443/oauth2/auth?scope=openid&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A61353%2Fauthz_cb&client_id=0a335476-15b2-4b37-9c97-874e06d02837&state=qYwZo4ytMEDViTvb&response_type=code+token&nonce=xuTCpTR2l1MbpyAp
5.556 http args {}
5.721 response URL with fragment
5.721 response access_token=Ps5IZDxvWzylOq5MLH1hrDItBkY2gJ_YY3JuVCpu2o0.mKNHY6voLebyXgVf3i94CRo4YMk0eEevoYsbNWEEOF0&code=LULXxF4WvDIwGvfDKFIVe1a5IX76JQbXXXfgWwl7_Qo.fqu6AFFkSq1HIVTwHWFdelKcAh1mnOJ3CI0nFQv5L30&expires_in=3599&scope=openid&state=qYwZo4ytMEDViTvb&token_type=bearer
5.722 response {'scope': 'openid', 'code': 'LULXxF4WvDIwGvfDKFIVe1a5IX76JQbXXXfgWwl7_Qo.fqu6AFFkSq1HIVTwHWFdelKcAh1mnOJ3CI0nFQv5L30', 'access_token': 'Ps5IZDxvWzylOq5MLH1hrDItBkY2gJ_YY3JuVCpu2o0.mKNHY6voLebyXgVf3i94CRo4YMk0eEevoYsbNWEEOF0', 'state': 'qYwZo4ytMEDViTvb', 'expires_in': 3599, 'token_type': 'bearer'}
5.722 AuthorizationResponse {
"access_token": "Ps5IZDxvWzylOq5MLH1hrDItBkY2gJ_YY3JuVCpu2o0.mKNHY6voLebyXgVf3i94CRo4YMk0eEevoYsbNWEEOF0",
"code": "LULXxF4WvDIwGvfDKFIVe1a5IX76JQbXXXfgWwl7_Qo.fqu6AFFkSq1HIVTwHWFdelKcAh1mnOJ3CI0nFQv5L30",
"expires_in": 3599,
"scope": "openid",
"state": "qYwZo4ytMEDViTvb",
"token_type": "bearer"
}
5.722 phase <--<-- 5 --- AccessToken -->-->
5.722 --> request op_args: {'state': 'qYwZo4ytMEDViTvb'}, req_args: {'redirect_uri': 'https://op.certification.openid.net:61353/authz_cb'}
5.722 do_access_token_request kwargs:{'request_args': {'grant_type': 'authorization_code', 'state': 'qYwZo4ytMEDViTvb', 'code': 'LULXxF4WvDIwGvfDKFIVe1a5IX76JQbXXXfgWwl7_Qo.fqu6AFFkSq1HIVTwHWFdelKcAh1mnOJ3CI0nFQv5L30', 'redirect_uri': 'https://op.certification.openid.net:61353/authz_cb', 'client_id': '0a335476-15b2-4b37-9c97-874e06d02837'}, 'state': 'qYwZo4ytMEDViTvb'}
5.722 AccessTokenRequest {
"code": "LULXxF4WvDIwGvfDKFIVe1a5IX76JQbXXXfgWwl7_Qo.fqu6AFFkSq1HIVTwHWFdelKcAh1mnOJ3CI0nFQv5L30",
"grant_type": "authorization_code",
"redirect_uri": "https://op.certification.openid.net:61353/authz_cb",
"state": "qYwZo4ytMEDViTvb"
}
5.723 request_url https://oidc-certification.ory.sh:8443/oauth2/token
5.723 request_http_args {'headers': {'Authorization': 'Basic MGEzMzU0NzYtMTViMi00YjM3LTljOTctODc0ZTA2ZDAyODM3OnZreUF3TGlTZzVRbQ==', 'Content-Type': 'application/x-www-form-urlencoded'}}
5.723 request code=LULXxF4WvDIwGvfDKFIVe1a5IX76JQbXXXfgWwl7_Qo.fqu6AFFkSq1HIVTwHWFdelKcAh1mnOJ3CI0nFQv5L30&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A61353%2Fauthz_cb&grant_type=authorization_code&state=qYwZo4ytMEDViTvb
5.946 http response url:https://oidc-certification.ory.sh:8443/oauth2/token status_code:200
