rohe / oictest

OAuth2 and OpenID Connect test tools

mj-05: dynamic registration issue, omitted param response_type code id_token #42

Open qbert2k opened 9 years ago

qbert2k commented 9 years ago

I found that the test is omitting the response_types param, so the default applies and it is set to only code. Then the test performs a call to the Authorization endpoint with the param response_type=code+id_token. I think the registration request should specify response_types: [code, id_token].

From http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata:

response_types
    OPTIONAL. JSON array containing a list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type.

$ ./gluu_oxauth.py | oicc.py -J - -d 'mj-05'
/Library/Python/2.7/site-packages/requests-2.5.1-py2.7.egg/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
/Library/Python/2.7/site-packages/requests-2.5.1-py2.7.egg/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
/Library/Python/2.7/site-packages/requests-2.5.1-py2.7.egg/requests/packages/urllib3/connectionpool.py:734: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
0.001117 client preferences: {}
0.001193 provider-discovery
0.001237 <-- FUNCTION: discover
0.001246 <-- ARGS: {'content': None, 'features': None, 'request_args': {'state': '2psoEjQnpzdpSz8Z'}, 'location': '', 'response': None, 'issuer': u'https://localhost:8443/'}
0.048882 Provider info: {'claims_supported': [u'locality', u'country', u'name', u'email', u'given_name', u'gluuWhitePagesListed', u'formatted', u'iname', u'sub', u'family_name', u'o', u'picture', u'postal_code', u'locale', u'region', u'street_address', u'phone_number', u'zoneinfo'], 'op_policy_uri': u'http://ox.gluu.org/doku.php?id=oxauth:policy', 'subject_types_supported': [u'public', u'pairwise'], 'request_parameter_supported': True, u'id_generation_endpoint': u'https://localhost:8443/seam/resource/restv1/id', 'userinfo_signing_alg_values_supported': [u'HS256', u'HS384', u'HS512', u'RS256', u'RS384', u'RS512', u'ES256', u'ES384', u'ES512'], 'issuer': u'https://localhost:8443', 'ui_locales_supported': [u'en', u'es'], 'id_token_encryption_enc_values_supported': [u'A128CBC+HS256', u'A256CBC+HS512', u'A128GCM', u'A256GCM'], u'federation_metadata_endpoint': u'https://localhost:8443/seam/resource/restv1/oxauth/federationmetadata', 'require_request_uri_registration': False, 'grant_types_supported': [u'authorization_code', u'implicit', u'urn:ietf:params:oauth:grant-type:jwt-bearer'], 'token_endpoint': u'https://localhost:8443/seam/resource/restv1/oxauth/token', 'request_uri_parameter_supported': True, 'version': '3.0', 'claims_locales_supported': [u'en'], 'service_documentation': u'http://ox.gluu.org/doku.php?id=oxauth:home', 'registration_endpoint': u'https://localhost:8443/seam/resource/restv1/oxauth/register', u'validate_token_endpoint': u'https://localhost:8443/seam/resource/restv1/oxauth/validate', 'jwks_uri': u'https://localhost:8443/seam/resource/restv1/oxauth/jwks', 'userinfo_encryption_alg_values_supported': [u'RSA1_5', u'RSA-OAEP', u'A128KW', u'A256KW'], u'federation_endpoint': u'https://localhost:8443/seam/resource/restv1/oxauth/federation', 'scopes_supported': [u'address', u'email', u'http://docs.kantarainitiative.org/uma/scopes/authz.json', u'clientinfo', u'http://docs.kantarainitiative.org/uma/scopes/prot.json', u'openid', u'user_name', u'phone', u'profile'], 'token_endpoint_auth_methods_supported': [u'client_secret_basic', u'client_secret_post', u'client_secret_jwt', u'private_key_jwt'], 'userinfo_encryption_enc_values_supported': [u'RSA1_5', u'RSA-OAEP', u'A128KW', u'A256KW'], 'id_token_signing_alg_values_supported': [u'HS256', u'HS384', u'HS512', u'RS256', u'RS384', u'RS512', u'ES256', u'ES384', u'ES512'], 'display_values_supported': [u'page'], 'request_object_encryption_enc_values_supported': [u'A128CBC+HS256', u'A256CBC+HS512', u'A128GCM', u'A256GCM'], 'claims_parameter_supported': True, u'clientinfo_endpoint': u'https://localhost:8443/seam/resource/restv1/oxauth/clientinfo', u'end_session_endpoint': u'https://localhost:8443/seam/resource/restv1/oxauth/end_session', u'introspection_endpoint': u'https://localhost:8443/seam/resource/restv1/introspection', 'token_endpoint_auth_signing_alg_values_supported': [u'HS256', u'HS384', u'HS512', u'RS256', u'RS384', u'RS512', u'ES256', u'ES384', u'ES512'], 'userinfo_endpoint': u'https://localhost:8443/seam/resource/restv1/oxauth/userinfo', u'scope_to_claims_mapping': [{u'scope': u'address', u'claims': [u'homePostalAddress', u'street', u'st', u'postOfficeBox', u'postalCode', u'mail', u'preferredLanguage', u'zoneinfo']}, {u'scope': u'email', u'claims': [u'mail']}, {u'scope': u'http://docs.kantarainitiative.org/uma/scopes/authz.json', u'claims': [u'mail']}, {u'scope': u'clientinfo', u'claims': [u'displayName', u'uid', u'inum', u'oxAuthAppType', u'oxAuthIdTokenSignedResponseAlg', u'oxAuthRedirectURI', u'oxAuthScope']}, {u'scope': u'http://docs.kantarainitiative.org/uma/scopes/prot.json', u'claims': []}, {u'scope': u'openid', u'claims': [u'inum']}, {u'scope': u'user_name', u'claims': []}, {u'scope': u'phone', u'claims': [u'telephoneNumber', u'mobile', u'homePhone', u'facsimileTelephoneNumber']}, {u'scope': u'profile', u'claims': [u'displayName', u'givenName', u'sn', u'preferredLanguage', u'zoneinfo', u'picture']}], 'request_object_signing_alg_values_supported': [u'none', u'HS256', u'HS384', u'HS512', u'RS256', u'RS384', u'RS512', u'ES256', u'ES384', u'ES512'], 'op_tos_uri': u'http://ox.gluu.org/doku.php?id=oxauth:tos', u'check_session_iframe': u'https://localhost:8443/opiframe.seam', 'request_object_encryption_alg_values_supported': [u'RSA1_5', u'RSA-OAEP', u'A128KW', u'A256KW'], 'response_types_supported': [u'code', u'code id_token', u'id_token', u'token id_token', u'token', u'code token id_token'], 'id_token_encryption_alg_values_supported': [u'RSA1_5', u'RSA-OAEP', u'A128KW', u'A256KW'], 'authorization_endpoint': u'https://localhost:8443/seam/resource/restv1/oxauth/authorize', 'claim_types_supported': [u'normal']}
0.049488 Client behavior: {'request_object_signing_alg': 'RS256'}
0.050057 oic-registration
0.051035 --> URL: https://localhost:8443/seam/resource/restv1/oxauth/register
0.051039 --> BODY: {"application_type": "web", "request_object_signing_alg": "RS256", "redirect_uris": ["https://seed.gluu.org/oxauth-rp/home.seam"], "state": "2psoEjQnpzdpSz8Z"}
0.051046 --> HEADERS: {'Content-type': 'application/json'}
0.074666 <-- RESPONSE: <Response [200]>
0.074745 <-- CONTENT: {
  "client_id": "@!1111!0008!BDEF.7A45",
  "client_secret": "f9e82b22-0239-437e-8a50-964c61cb5f4b",
  "registration_access_token": "b2cf1a2c-a75d-4f2c-b507-3a28b1ca5b2d",
  "registration_client_uri": "https://localhost:8443/seam/resource/restv1/oxauth/register?client_id=@!1111!0008!BDEF.7A45",
  "client_id_issued_at": 1424720134,
  "client_secret_expires_at": 1424720254,
  "redirect_uris": ["https://seed.gluu.org/oxauth-rp/home.seam"],
  "response_types": ["code"],
  "application_type": "web",
  "client_name": "seed.gluu.org",
  "token_endpoint_auth_method": "client_secret_basic",
  "subject_type": "public",
  "request_object_signing_alg": "RS256",
  "id_token_signed_response_alg": "RS256",
  "require_auth_time": false,
  "scopes": [
    "address",
    "email",
    "http://docs.kantarainitiative.org/uma/scopes/authz.json",
    "clientinfo",
    "http://docs.kantarainitiative.org/uma/scopes/prot.json",
    "openid",
    "user_name",
    "phone",
    "profile"
  ]
}
0.074748 <-- REASON: OK
0.074756 <-- COOKIES: {}
0.075028 [RegistrationResponse]: {'client_id_issued_at': 1424720134, 'token_endpoint_auth_method': u'client_secret_basic', 'redirect_uris': [u'https://seed.gluu.org/oxauth-rp/home.seam'], u'scopes': [u'address', u'email', u'http://docs.kantarainitiative.org/uma/scopes/authz.json', u'clientinfo', u'http://docs.kantarainitiative.org/uma/scopes/prot.json', u'openid', u'user_name', u'phone', u'profile'], 'application_type': u'web', 'client_name': u'seed.gluu.org', 'registration_client_uri': u'https://localhost:8443/seam/resource/restv1/oxauth/register?client_id=@!1111!0008!BDEF.7A45', 'subject_type': u'public', 'id_token_signed_response_alg': u'RS256', 'registration_access_token': u'b2cf1a2c-a75d-4f2c-b507-3a28b1ca5b2d', 'response_types': [u'code'], 'client_id': u'@!1111!0008!BDEF.7A45', 'require_auth_time': False, 'client_secret': u'f9e82b22-0239-437e-8a50-964c61cb5f4b', 'request_object_signing_alg': u'RS256', 'client_secret_expires_at': 1424720254}
0.075044 ### extra claims: {u'scopes': [u'address', u'email', u'http://docs.kantarainitiative.org/uma/scopes/authz.json', u'clientinfo', u'http://docs.kantarainitiative.org/uma/scopes/prot.json', u'openid', u'user_name', u'phone', u'profile']}
0.075094 oic-login-code+idtoken
0.075333 --> URL: https://localhost:8443/seam/resource/restv1/oxauth/authorize?nonce=n7fzO0X2l7l3&state=2psoEjQnpzdpSz8Z&redirect_uri=https%3A%2F%2Fseed.gluu.org%2Foxauth-rp%2Fhome.seam&response_type=code+id_token&client_id=%40%211111%210008%21BDEF.7A45&scope=openid
0.075336 --> BODY: None
0.094088 <-- RESPONSE: <Response [400]>
0.094363 <-- CONTENT: {"error":"unsupported_response_type","error_description":"The authorization server does not support obtaining an access token using this method.","state":"2psoEjQnpzdpSz8Z"}
0.094367 <-- REASON: Bad Request
0.094386 <-- COOKIES: {'JSESSIONID': '87F27082B36A5A7937C3297EFF7F4C78'}
Couldn't find the check: 'check-nonce'
[RUN] ExcList:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/oictest-0.3.0-py2.7.egg/oauth2test/__init__.py", line 222, in run
    conv.do_sequence(_spec)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/oictest-0.3.0-py2.7.egg/rrtest/tool.py", line 357, in do_sequence
    self.test_sequence(oper["tests"]["post"])
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/oictest-0.3.0-py2.7.egg/rrtest/tool.py", line 118, in test_sequence
    self.do_check(test, kwargs)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/oictest-0.3.0-py2.7.egg/rrtest/tool.py", line 90, in do_check
    chk = self.check_factory(test)(kwargs)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/oictest-0.3.0-py2.7.egg/oictest/check.py", line 2120, in factory
    raise Unknown("Couldn't find the check: '%s'" % cid)
Unknown: Couldn't find the check: 'check-nonce'

[RUN] Exception: Couldn't find the check: 'check-nonce'
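The mismatch in the log above, reconstructed offline as an added example. This is not oictest's code and not from the issue author: the registration body, the authorization request's response_type and the OP's response_types_supported are copied from the log; the function names, the comparison logic and the "fixed" registration body are this example's own. It shows two things the log only implies: response_type values are compared as unordered token sets (so `code id_token` and `id_token code` are the same value), and the registration spec's default of `["code"]` is what makes the `oic-login-code+idtoken` step unregistered for the client. Note that each `response_types` entry is one complete response_type string, so the hybrid flow is declared as the single value `"code id_token"`.

```python
"""Added example (not oictest code): reproduce the mj-05 mismatch offline.

Assumptions: the constants below are copied from the issue's log; everything
else is constructed for illustration.
"""
import json

# Copied from the 0.051039 --> BODY line of the log: no response_types given.
ORIGINAL_REGISTRATION = {
    "application_type": "web",
    "request_object_signing_alg": "RS256",
    "redirect_uris": ["https://seed.gluu.org/oxauth-rp/home.seam"],
    "state": "2psoEjQnpzdpSz8Z",
}

# Copied from the discovery document (0.048882 Provider info).
GLUU_RESPONSE_TYPES_SUPPORTED = [
    "code", "code id_token", "id_token", "token id_token", "token",
    "code token id_token",
]

# What the oic-login-code+idtoken step sends; '+' is the URL-encoded space.
REQUESTED_RESPONSE_TYPE = "code+id_token"


def normalize_response_type(value):
    """Return a response_type as the frozenset of its tokens.

    OAuth 2.0 defines a multi-valued response_type as a space-delimited list
    whose order is not significant, so 'code id_token' and 'id_token code'
    must compare equal. The '+' form seen in a query string is accepted too.
    """
    tokens = value.replace("+", " ").split()
    if not tokens:
        raise ValueError("empty response_type")
    return frozenset(tokens)


def registered_response_types(registration_request):
    """Effective response_types of a client after registration.

    OpenID Connect Dynamic Client Registration 1.0, Client Metadata: if the
    RP omits response_types, the default is that it will use only 'code'.
    """
    declared = registration_request.get("response_types")
    if declared is None:
        declared = ["code"]
    return {normalize_response_type(rt) for rt in declared}


def authorization_request_allowed(registration_request, response_type,
                                  response_types_supported=None):
    """True if response_type is registered for the client and, when the
    discovery list is supplied, also advertised by the OP."""
    wanted = normalize_response_type(response_type)
    if wanted not in registered_response_types(registration_request):
        return False
    if response_types_supported is not None:
        supported = {normalize_response_type(rt) for rt in response_types_supported}
        if wanted not in supported:
            return False
    return True


def registration_body_with_flows(base_request, planned_response_types):
    """Copy a registration request and declare every response_type the test
    sequence plans to use, deduplicated order-insensitively.

    Each list entry is one complete response_type string: the hybrid flow is
    declared as "code id_token", not as two separate entries.
    """
    body = dict(base_request)
    seen = set()
    declared = []
    for rt in planned_response_types:
        key = normalize_response_type(rt)
        if key not in seen:
            seen.add(key)
            declared.append(" ".join(rt.replace("+", " ").split()))
    body["response_types"] = declared
    return body


if __name__ == "__main__":
    # As registered in the log: only 'code', so the hybrid request is refused.
    print(authorization_request_allowed(ORIGINAL_REGISTRATION,
                                        REQUESTED_RESPONSE_TYPE,
                                        GLUU_RESPONSE_TYPES_SUPPORTED))
    fixed = registration_body_with_flows(ORIGINAL_REGISTRATION,
                                         ["code", REQUESTED_RESPONSE_TYPE])
    print(json.dumps(fixed, indent=2, sort_keys=True))
    print(authorization_request_allowed(fixed, REQUESTED_RESPONSE_TYPE,
                                        GLUU_RESPONSE_TYPES_SUPPORTED))
```

Run stand-alone, the first check comes back False for the registration actually sent in the log, and True once the registration body carries `"response_types": ["code", "code id_token"]`. The OP's `unsupported_response_type` error is consistent with this: the discovery document does list `code id_token`, so it is the per-client registration, not the server's capability, that rules the request out.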