openid-certification / oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

rp-backchannel-rpinitlogout: post_logout_redirect_uri should not be required #187

Closed zandbelt closed 4 years ago

zandbelt commented 4 years ago

When executing rp-backchannel-rpinitlogout and not providing a post_logout_redirect_uri parameter, the following error results in the browser:

400 Bad Request
{"error": "invalid_request", "error_description": "Missing post_logout_redirect_uri"}

According to https://openid.net/specs/openid-connect-session-1_0.html#RPLogout the post_logout_redirect_uri is optional so a request that does not have one should be accepted.
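The handling the spec section linked above calls for, as an added example that is not part of the issue thread and is not pyOIDC or oidctest code: a missing `post_logout_redirect_uri` is accepted, while a supplied one must exactly match a value registered for the client. The function name, the exception class and the `rp.example` URIs are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample registration (assumption, not taken from the thread).
REGISTERED = ["https://rp.example/logged-out", "https://rp.example/bye?src=op"]


class LogoutRequestError(ValueError):
    """Raised for requests that should get an invalid_request response."""


def resolve_logout_redirect(params, registered_uris):
    """Decide where the OP sends the user agent after logout.

    params          -- decoded query parameters of the end_session request
    registered_uris -- post_logout_redirect_uris registered for the client,
                       looked up by the caller after verifying id_token_hint
    Returns the redirect URL, or None when the OP should show its own
    "logged out" page.
    """
    uri = params.get("post_logout_redirect_uri")
    state = params.get("state")

    if uri is None:
        # Optional parameter: its absence is a valid request, not an error.
        return None

    # When supplied, require an exact string match against registration.
    # Prefix or host-only matching would allow redirects to unregistered URLs.
    if uri not in registered_uris:
        raise LogoutRequestError("post_logout_redirect_uri not registered")

    if state is None:
        return uri
    # state is echoed back to the RP as a query parameter.
    sep = "&" if urlsplit(uri).query else "?"
    return uri + sep + urlencode({"state": state})


if __name__ == "__main__":
    # The request shape from the thread: id_token_hint only.
    print(resolve_logout_redirect({"id_token_hint": "<token>"}, REGISTERED))
    print(resolve_logout_redirect(
        {"post_logout_redirect_uri": REGISTERED[0], "state": "abc"}, REGISTERED))
```
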

rohe commented 4 years ago

This is changed in the new pyOIDC version. Soon to be approved.

rohe commented 4 years ago

Should be resolved now

zandbelt commented 4 years ago

verified against the latest logout code and pyoidc 1.1.1

zandbelt commented 4 years ago

well, it seems to be back now:

rp-test_1 | 192.168.16.1 - - [11/Nov/2019:08:51:08] "GET /mod_auth_openidc-code/rp-backchannel-rpinitlogout/end_session?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6ImFyVDJiVDgwY1N5SDhCZzQ5cHFzeFVfWktkaTE5d3BfUjA5bEF0V1JqeVkifQ.eyJpc3MiOiAiaHR0cHM6Ly9ycC10ZXN0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWJhY2tjaGFubmVsLXJwaW5pdGxvZ291dCIsICJzdWIiOiAiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsICJhdWQiOiBbImxnMVRjeHlIRW1zTCJdLCAiZXhwIjogMTU3MzU0ODY2OCwgImFjciI6ICJQQVNTV09SRCIsICJpYXQiOiAxNTczNDYyMjY4LCAiYXV0aF90aW1lIjogMTU3MzQ2MjI2OCwgIm5vbmNlIjogIjZpNG5hNDI5TG1MeWJfQVYxZnQ1aUtSVC1ZSnR1WVQ3ZUphdVh1aGlKbmMifQ.gpL2gCl7s-qCwl0hwMqBgEG-QO5ei7OweIkpqQzkM8fLxaquxJnXzCLagr3KMXBnpxCk96jz34uoslm-Y-EQ6NqSLoxL-w803fIJ_BEVa5zZvXOH5uo0Fls1uQnQXYXlBp18vGxZKLtwXIin0g5tx2K5OWL8YcGtF9cxhwCAWk9ud6cMC_BjYJAHN9bamUkB_3NinkJcQiHXodJge4dtNVKYWXFilvuXuYOAB5ucjUVE4VRZOloQ6_l2hflx434ZkVoM1q86yJf4F2c0cmSzu8v4yHETTJYRkzL3G94XLEQC4TmIT18w76Y0YidKYD7ITmPpgqimBShwBpZLxykOCg HTTP/1.1" 400 794 "" "curl/7.66.0"

results in:

Content-Type: text/html;charset=utf-8
Server: CherryPy/8.9.1
Date: Mon, 11 Nov 2019 08:51:08 GMT
Allow: GET, OPTIONS, HEAD
Content-Length: 794
Set-Cookie: session_id=64544e3acaa4180cf220b07583d6bdad58397250; expires=Mon, 11 Nov 2019 09:51:08 GMT; Path=/

<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
    <title>400 Bad Request</title>
    <style type="text/css">
    #powered_by {
        margin-top: 20px;
        border-top: 2px solid black;
        font-style: italic;
    }

    #traceback {
        color: red;
    }
    </style>
</head>
    <body>
        <h2>400 Bad Request</h2>
        <p>{"error": "invalid_request", "error_description": "Missing post_logout_redirect_uri"}</p>
        <pre id="traceback"></pre>
    <div id="powered_by">
      <span>
        Powered by <a href="http://www.cherrypy.org">CherryPy 8.9.1</a>
      </span>
    </div>
    </body>
</html>

rohe commented 4 years ago

You're sure you're running the latest pyoidc version?

zandbelt commented 4 years ago

just double-checked (after removing some old versions first as well):


```
hzandbelt@new-rp:/usr/local/oidf/oidc_cp_rplib$ pip freeze | grep oic
oic==1.1.1
```

rohe commented 4 years ago

OK, you were running this test on your own test suite installation. Right? Can't find anything like this on new_rp. I'd like to see more of the logs.

zandbelt commented 4 years ago

just ran on new-rp as below

2019-11-12 07:39:01,394 oidctest.cp.op:INFO ent:212.84.155.17, vpath: ['mod_auth_openidc-code', 'rp-backchannel-rpinitlogout', 'end_session']
2019-11-12 07:39:01,394 oidctest.cp.op:DEBUG EndSessionRequest: {'id_token_hint': 'eyJhbGciOiJSUzI1NiIsImtpZCI6Im1Fa2MxbFF5Z29VMTBqMk5sVUUtWVlCdjJ1b2FKMXhHLUZua0dxZlRsRzAifQ.eyJpc3MiOiAiaHR0cHM6Ly9uZXctcnAuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWJhY2tjaGFubmVsLXJwaW5pdGxvZ291dCIsICJzdWIiOiAiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsICJhdWQiOiBbImczOThLaXFZNDJvcCJdLCAiZXhwIjogMTU3MzYzMDc0MCwgImFjciI6ICJQQVNTV09SRCIsICJpYXQiOiAxNTczNTQ0MzQwLCAiYXV0aF90aW1lIjogMTU3MzU0NDMzOSwgIm5vbmNlIjogImdPVi1MX2VaU2szd25nUmdqb2NMYUZ6elRONUZORXFiUDhkMFQ5MzItSkkifQ.vgOfMGDfNZrpHxdECNJOnZd1fjcon2cYaGI8nqlUrAXukr_1gDnQp8JyWHSpNQ8KMRtS0vEkSUK6m0pc4O6TcyiDpFCGw8fuvd5BbGWcRz_jQtNESSBFrngqYf9UMmOiesA2y7Rw8WCWRINPLDDBnEfx8htJt57wCxgf9IPTZqBzK3F9hq3DTXgRhgaIKAdNnuSD9hj0JzN23wUTfsovVMFeIazE1rtI259CbadQXWGVKPHkyQ7E2xXpvT-WVeeCvJ3zrbZodwe3OCOdDsDQ3aQGWi3lazjz-54UFAV3Ejv-GsGZ4vHBF3ENGiK3YTkPIYfouYW0ra2s6UziGKy0fw'}
2019-11-12 07:39:01,394 oidctest.cp.op:DEBUG Request cookie at end_session_endpoint: Set-Cookie: pyoidc_sso="1573544339|wgDyLrQDbGC+HbBzlgtYgw==|P4yyP+IloBGITDHTJxsDFkelBWqx/3BIDLWRY6pcQwOJZUSi|C8SjBS+Z/mJUkkiaz0Jfyg=="
Set-Cookie: session_id=e39cb123a2388f7b5b6660608aa23770302445e9
2019-11-12 07:39:01,395 oic.oic.provider:DEBUG End session request: {'id_token_hint': 'eyJhbGciOiJSUzI1NiIsImtpZCI6Im1Fa2MxbFF5Z29VMTBqMk5sVUUtWVlCdjJ1b2FKMXhHLUZua0dxZlRsRzAifQ.eyJpc3MiOiAiaHR0cHM6Ly9uZXctcnAuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWJhY2tjaGFubmVsLXJwaW5pdGxvZ291dCIsICJzdWIiOiAiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsICJhdWQiOiBbImczOThLaXFZNDJvcCJdLCAiZXhwIjogMTU3MzYzMDc0MCwgImFjciI6ICJQQVNTV09SRCIsICJpYXQiOiAxNTczNTQ0MzQwLCAiYXV0aF90aW1lIjogMTU3MzU0NDMzOSwgIm5vbmNlIjogImdPVi1MX2VaU2szd25nUmdqb2NMYUZ6elRONUZORXFiUDhkMFQ5MzItSkkifQ.vgOfMGDfNZrpHxdECNJOnZd1fjcon2cYaGI8nqlUrAXukr_1gDnQp8JyWHSpNQ8KMRtS0vEkSUK6m0pc4O6TcyiDpFCGw8fuvd5BbGWcRz_jQtNESSBFrngqYf9UMmOiesA2y7Rw8WCWRINPLDDBnEfx8htJt57wCxgf9IPTZqBzK3F9hq3DTXgRhgaIKAdNnuSD9hj0JzN23wUTfsovVMFeIazE1rtI259CbadQXWGVKPHkyQ7E2xXpvT-WVeeCvJ3zrbZodwe3OCOdDsDQ3aQGWi3lazjz-54UFAV3Ejv-GsGZ4vHBF3ENGiK3YTkPIYfouYW0ra2s6UziGKy0fw'}
2019-11-12 07:39:01,396 oic.oauth2.message:DEBUG Raw JSON: {'iss': 'https://new-rp.certification.openid.net:8080/mod_auth_openidc-code/rp-backchannel-rpinitlogout', 'sub': '1b2fc9341a16ae4e30082965d537ae47c21a0f27fd43eab78330ed81751ae6db', 'aud': ['g398KiqY42op'], 'exp': 1573630740, 'acr': 'PASSWORD', 'iat': 1573544340, 'auth_time': 1573544339, 'nonce': 'gOV-L_eZSk3wngRgjocLaFzzTN5FNEqbP8d0T932-JI'}
2019-11-12 07:39:01,396 oic.oauth2.message:DEBUG JWS header: {'alg': 'RS256', 'kid': 'mEkc1lQygoU10j2NlUE-YYBv2uoaJ1xG-FnkGqfTlG0'}
2019-11-12 07:39:01,396 oic.oauth2.message:DEBUG Found signing key.
2019-11-12 07:39:01,396 jwkest.jws:DEBUG Picking key by key type=RSA
2019-11-12 07:39:01,396 jwkest.jws:DEBUG Picking key based on alg=RS256, kid=mEkc1lQygoU10j2NlUE-YYBv2uoaJ1xG-FnkGqfTlG0 and use=
2019-11-12 07:39:01,396 jwkest.jws:DEBUG Picked: kid:mEkc1lQygoU10j2NlUE-YYBv2uoaJ1xG-FnkGqfTlG0, use:sig, kty:RSA
2019-11-12 07:39:01,396 jwkest.jws:DEBUG Picked: kid:mEkc1lQygoU10j2NlUE-YYBv2uoaJ1xG-FnkGqfTlG0, use:sig, kty:RSA
2019-11-12 07:39:01,397 jwkest.jws:DEBUG Verified message using key with kid=mEkc1lQygoU10j2NlUE-YYBv2uoaJ1xG-FnkGqfTlG0
2019-11-12 07:39:01,397 oic.oauth2:ERROR invalid_request
2019-11-12 07:39:01,397 oidctest.cp.op:DEBUG Error - Status:400, message:{"error": "invalid_request", "error_description": "Missing post_logout_redirect_uri"}
2019-11-12 07:39:01,398 cherrypy.access.140534150054464:INFO 212.84.155.17 - - [12/Nov/2019:07:39:01] "GET /mod_auth_openidc-code/rp-backchannel-rpinitlogout/end_session?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6Im1Fa2MxbFF5Z29VMTBqMk5sVUUtWVlCdjJ1b2FKMXhHLUZua0dxZlRsRzAifQ.eyJpc3MiOiAiaHR0cHM6Ly9uZXctcnAuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0OjgwODAvbW9kX2F1dGhfb3BlbmlkYy1jb2RlL3JwLWJhY2tjaGFubmVsLXJwaW5pdGxvZ291dCIsICJzdWIiOiAiMWIyZmM5MzQxYTE2YWU0ZTMwMDgyOTY1ZDUzN2FlNDdjMjFhMGYyN2ZkNDNlYWI3ODMzMGVkODE3NTFhZTZkYiIsICJhdWQiOiBbImczOThLaXFZNDJvcCJdLCAiZXhwIjogMTU3MzYzMDc0MCwgImFjciI6ICJQQVNTV09SRCIsICJpYXQiOiAxNTczNTQ0MzQwLCAiYXV0aF90aW1lIjogMTU3MzU0NDMzOSwgIm5vbmNlIjogImdPVi1MX2VaU2szd25nUmdqb2NMYUZ6elRONUZORXFiUDhkMFQ5MzItSkkifQ.vgOfMGDfNZrpHxdECNJOnZd1fjcon2cYaGI8nqlUrAXukr_1gDnQp8JyWHSpNQ8KMRtS0vEkSUK6m0pc4O6TcyiDpFCGw8fuvd5BbGWcRz_jQtNESSBFrngqYf9UMmOiesA2y7Rw8WCWRINPLDDBnEfx8htJt57wCxgf9IPTZqBzK3F9hq3DTXgRhgaIKAdNnuSD9hj0JzN23wUTfsovVMFeIazE1rtI259CbadQXWGVKPHkyQ7E2xXpvT-WVeeCvJ3zrbZodwe3OCOdDsDQ3aQGWi3lazjz-54UFAV3Ejv-GsGZ4vHBF3ENGiK3YTkPIYfouYW0ra2s6UziGKy0fw HTTP/1.1" 400 794 "" "curl/7.66.0"

rohe commented 4 years ago

OK, know what it is. Needs a modification of pyOIDC. :-(

rohe commented 4 years ago

Pushed a PR to that effect.

rohe commented 4 years ago

The PR has been accepted and merged into the pyOIDC master.

zandbelt commented 4 years ago

in the latest release now https://github.com/openid-certification/oidctest/releases/tag/v1.2.3