5.947 response {'id_token': 'eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo1MTk4ZGI1Yi04NzhjLTQ2MzUtYTUzOC1lNjI3Zjk4ZGU5M2UiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiN19aLXRfV0RsNkkwMmw1THF3amtfUSIsImF1ZCI6WyIwYTMzNTQ3Ni0xNWIyLTRiMzctOWM5Ny04NzRlMDZkMDI4MzciXSwiYXV0aF90aW1lIjoxNTI5NzUyMzcxLCJjX2hhc2giOiJnRHFnMWxuajV2SWFFNV9OaWRLZHhBIiwiZXhwIjoxNTI5NzU2MDM5LCJpYXQiOjE1Mjk3NTI0NDAsImlzcyI6Imh0dHBzOi8vb2lkYy1jZXJ0aWZpY2F0aW9uLm9yeS5zaDo4NDQzLyIsImp0aSI6ImExN2YxODc1LWU3NTEtNDI0NC05ODcyLTY5N2QxNGYzMjc2YyIsIm5vbmNlIjoieHVUQ3BUUjJsMU1icHlBcCIsInJhdCI6MTUyOTc1MjQzNiwic3ViIjoiZm9vQGJhci5jb20ifQ.IeEkSyPgq2zgbfgiSpqdWIfM7Go5TkeDdfXLM5btDPDS0I-cK78fEyCB58cs-oGjFmxKQz0aVvWfvK57PDTYYx8IQILnXhIRqxXsI7gT4BM_0sl70if13FshWiJQIkEaQcrVxca8EWOk7q5pgQmRxC056_Hz4kdvmlrhS7AhIpbq6___4D-A6MldNIKx1Bia12U8pcdCXlQazRYituHDxn1nVhDUhzQ8Gv6O0sIBsSNayVqjIsr-O7m7MiWi_mdB2mKjtXodI7EUzOtmSvjb3otz71N8QQvR6Q8CRvgiULcu3UchJ_83RIjYhPFDAcRV9Gxe7TN93FG6h2H71gZZKZupXkwl2IHCeT-5EBw2VDm-5_v7JukGKZ57jNUhJmKt7mp7pKus1QNw-5KVLF8a1hL72XiR1KM_Tej58-CmUIeor7luUIeT9oWUTxnGgf43NIu_Rdk1qJtGQdhCtXiqunyQx_kdMmfbTlu1D9_aAEPtNH6R9p8_u71fgXWFpq_Fx5T6wnqFeV3JTJA1TO_ij81DkyA9D0EtLVpLMfXvy6KjUAeEwdVvXBr626_TIR413RInrN_ZJxXZngcETgSeNPhG-u2qS2C5n6w0mhJ_STRD2YrmMQcl2-rs4AYb3B9TZEuL7FQ8Bu_xmV0e-19T4toVDi2v3H8noWLdnoLoiNo', 'token_type': 'bearer', 'expires_in': 3599, 'access_token': '5jNbpI04MgkXaCaAUVeqRLTj6GFs_ZyCrJuXNrFlMnU.qDfHOomlBCkWmovNMqsY5Li93ey5t1TNuMFGRWYxfV8', 'scope': 'openid'}
6.034 AccessTokenResponse {
"access_token": "5jNbpI04MgkXaCaAUVeqRLTj6GFs_ZyCrJuXNrFlMnU.qDfHOomlBCkWmovNMqsY5Li93ey5t1TNuMFGRWYxfV8",
"expires_in": 3599,
"id_token": {
"at_hash": "7_Z-t_WDl6I02l5Lqwjk_Q",
"aud": [
"0a335476-15b2-4b37-9c97-874e06d02837"
],
"auth_time": 1529752371,
"c_hash": "gDqg1lnj5vIaE5_NidKdxA",
"exp": 1529756039,
"iat": 1529752440,
"iss": "https://oidc-certification.ory.sh:8443/",
"jti": "a17f1875-e751-4244-9872-697d14f3276c",
"nonce": "xuTCpTR2l1MbpyAp",
"rat": 1529752436,
"sub": "foo@bar.com"
},
"scope": "openid",
"token_type": "bearer"
}
6.034 phase <--<-- 6 --- AccessToken -->-->
6.034 --> request op_args: {'state': 'qYwZo4ytMEDViTvb'}, req_args: {'redirect_uri': 'https://op.certification.openid.net:61353/authz_cb'}
6.034 do_access_token_request kwargs:{'request_args': {'grant_type': 'authorization_code', 'state': 'qYwZo4ytMEDViTvb', 'code': 'LULXxF4WvDIwGvfDKFIVe1a5IX76JQbXXXfgWwl7_Qo.fqu6AFFkSq1HIVTwHWFdelKcAh1mnOJ3CI0nFQv5L30', 'redirect_uri': 'https://op.certification.openid.net:61353/authz_cb', 'client_id': '0a335476-15b2-4b37-9c97-874e06d02837'}, 'state': 'qYwZo4ytMEDViTvb'}
6.035 AccessTokenRequest {
"code": "LULXxF4WvDIwGvfDKFIVe1a5IX76JQbXXXfgWwl7_Qo.fqu6AFFkSq1HIVTwHWFdelKcAh1mnOJ3CI0nFQv5L30",
"grant_type": "authorization_code",
"redirect_uri": "https://op.certification.openid.net:61353/authz_cb",
"state": "qYwZo4ytMEDViTvb"
}
6.035 request_url https://oidc-certification.ory.sh:8443/oauth2/token
6.035 request_http_args {'headers': {'Authorization': 'Basic MGEzMzU0NzYtMTViMi00YjM3LTljOTctODc0ZTA2ZDAyODM3OnZreUF3TGlTZzVRbQ==', 'Content-Type': 'application/x-www-form-urlencoded'}}
6.035 request code=LULXxF4WvDIwGvfDKFIVe1a5IX76JQbXXXfgWwl7_Qo.fqu6AFFkSq1HIVTwHWFdelKcAh1mnOJ3CI0nFQv5L30&redirect_uri=https%3A%2F%2Fop.certification.openid.net%3A61353%2Fauthz_cb&grant_type=authorization_code&state=qYwZo4ytMEDViTvb
