nonce required for test OP-nonce-NoReq-noncode when using 'code token' flow

[djfwong]

Was wondering why this test expects a nonce, it seems a nonce is only expected when id_token is sent in the request to prevent replay attacks. For this test, only 'code token' is sent, and we expect a nonce which should be optional.

Is it a requirement to pass this test for hybrid (code token) certification, if so, can I get some guidance on this issue on whether it is an issue with the OP implementation or the OP conformance test tool.

Thanks.

[zandbelt]

I think you may have encountered an issue with the test suite indeed:

The nonce is optional for the Client to provide in case the id_token is not delivered in the front channel. See https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken which says about the nonce

When using the Hybrid Flow, these additional requirements for the following ID Token Claims apply to an ID Token returned from the Authorization Endpoint:

In this OP-nonce-NoReq-noncode case a nonce is not sent but then for the code token response type the id_token is not returned from the Authorization Endpoint. I believe you're observing that not throwing an error and continue as normal makes the test suite show a failure, right?

If so I believe @selfissued and @rohe should comment.

[djfwong]

Correct the test is throwing an error and saying it is expecting an error. A python exception occurs

[zandbelt]

Please also paste the python error for our convenience.. :-)

[zandbelt]

@rohe the fix may be as simple as:

diff --git a/test_tool/cp/test_op/flows/OP-nonce-NoReq-noncode.json b/test_tool/cp/test_op/flows/OP-nonce-NoReq-noncode.json
index eea6536..f58a4bc 100644
--- a/test_tool/cp/test_op/flows/OP-nonce-NoReq-noncode.json
+++ b/test_tool/cp/test_op/flows/OP-nonce-NoReq-noncode.json
@@ -41,7 +41,6 @@
     "I",
     "IT",
     "CI",
-    "CT",
     "CIT"
   ],
   "note": "This test should result in the OpenID Provider displaying an error message in your user agent. You should ignore the status of this test in the test tool, since it will be incomplete. You must submit a screen shot of the error shown as part of your certification application.",

isn't it?

[djfwong]

********************************************************************************
Something went seriously wrong, please tell us at certification@oidf.org
********************************************************************************


Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/oidctest-0.7.3-py3.6.egg/oidctest/optt/__init__.py", line 288, in authz_post
    response=kwargs)
  File "/usr/local/lib/python3.6/dist-packages/otest-0.7.7-py3.6.egg/otest/aus/tool.py", line 225, in async_response
    response=response)
  File "/usr/local/lib/python3.6/dist-packages/otest-0.7.7-py3.6.egg/otest/aus/request.py", line 349, in parse_response
    self.expected_error_response(response)
  File "/usr/local/lib/python3.6/dist-packages/otest-0.7.7-py3.6.egg/otest/aus/request.py", line 67, in expected_error_response
    raise Break("Did not receive expected error")
otest.Break: Did not receive expected error

[selfissued]

Section 3.3.2.11. ID Token (in the Hybrid Flow section 3.3) at https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken says:

The contents of the ID Token are as described in Section 2. When using the Hybrid Flow, these additional requirements for the following ID Token Claims apply to an ID Token returned from the Authorization Endpoint:

nonce
Use of the nonce Claim is REQUIRED for this flow.

Requiring a nonce for this Hybrid flow response_type value is not a test bug. Can a maintainer of this project please close this bug on this basis? I apparently don't have the rights to do so. Thanks.

[zandbelt]

the point is that there is no id_token returned from the authorization endpoint in "code token" which voids the additional requirements

[selfissued]

This has been explicitly discussed by the working group in the past. 3.3.2.11 is clear that the request must contain a nonce and the nonce must be present in the issued ID Token for all hybrid flows. The fact that the ID Token is returned from the Token Endpoint doesn't invalidate this requirement.

In fact, this is parallel to the requirement in the code flow that if a nonce is present in the request, a nonce value must be present in the issued ID Token (which is also returned from the Token Endpoint). This is in 3.1.3.7, which says:
If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.

Section 2 (ID Token) also says:
nonce
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string.

[zandbelt]

Ok, then the sentence in the spec should omit the " returned from the Authorization Endpoint" postfix since it also applies to an ID token returned from the Token Endpoint.

[zandbelt]

@djfwong so your implementation should throw an error on not receiving a nonce in the CT flow

[zandbelt]

See also: https://bitbucket.org/openid/connect/issues/1052/make-clear-that-nonce-is-always-required

[zandbelt]

Some more digging reveals that this was explicitly included in the test suite since May 11, 2017 in:
openid-certification@b760284#diff-d5db77b90cf26c20d039b9de86be910b
as the outcome of issue:
openid-certification#14
so it has been there ever since we started versioning with "the new OP suite" version 2.0.0 that is live since Jul 5, 2017.
It was not part of the "old OP suite" before that.

[b---c]

https://bitbucket.org/openid/connect/issues/1052 was closed but the friendly discussion around it resulted in https://bitbucket.org/openid/connect/issues/972 being reopened and resolved with a different and now correct outcome. As such, I'd respectfully request that this issue be addressed so as to not have a test that requires the nonce when the response type is 'code token'.