Incorrect registration of sector_identifier_uri ( OP-Registration-Sector-Bad)

[Spomky]

Hi,

I have some troubles with that test. The client registration data I receive looks like as follow:

{
    "application_type": "web",
    "contacts": ["roland@example.com"],
    "grant_types": ["authorization_code", "implicit"],
    "jwks_uri": "https://op.certification.openid.net:61311/static/jwks_61311.json",
    "post_logout_redirect_uris": ["https://op.certification.openid.net:61311/logout"],
    "redirect_uris": ["https://op.certification.openid.net:61311/authz_cb"],
    "request_uris": ["https://op.certification.openid.net:61311/requests/12d93ca2599291194c6f518cc889daad48fd32835d120c9f39fab3c5887401cb#Uzvnw4BZ705QPKX7"],
    "response_types": ["code id_token token"],
    "sector_identifier_uri": "https://op.certification.openid.net:61311/export/siu.json"
}

The sector_identifier_uri has the value https://op.certification.openid.net:61311/export/siu.json which looks good. When my IDP tries to get the URIs provided by that URI, it receives a 200 HTTP response with the following content:

[
    "https://example.com/op"
]

The test fails with the message

Expected exception did not occur Registration:OP-Registration-Sector-Bad: status=ERROR, message=Expected exception 'RegistrationError'.

Can you explain why the test expect a registration error?

[panva]

That's because the sector_identifier_uri array MUST contain all members of the client metadata redirect_uris at least at the time of registration.

In this case

[
    "https://example.com/op"
]

does not contain https://op.certification.openid.net:61311/authz_cb.

This comes from

• http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation
• http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg

You can see passing OP-Registration-Sector-Bad here.

[Spomky]

Oh I missed it!

Sorry for the noise and thank you for the example.

Regards.