6.194 http response url:https://oidc-certification.ory.sh:8443/oauth2/token status_code:400 message:{"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client","status_code":400,"error_debug":"The authorization code has already been used.Additionally, an error occurred during processing the refresh token revocation: Not found."}
6.195 response {'error_debug': 'The authorization code has already been used.Additionally, an error occurred during processing the refresh token revocation: Not found.', 'error_description': 'The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client', 'error': 'invalid_grant', 'status_code': 400}
6.195 event Got expected error
6.195 TokenErrorResponse {
"error": "invalid_grant",
"error_debug": "The authorization code has already been used.Additionally, an error occurred during processing the refresh token revocation: Not found.",
"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client",
"status_code": 400
}
6.195 phase <--<-- 7 --- UserInfo -->-->
6.196 do_user_info_request kwargs:{'state': 'qYwZo4ytMEDViTvb', 'method': 'GET', 'authn_method': 'bearer_header'}
6.196 request {'body': None}
6.196 request_url https://oidc-certification.ory.sh:8443/userinfo
6.196 request_http_args {'headers': {'Authorization': 'Bearer 5jNbpI04MgkXaCaAUVeqRLTj6GFs_ZyCrJuXNrFlMnU.qDfHOomlBCkWmovNMqsY5Li93ey5t1TNuMFGRWYxfV8'}}
6.301 http response url:https://oidc-certification.ory.sh:8443/userinfo status_code:401 message:{"error":"request_unauthorized","error_description":"The request could not be authorized","error_hint":"Check that you provided valid credentials in the right format.","status_code":401,"error_debug":"A validator returned an error"}
6.301 event Expected error not received: got request_unauthorized
6.302 ErrorResponse {
"error": "request_unauthorized",
"error_debug": "A validator returned an error",
"error_description": "The request could not be authorized",
"error_hint": "Check that you provided valid credentials in the right format.",
"status_code": 401
}
6.302 ErrorResponse {
"error": "request_unauthorized",
"error_debug": "A validator returned an error",
"error_description": "The request could not be authorized",
"error_hint": "Check that you provided valid credentials in the right format.",
"status_code": 401
}
6.302 phase <--<-- 8 --- Done -->-->
6.302 end
6.302 assertion VerifyResponse
6.303 condition verify-response: status=OK [Checks that the last response was one of a possible set of OpenID Connect Responses]
6.303 condition Done: status=OK
============================================================
Conditions
verify-response: status=OK [Checks that the last response was one of a possible set of OpenID Connect Responses]
Done: status=OK
============================================================
RESULT: PASSED